From 33feb25966762329ee076ab96a7ab796a6d2f879 Mon Sep 17 00:00:00 2001 From: rtfmkiesel <79413747+rtfmkiesel@users.noreply.github.com> Date: Thu, 15 Jun 2023 21:29:02 +0200 Subject: [PATCH] updated internal drivers --- pkg/loldrivers/drivers.json | 181074 +++++++++++++++++---------------- 1 file changed, 95346 insertions(+), 85728 deletions(-) diff --git a/pkg/loldrivers/drivers.json b/pkg/loldrivers/drivers.json index e7e70f3..63889f7 100644 --- a/pkg/loldrivers/drivers.json +++ b/pkg/loldrivers/drivers.json @@ -1,21 +1,21 @@ [ { - "Id": "ad21819d-3080-4fe2-89b1-74385031fb4d", + "Id": "0a2f2700-97b5-42b6-b121-38e5f03e9957", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create ATSZIO64.sys binPath=C:\\windows\\temp\\ATSZIO64.sys type=kernel && sc.exe start ATSZIO64.sys", + "Command": "sc.exe create BS_RCIO.sys binPath=C:\\windows\\temp\\BS_RCIO.sys type=kernel && sc.exe start BS_RCIO.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
@@ -24,31 +24,31 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "ATSZIO64.sys", - "MD5": "b12d1630fd50b2a21fd91e45d522ba3a", - "SHA1": "490109fa6739f114651f4199196c5121d1c6bdf2", - "SHA256": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", + "Filename": "BS_RCIO.sys", + "MD5": "ab53d07f18a9697139ddc825b466f696", + "SHA1": "213ba055863d4226da26a759e8a254062ea77814", + "SHA256": "362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc", "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "Biostar Microtech Int'l Corp", + "DigiCert EV Code Signing CA", + "DigiCert" ], "Date": "", "Publisher": "", - "Company": "ASUSTek Computer Inc.", - "Description": "ATSZIO Driver", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.1.7", - "FileVersion": "0.2.1.7", - "MachineType": "AMD64", - "OriginalFilename": "ATSZIO.sys", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", "Authentihash": { - "MD5": "69a92cb6ac87c99f10b24eefa13f0b10", - "SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73", - "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a" + "MD5": "8284660345377a69dd99b25fdf397314", + "SHA1": "3311e4e94e8a6dd81859719fbe0fcbf187f0bd8a", + "SHA256": "f67e60228084151fdcb84e94a48693db864cf606b65faef5a1d829175380dbfa" }, - "InternalName": "ATSZIO.sys", - "Copyright": "Copyright (C) 2012", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" 
@@ -56,28 +56,42 @@ "ExportedFunctions": "", "ImportedFunctions": [ "KeWaitForSingleObject", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "memcpy", + "KeDelayExecutionThread", + "PsTerminateSystemThread", + "KeSetEvent", + "IoStartNextPacket", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "ZwClose", + "MmMapIoSpace", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExEventObjectType", "IofCompleteRequest", + "KeRemoveEntryDeviceQueue", + "IoStartPacket", + "KeTickCount", + "KeBugCheckEx", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "KeReleaseSemaphore", + "KeInitializeSemaphore", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", "IoCreateDevice", "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "DbgPrint", + "PsCreateSystemThread", "IoDeleteDevice", - "RtlInitUnicodeString", "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalGetBusDataByOffset", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "READ_PORT_UCHAR", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "KfLowerIrql" ], "Signatures": [ { 
@@ -85,52 +99,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d91
69410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "??=Private Organization, ??=TW, serialNumber=23826200, ??=2F, NO.108,2, MIN CHUAN RD, postalCode=231, C=TW, ST=XINDIAN DIST, L=NEW TAIPEI CITY, O=Biostar Microtech Int'l Corp, CN=Biostar Microtech Int'l Corp", + "ValidFrom": "2017-01-18 00:00:00", + "ValidTo": "2018-11-21 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": 
"03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms 
of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0240c40d347ee38f707adae8a101450b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } 
@@ -138,159 +145,19 @@ } ], "Tags": [ - "ATSZIO64.sys" - ] - }, - { - "Id": "3f39af20-802a-4909-a5de-7f6fe7aab350", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrOmgDrv.sys binPath=C:\\windows\\temp\\AsrOmgDrv.sys type=kernel && sc.exe start AsrOmgDrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsrOmgDrv.sys", - "MD5": "4f27c09cc8680e06b04d6a9c34ca1e08", - "SHA1": "400f833dcc2ef0a122dd0e0b1ec4ec929340d90e", - "SHA256": "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "ASROCK Incorporation", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "AsrDrv.sys", - "Authentihash": { - "MD5": "b39f71ca0eb035173a7f6c3dc7a43620", - "SHA1": "045818bc05faf8fb2b7ccc60623f5a6f185d68c7", - "SHA256": "6c9dc878d9605070921338d09c6dbecbe11dec50c03fc69a0462884a07c2c442" - }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", - "RtlInitUnicodeString", - "IoDeleteDevice", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - 
"IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } + "BS_RCIO.sys" ], - "Tags": [ - "AsrOmgDrv.sys" - ] + "yara": false }, { - "Id": "90e8600a-9b5c-4153-bb06-1d8fbe0ef232", + "Id": "5d3f0b7d-7413-48e6-8d9c-7fc0bb5a66ee", "Author": "Michael Haag", "Created": "2023-01-09", 
"MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create nstr.sys binPath=C:\\windows\\temp \\n \\n \\n str.sys type=kernel && sc.exe start nstr.sys", + "Command": "sc.exe create Proxy64.sys binPath=C:\\windows\\temp\\Proxy64.sys type=kernel && sc.exe start Proxy64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", @@ -307,8 +174,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "nstr.sys", - "SHA256": "455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b", + "Filename": "Proxy64.sys", + "SHA256": "c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a", "Signature": [], "Date": "", "Publisher": "", @@ -322,18 +189,19 @@ } ], "Tags": [ - "nstr.sys" - ] + "Proxy64.sys" + ], + "yara": false }, { - "Id": "99668140-a8f6-48f8-86d1-cf3bf693600c", + "Id": "204eccdf-99ca-4f2a-a325-8ebe34fd29a1", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create ProtectS.sys binPath=C:\\windows\\temp\\ProtectS.sys type=kernel && sc.exe start ProtectS.sys", + "Command": "sc.exe create bwrs.sys binPath=C:\\windows\\temp\\bwrs.sys type=kernel && sc.exe start bwrs.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -350,22 +218,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "ProtectS.sys", - "SHA256": "9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "ProtectS.sys", - "SHA256": "4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe", + "Filename": "bwrs.sys", + "SHA256": "221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9", "Signature": [], "Date": "", "Publisher": "", 
@@ -379,95 +233,127 @@ } ], "Tags": [ - "ProtectS.sys" - ] + "bwrs.sys" + ], + "yara": false }, { - "Id": "ff74f03e-e4ce-4242-bfe3-60601056bb34", + "Id": "fbdd993b-47b1-4448-8c41-24c310802398", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create CorsairLLAccess64.sys binPath=C:\\windows\\temp\\CorsairLLAccess64.sys type=kernel && sc.exe start CorsairLLAccess64.sys", - "Description": "", + "Command": "sc.exe create rwdrv.sys binPath=C:\\windows\\temp\\rwdrv.sys type=kernel && sc.exe start rwdrv.sys", + "Description": "This utility access almost all the computer hardware, including PCI (PCI Express), PCI Index/Data, Memory, Memory Index/Data, I/O Space, I/O Index/Data, Super I/O, Clock Generator, DIMM SPD, SMBus Device, CPU MSR Registers, ATA/ATAPI Identify Data, Disk Read Write, ACPI Tables Dump (include AML decode), Embedded Controller, USB Information, SMBIOS Structures, PCI Option ROMs, MP Configuration Table, E820, EDID and Remote Access. 
And also a Command Window is provided to access hardware manually.\n", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "http://rweverything.com/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "CorsairLLAccess64.sys", - "MD5": "803a371a78d528a44ef8777f67443b16", - "SHA1": "5fb9421be8a8b08ec395d05e00fd45eb753b593a", - "SHA256": "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b", + "Filename": "rwdrv.sys", + "MD5": "257483d5d8b268d0d679956c7acdf02d", + "SHA1": "fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2", + "SHA256": "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3", 
"Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" + "ChongKim Chan", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" ], "Date": "", "Publisher": "", - "Company": "Corsair Memory, Inc.", - "Description": "Corsair LL Access", - "Product": "Corsair LL Access", - "ProductVersion": "1.0.18.0", - "FileVersion": "1.0.18.0", - "MachineType": "AMD64", - "OriginalFilename": "Corsair LL Access", + "Company": "RW-Everything", + "Description": "RwDrv Driver", + "Product": "RwDrv Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "I386", + "OriginalFilename": "RwDrv.sys", "Authentihash": { - "MD5": "daa859bc87e256d7cbf1d86285d96f9b", - "SHA1": "d29d73b2add87a7daf3c626d593599ef6b9560ca", - "SHA256": "e4ac5c7fbb41ee988029b27d8b6be574725689fd1365f5a56f5a12d9120f86c6" + "MD5": "3cd1454d2308cee5c59b45d5f952e70b", + "SHA1": "2c3b01ff8ce024f70f9daad31ea6c78de54f239b", + "SHA256": "acb65f96f1d5c986b52d980a1c5ea009292ff472087fdd8a98a485404948f585" }, - "InternalName": "Corsair LL Access", - "Copyright": "Corsair Memory, Inc. 
(c) 2019, All rights reserved", + "InternalName": "RwDrv.sys", + "Copyright": "Copyright (C) 2011 RW-Everything", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ObfDereferenceObject", + "IoUnregisterPlugPlayNotification", + "ExFreePoolWithTag", + "MmUnmapIoSpace", + "MmMapIoSpace", + "RtlCompareMemory", + "ExAllocatePoolWithTag", + "memcpy", + "memset", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemorySpecifyCache", + "IoFreeIrp", + "IoFreeMdl", + "MmUnlockPages", "RtlInitUnicodeString", - "RtlGetVersion", - "KeInitializeMutex", - "KeReleaseMutex", + "IoBuildAsynchronousFsdRequest", "KeWaitForSingleObject", - "ExQueryDepthSList", - "ExpInterlockedPopEntrySList", - "ExpInterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "wcsncmp", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateDevice", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "IoFreeWorkItem", + "IoGetDeviceObjectPointer", + "ExfInterlockedInsertTailList", + "IoQueueWorkItem", + "IoAllocateWorkItem", + "RtlCopyUnicodeString", + "IoRegisterPlugPlayNotification", "IoCreateSymbolicLink", - "IoDeleteDevice", + "IoCreateDevice", + "KeTickCount", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetRequestorProcessId", - "__C_specific_handler", - "KeBugCheckEx", - "wcsncat_s", - "MmUnmapLockedPages", - "wcscpy_s", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoDeleteDevice", + "IofCallDriver", + "IofCompleteRequest", + "KfReleaseSpinLock", + "KeStallExecutionProcessor", + "KfAcquireSpinLock" ], "Signatures": [ { 
@@ -475,24 +361,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, CN=ChongKim Chan", + "ValidFrom": "2012-07-31 20:41:59", + "ValidTo": "2013-08-01 20:41:59", + "Signature": 
"6b86336c2008e3d1a9cb42f4e323c36c782602b06948e63b7cc646ca61b5768677c2cdd5cf24f58d68844079cd6d8e9534b3170a0261fe64ea47971eecf4a84de8174a4a8b5c6ad87894cf5cc8a10ec522db9697504b208442ae34ec6e9a0e85d93470f66374f36c4f1ec3483c136497b2880d8ba4de0342b5aa2c0890ad80e010c8e34ae8792740e677952d3bc05a36a032ab7bbb64051d506f674e0232f66900c8c29dad2df6960012a8bb216f9e83157632545ead40db592c1e7de76f407601b111113e9b087db3e780f21a61e9f7593e96332f0c35162e0900a61c6ba3a88faee64d9fe94cad5705d6d16585603b5bb376161bdcf01b0bb9022bb360aceb", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "11218f56dafd7542d5f3d70b213e2a546cff", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } 
@@ -500,1201 +407,507 @@ } ], "Tags": [ - "CorsairLLAccess64.sys" - ] + "rwdrv.sys" + ], + "yara": true }, { - "Id": "79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "d64167b6-f281-41d8-9535-6cb925e77aec", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create VBoxDrv.sys binPath=C:\\windows\\temp\\VBoxDrv.sys type=kernel && sc.exe start VBoxDrv.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" + "Commands": { + "Command": "sc.exe create EneTechIo64.sys binPath=C:\\windows\\temp\\EneTechIo64.sys type=kernel && sc.exe start EneTechIo64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", + "https://github.com/hfiref0x/KDU/releases/tag/v1.2.0", + "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "FileName": "VBoxDrv.sys", - "MD5": "b1b8e6b85dd03c7f1290b1a071fc79c1", - "SHA1": "a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec", - "SHA256": "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712", + "Filename": "EneTechIo64.sys", + "MD5": "d6e9f6c67d9b3d790d592557a7d57c3c", + "SHA1": "a87d6eac2d70a3fbc04e59412326b28001c179de", + "SHA256": "06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + 
"Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "6837b5fe3a3a100c88c7cf4f0408f528", - "SHA1": "d679aadb2844462deaaf069d48e7d0fc76979741", - "SHA256": "7dcd81140dc57d1d412c39940643ea923a1925815097f83788d840c1a7b57d25" + "MD5": "0765c07a666231285972c3487acfc7b2", + "SHA1": "6b60825564b2dccff3a4f904b71541bfe94136c9", + "SHA256": "865e4bc7290fc3b380e266ccd98c2d4e965beb711d7efd090d052e8326accdd2" }, - "Description": "VirtualBox Support Driver", - "Company": "Vektor T13 Security Service", - "InternalName": "VBoxDrv", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "1.2.0.119230", - "Product": "Antidetect 2018 Public by Vektor T13 (rev.05)", - "ProductVersion": "1.2.0.119230", - "Copyright": "Copyright (C) 2009-2018 Oracle Corporation", + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "IofCompleteRequest", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "RtlTimeToSecondsSince1970", + "KeBugCheckEx", + "ObfDereferenceObject", + "RtlInitUnicodeString", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + } + ], + "Tags": [ + "EneTechIo64.sys" + ], + "yara": false + }, + { + "Id": "ca415ed5-b611-4840-bfb2-6e1eacac33d1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Monitor_win10_x64.sys binPath=C:\\windows\\temp\\Monitor_win10_x64.sys type=kernel && sc.exe start Monitor_win10_x64.sys", + "Description": "CVE-2018-16712", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/244386-mta-fairplaykd-driver-reversed-exploited-rpm.html", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Monitor_win10_x64.sys", + "MD5": "988dabdcf990b134b0ac1e00512c30c4", + "SHA1": "ef80da613442047697bec35ea228cde477c09a3d", + "SHA256": "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb", + "Signature": [ + "IObit Information Technology", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "IObit", + "Description": "IObit Temperature Monitor", + "Product": "Advanced SystemCare", + "ProductVersion": "12.0.0.0", + "FileVersion": "1.2.0.11", "MachineType": "AMD64", + "OriginalFilename": "Monitor.sys", + "Authentihash": { + "MD5": "68e5bf10aeb81b2ec77280aec1c2dc22", + "SHA1": "c42802424a1e61cc089ba1f071734b390232aec3", + "SHA256": "2dec76da0b361e4ed49a4015e67cefb0e6b812103d8ebf93b74016d99d9fcfad" + }, + "InternalName": "Monitor.sys", + "Copyright": "© IObit. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "ASMAtomicBitClear", - "ASMAtomicXchgU16", - "ASMAtomicXchgU8", - "ASMGetCS", - "ASMGetDS", - "ASMGetES", - "ASMGetFS", - "ASMGetGS", - "ASMGetIDTR", - "ASMGetSS", - "ASMMultU64ByU32DivByU32", - "ASMNopPause", - "RTAssertAreQuiet", - "RTAssertMayPanic", - "RTAssertMsg1", - "RTAssertMsg1Weak", - "RTAssertMsg2AddV", - "RTAssertMsg2V", - "RTAssertMsg2Weak", - "RTAssertMsg2WeakV", - "RTAssertSetMayPanic", - "RTAssertSetQuiet", - "RTAssertShouldPanic", - "RTAvlPVDestroy", - "RTAvlPVDoWithAll", - "RTAvlPVGet", - "RTAvlPVGetBestFit", - "RTAvlPVInsert", - "RTAvlPVRemove", - "RTAvlPVRemoveBestFit", - "RTCrc32", - "RTCrc32Finish", - "RTCrc32Process", - "RTCrc32Start", - "RTErrConvertFromErrno", - "RTErrConvertFromNtStatus", - "RTErrConvertToErrno", - "RTErrInfoAdd", - "RTErrInfoAddF", - "RTErrInfoAddV", - "RTErrInfoSet", - "RTErrInfoSetF", - "RTErrInfoSetV", - "RTErrVarsAreEqual", - "RTErrVarsHaveChanged", - "RTErrVarsRestore", - "RTErrVarsSave", - "RTHandleTableAllocWithCtx", - "RTHandleTableCreate", - "RTHandleTableCreateEx", - "RTHandleTableDestroy", - "RTHandleTableFreeWithCtx", - "RTHandleTableLookupWithCtx", - "RTLatin1CalcUtf8Len", - "RTLatin1CalcUtf8LenEx", - "RTLatin1ToUtf8ExTag", - "RTLatin1ToUtf8Tag", - "RTLogClearFileDelayFlag", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDefaultInstanceEx", - "RTLogDestinations", - "RTLogDestroy", - "RTLogDumpPrintfV", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGetDefaultInstanceEx", - "RTLogGetDestinations", - "RTLogGetFlags", - "RTLogGetGroupSettings", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelGetDefaultInstance", - 
"RTLogRelGetDefaultInstanceEx", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetBuffering", - "RTLogRelSetDefaultInstance", - "RTLogSetBuffering", - "RTLogSetCustomPrefixCallback", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAllocExTag", - "RTMemAllocTag", - "RTMemAllocVarTag", - "RTMemAllocZTag", - "RTMemAllocZVarTag", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDupExTag", - "RTMemDupTag", - "RTMemExecAllocTag", - "RTMemExecFree", - "RTMemFree", - "RTMemFreeEx", - "RTMemReallocTag", - "RTMemTmpAllocTag", - "RTMemTmpAllocZTag", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpCurSetIndex", - "RTMpCurSetIndexAndId", - "RTMpGetArraySize", - "RTMpGetCount", - "RTMpGetCpuGroupCounts", - "RTMpGetMaxCpuGroupCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCoreCount", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetPresentCoreCount", - "RTMpGetPresentCount", - "RTMpGetPresentSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuPresent", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnAllIsConcurrentSafe", - "RTMpOnOthers", - "RTMpOnPair", - "RTMpOnPairIsConcurrentExecSupported", - "RTMpOnSpecific", - "RTMpPokeCpu", - "RTMpSetIndexFromCpuGroupMember", - "RTNetIPv4AddDataChecksum", - "RTNetIPv4AddTCPChecksum", - "RTNetIPv4AddUDPChecksum", - "RTNetIPv4FinalizeChecksum", - "RTNetIPv4HdrChecksum", - "RTNetIPv4IsDHCPValid", - "RTNetIPv4IsHdrValid", - "RTNetIPv4IsTCPSizeValid", - "RTNetIPv4IsTCPValid", - "RTNetIPv4IsUDPSizeValid", - "RTNetIPv4IsUDPValid", - "RTNetIPv4PseudoChecksum", - "RTNetIPv4PseudoChecksumBits", - "RTNetIPv4TCPChecksum", - "RTNetIPv4UDPChecksum", - "RTNetIPv6PseudoChecksum", - "RTNetIPv6PseudoChecksumBits", - "RTNetIPv6PseudoChecksumEx", - "RTNetTCPChecksum", - "RTNetUDPChecksum", 
- "RTOnceReset", - "RTOnceSlow", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0AssertPanicSystem", - "RTR0Init", - "RTR0MemAreKrnlAndUsrDifferent", - "RTR0MemKernelCopyFrom", - "RTR0MemKernelCopyTo", - "RTR0MemKernelIsValidAddr", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocContTag", - "RTR0MemObjAllocLowTag", - "RTR0MemObjAllocPageTag", - "RTR0MemObjAllocPhysExTag", - "RTR0MemObjAllocPhysNCTag", - "RTR0MemObjAllocPhysTag", - "RTR0MemObjEnterPhysTag", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernelTag", - "RTR0MemObjLockUserTag", - "RTR0MemObjMapKernelExTag", - "RTR0MemObjMapKernelTag", - "RTR0MemObjMapUserTag", - "RTR0MemObjProtect", - "RTR0MemObjReserveKernelTag", - "RTR0MemObjReserveUserTag", - "RTR0MemObjSize", - "RTR0MemUserCopyFrom", - "RTR0MemUserCopyTo", - "RTR0MemUserIsValidAddr", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTR0TermForced", - "RTSemEventCreate", - "RTSemEventCreateEx", - "RTSemEventDestroy", - "RTSemEventGetResolution", - "RTSemEventMultiCreate", - "RTSemEventMultiCreateEx", - "RTSemEventMultiDestroy", - "RTSemEventMultiGetResolution", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitEx", - "RTSemEventMultiWaitExDebug", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitEx", - "RTSemEventWaitExDebug", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSemMutexCreate", - "RTSemMutexCreateEx", - "RTSemMutexDestroy", - "RTSemMutexIsOwned", - "RTSemMutexRelease", - "RTSemMutexRequest", - "RTSemMutexRequestDebug", - "RTSemMutexRequestNoResume", - "RTSemMutexRequestNoResumeDebug", - "RTSemSpinMutexCreate", - "RTSemSpinMutexDestroy", - "RTSemSpinMutexRelease", - "RTSemSpinMutexRequest", - "RTSemSpinMutexTryRequest", - 
"RTSpinlockAcquire", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTStrAAppendNTag", - "RTStrAAppendTag", - "RTStrATruncateTag", - "RTStrAllocExTag", - "RTStrAllocTag", - "RTStrCalcLatin1Len", - "RTStrCalcLatin1LenEx", - "RTStrCalcUtf16Len", - "RTStrCalcUtf16LenEx", - "RTStrCat", - "RTStrConvertHexBytes", - "RTStrCopy", - "RTStrCopyEx", - "RTStrCopyP", - "RTStrDupExTag", - "RTStrDupNTag", - "RTStrDupTag", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrFree", - "RTStrGetCpExInternal", - "RTStrGetCpInternal", - "RTStrGetCpNExInternal", - "RTStrIsValidEncoding", - "RTStrNCmp", - "RTStrPrevCp", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrPurgeComplementSet", - "RTStrPurgeEncoding", - "RTStrPutCpInternal", - "RTStrReallocTag", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToLatin1ExTag", - "RTStrToLatin1Tag", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTStrToUni", - "RTStrToUniEx", - "RTStrToUtf16BigExTag", - "RTStrToUtf16BigTag", - "RTStrToUtf16ExTag", - "RTStrToUtf16Tag", - "RTStrUniLen", - "RTStrUniLenEx", - "RTStrValidateEncoding", - "RTStrValidateEncodingEx", - "RTTermDeregisterCallback", - "RTTermRegisterCallback", - "RTTermRunCallbacks", - "RTThreadCreate", - "RTThreadCreateF", - "RTThreadCreateV", - "RTThreadCtxHookCreate", - "RTThreadCtxHookDestroy", - "RTThreadCtxHookDisable", - "RTThreadCtxHookEnable", - "RTThreadCtxHookIsEnabled", - "RTThreadFromNative", - "RTThreadGetName", - 
"RTThreadGetNative", - "RTThreadGetType", - "RTThreadIsInInterrupt", - "RTThreadIsInitialized", - "RTThreadIsMain", - "RTThreadIsSelfAlive", - "RTThreadIsSelfKnown", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptIsPending", - "RTThreadPreemptIsPendingTrusty", - "RTThreadPreemptIsPossible", - "RTThreadPreemptRestore", - "RTThreadSelf", - "RTThreadSelfName", - "RTThreadSetName", - "RTThreadSetType", - "RTThreadSleep", - "RTThreadUserReset", - "RTThreadUserSignal", - "RTThreadUserWait", - "RTThreadUserWaitNoResume", - "RTThreadWait", - "RTThreadWaitNoResume", - "RTThreadYield", - "RTTimeExplode", - "RTTimeFromString", - "RTTimeImplode", - "RTTimeIsLeapYear", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNormalize", - "RTTimeNow", - "RTTimeSpecFromString", - "RTTimeSpecToString", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimeToString", - "RTTimerCanDoHighResolution", - "RTTimerChangeInterval", - "RTTimerCreate", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "RTUuidClear", - "RTUuidCompare", - "RTUuidCompare2Strs", - "RTUuidCompareStr", - "RTUuidFromStr", - "RTUuidFromUtf16", - "RTUuidIsNull", - "RTUuidToStr", - "RTUuidToUtf16", - "SUPGetCpuHzFromGipForAsyncMode", - "SUPGetGIP", - "SUPGetTscDeltaSlow", - "SUPIsTscFreqCompatible", - "SUPIsTscFreqCompatibleEx", - "SUPR0BadContext", - "SUPR0ChangeCR4", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetCurrentGdtRw", - "SUPR0GetKernelFeatures", - "SUPR0GetPagingMode", - "SUPR0GetSessionGVM", - "SUPR0GetSessionVM", - "SUPR0GetSvmUsability", - "SUPR0GetVmxUsability", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - 
"SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0PageProtect", - "SUPR0Printf", - "SUPR0QueryUcodeRev", - "SUPR0QueryVTCaps", - "SUPR0ResumeVTxOnCpu", - "SUPR0SetSessionVM", - "SUPR0SuspendVTxOnCpu", - "SUPR0TracerDeregisterDrv", - "SUPR0TracerDeregisterImpl", - "SUPR0TracerFireProbe", - "SUPR0TracerRegisterDrv", - "SUPR0TracerRegisterImpl", - "SUPR0TracerRegisterModule", - "SUPR0TracerUmodProbeFire", - "SUPR0TscDeltaMeasureBySetIndex", - "SUPR0UnlockMem", - "SUPReadTscWithDelta", - "SUPSemEventClose", - "SUPSemEventCreate", - "SUPSemEventGetResolution", - "SUPSemEventMultiClose", - "SUPSemEventMultiCreate", - "SUPSemEventMultiGetResolution", - "SUPSemEventMultiReset", - "SUPSemEventMultiSignal", - "SUPSemEventMultiWait", - "SUPSemEventMultiWaitNoResume", - "SUPSemEventMultiWaitNsAbsIntr", - "SUPSemEventMultiWaitNsRelIntr", - "SUPSemEventSignal", - "SUPSemEventWait", - "SUPSemEventWaitNoResume", - "SUPSemEventWaitNsAbsIntr", - "SUPSemEventWaitNsRelIntr", - "g_pSUPGlobalInfoPage", - "g_pszRTAssertExpr", - "g_pszRTAssertFile", - "g_pszRTAssertFunction", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2", - "g_u32RTAssertLine" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "strchr", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", "__C_specific_handler", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "IoIs32bitProcess", - "ZwSetSystemInformation", - "ExRegisterCallback", - "ExCreateCallback", - "MmGetSystemRoutineAddress", - "RtlQueryRegistryValues", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + 
"SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=Sichuan, L=Chengdu, O=IObit Information Technology, CN=IObit Information Technology", + "ValidFrom": "2018-01-16 00:00:00", + "ValidTo": "2021-03-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": 
"13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "5cd0502920c27eeaec2a184d0452e53a", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "Monitor_win10_x64.sys" + ], + "yara": true + }, + { + "Id": "4e5064b4-48d3-418c-a7a8-f0dc7ac0a176", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create MsIo32.sys binPath=C:\\windows\\temp\\MsIo32.sys type=kernel && sc.exe start MsIo32.sys", + "Description": "The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\\SYSTEM privileges, by mapping \\Device\\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": 
"Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845", + "http://blog.rewolf.pl/blog/?p=1630", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "MsIo32.sys", + "MD5": "d9e7e5bcc5b01915dbcef7762a7fc329", + "SHA1": "e6305dddd06490d7f87e3b06d09e9d4c1c643af0", + "SHA256": "525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd", + "Signature": [ + "MICSYS Technology Co., Ltd.", + "Symantec Class 3 Extended Validation Code Signing CA - G2", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6491c34f274a0ed6258fadca85bd69fb", + "SHA1": "7e732acb7cfad9ba043a9350cdeff25d742becb8", + "SHA256": "7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", "DbgPrint", - "KeSetTimerEx", - "KeInsertQueueDpc", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeSetImportanceDpc", - "KeInitializeDpc", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeSetPriorityThread", - "KeWaitForSingleObject", "ZwClose", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeInitializeMutex", - "KeReleaseMutex", - "KeReadStateMutex", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeResetEvent", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - 
"ProbeForRead", - "ProbeForWrite", - "MmHighestUserAddress", - "MmSystemRangeStart", - "KeSetTargetProcessorDpc", - "KeNumberProcessors", - "PsGetVersion", - "MmIsAddressValid", - "MmUnmapIoSpace", - "MmUnlockPages", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocateContiguousMemorySpecifyCache", - "MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory" + "ZwOpenSection", + "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "CN=Vektor T13 Security Service", - "ValidFrom": "2018-04-19 00:15:30", - "ValidTo": "2039-12-31 23:59:59", - "Signature": "6a53b7553edfd579a2a4dd005b893883cc26c3e314683b8b92b95b8b60e33d6c9841d1761bd52c2e5a69f9bec38e457bf5a06f43fdb4d4f601a2ae0b0c7e16e180b8447308fca66dcbdf34c0a4319e96af6f96f4b9037bfd7f1360efe2fd24efe837d59c64e895cee83d63952d217672932decd29af822e80d0d25a580d53e0c", - "SignatureAlgorithmOID": "1.3.14.3.2.29" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Taiwan, ??=New Taipei City, ??=Private Organization, serialNumber=84948057, C=TW, ST=Taiwan, L=New Taipei City, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", + "ValidFrom": "2017-09-14 00:00:00", + "ValidTo": "2018-09-14 23:59:59", + "Signature": "a088ab497bb3998b21a495dc947134af2f4fef067e37e6438b4f52f7773769bf583eaad5bf427552ca96f2dae2a60791066346a80c59c22fb22a98c6260fdccac7ed90a0148ce9dad3eebf008f1e3c206f952eea6748b256984b851e809d49c0923cb7224b48c96a83387aebbc70d44d19b1f865e59239b959dd2ecc6746062f1d9dd5ef426ed347184c9aad9d196279ca6e774e0d09b3f270fbe037e554c69c85d0a7d06b81047b0677e33011600c4dc4c08ff159f4ac344f96589cae7aec5166bc7a626b4d6fccbc07505872f781f9a2e4a0a0d5b1539790287a114be16b1c2a1648fbeeb9d95beb171ab1c4007c5c23f044c782cdfbb1703a13ee833197ba", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "c3b2c606d320e0bf4f71f1e73668a938", - "Issuer": "CN=Vektor T13 Security Service" + "SerialNumber": "48e28f46a3e4ac760dfa9a58fa6c6363", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] + } + ], + "Tags": [ + "MsIo32.sys" + ], + "yara": false + }, + { + "Id": "b03798af-d25a-400b-9236-4643a802846f", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create RwDrv.sys binPath=C:\\windows\\temp\\RwDrv.sys type=kernel && sc.exe start RwDrv.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe.yara" }, { - "FileName": "VBoxDrv.sys", - "MD5": "02a1d77ef13bd41cad04abcce896d0b9", - "SHA1": "59c0fa0d61576d9eb839c9c7e15d57047ee7fe29", - "SHA256": "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14.yara" + }, + { + "type": 
"yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "RwDrv.sys", + "MD5": "f853abe0dc162601e66e4a346faed854", + "SHA1": "35b28b15835aa0775b57f460d8a03e53dc1fb30f", + "SHA256": "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe", "Authentihash": { - "MD5": "49f3b147b53aa5ebce9ddce9a20fe9ff", - "SHA1": "46064d1e248e2c9d24950d6a5dcf68a2c12aeb9d", - "SHA256": "7e5abe4530eff3838d44516f95c15d8b3ec6cec44ca7b67998e50641c939d12a" + "MD5": "9996409a6c7c91374a597ea9d1f7799c", + "SHA1": "5851f58c92f8fd548c42f10c258d1e95afe7ce88", + "SHA256": "1fd7a44b042d397ad5a6417e4aa4b30eb2e40df6274d3ac7155ecc68c88cdb6d" 
}, - "Description": "VirtualBox Support Driver", - "Company": "Vektor T13 Security Service", - "InternalName": "VBoxDrv", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "1.4.2.119230", - "Product": "Antidetect 2019 Public", - "ProductVersion": "1.4.2.119230", - "Copyright": "Copyright (C) 2009-2019 Oracle Corporation", + "Description": "RwDrv Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RwDrv Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2011 RW-Everything", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "ASMAtomicBitClear", - "ASMAtomicXchgU16", - "ASMAtomicXchgU8", - "ASMGetCS", - "ASMGetDS", - "ASMGetES", - "ASMGetFS", - "ASMGetGS", - "ASMGetIDTR", - "ASMGetSS", - "ASMMultU64ByU32DivByU32", - "ASMNopPause", - "RTAssertAreQuiet", - "RTAssertMayPanic", - "RTAssertMsg1", - "RTAssertMsg1Weak", - "RTAssertMsg2AddV", - "RTAssertMsg2V", - "RTAssertMsg2Weak", - "RTAssertMsg2WeakV", - "RTAssertSetMayPanic", - "RTAssertSetQuiet", - "RTAssertShouldPanic", - "RTAvlPVDestroy", - "RTAvlPVDoWithAll", - "RTAvlPVGet", - "RTAvlPVGetBestFit", - "RTAvlPVInsert", - "RTAvlPVRemove", - "RTAvlPVRemoveBestFit", - "RTCrc32", - "RTCrc32Finish", - "RTCrc32Process", - "RTCrc32Start", - "RTErrConvertFromErrno", - "RTErrConvertFromNtStatus", - "RTErrConvertToErrno", - "RTErrInfoAdd", - "RTErrInfoAddF", - "RTErrInfoAddV", - "RTErrInfoSet", - "RTErrInfoSetF", - "RTErrInfoSetV", - "RTErrVarsAreEqual", - "RTErrVarsHaveChanged", - "RTErrVarsRestore", - "RTErrVarsSave", - "RTHandleTableAllocWithCtx", - "RTHandleTableCreate", - "RTHandleTableCreateEx", - "RTHandleTableDestroy", - "RTHandleTableFreeWithCtx", - "RTHandleTableLookupWithCtx", - "RTLatin1CalcUtf8Len", - "RTLatin1CalcUtf8LenEx", - "RTLatin1ToUtf8ExTag", - "RTLatin1ToUtf8Tag", - "RTLogClearFileDelayFlag", - "RTLogCloneRC", - "RTLogComPrintf", - 
"RTLogComPrintfV", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDefaultInstanceEx", - "RTLogDestinations", - "RTLogDestroy", - "RTLogDumpPrintfV", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGetDefaultInstanceEx", - "RTLogGetDestinations", - "RTLogGetFlags", - "RTLogGetGroupSettings", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelGetDefaultInstance", - "RTLogRelGetDefaultInstanceEx", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetBuffering", - "RTLogRelSetDefaultInstance", - "RTLogSetBuffering", - "RTLogSetCustomPrefixCallback", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAllocExTag", - "RTMemAllocTag", - "RTMemAllocVarTag", - "RTMemAllocZTag", - "RTMemAllocZVarTag", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDupExTag", - "RTMemDupTag", - "RTMemExecAllocTag", - "RTMemExecFree", - "RTMemFree", - "RTMemFreeEx", - "RTMemReallocTag", - "RTMemTmpAllocTag", - "RTMemTmpAllocZTag", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpCurSetIndex", - "RTMpCurSetIndexAndId", - "RTMpGetArraySize", - "RTMpGetCount", - "RTMpGetCpuGroupCounts", - "RTMpGetMaxCpuGroupCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCoreCount", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetPresentCoreCount", - "RTMpGetPresentCount", - "RTMpGetPresentSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuPresent", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnAllIsConcurrentSafe", - "RTMpOnOthers", - "RTMpOnPair", - "RTMpOnPairIsConcurrentExecSupported", - "RTMpOnSpecific", - 
"RTMpPokeCpu", - "RTMpSetIndexFromCpuGroupMember", - "RTNetIPv4AddDataChecksum", - "RTNetIPv4AddTCPChecksum", - "RTNetIPv4AddUDPChecksum", - "RTNetIPv4FinalizeChecksum", - "RTNetIPv4HdrChecksum", - "RTNetIPv4IsDHCPValid", - "RTNetIPv4IsHdrValid", - "RTNetIPv4IsTCPSizeValid", - "RTNetIPv4IsTCPValid", - "RTNetIPv4IsUDPSizeValid", - "RTNetIPv4IsUDPValid", - "RTNetIPv4PseudoChecksum", - "RTNetIPv4PseudoChecksumBits", - "RTNetIPv4TCPChecksum", - "RTNetIPv4UDPChecksum", - "RTNetIPv6PseudoChecksum", - "RTNetIPv6PseudoChecksumBits", - "RTNetIPv6PseudoChecksumEx", - "RTNetTCPChecksum", - "RTNetUDPChecksum", - "RTOnceReset", - "RTOnceSlow", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0AssertPanicSystem", - "RTR0Init", - "RTR0MemAreKrnlAndUsrDifferent", - "RTR0MemKernelCopyFrom", - "RTR0MemKernelCopyTo", - "RTR0MemKernelIsValidAddr", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocContTag", - "RTR0MemObjAllocLowTag", - "RTR0MemObjAllocPageTag", - "RTR0MemObjAllocPhysExTag", - "RTR0MemObjAllocPhysNCTag", - "RTR0MemObjAllocPhysTag", - "RTR0MemObjEnterPhysTag", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernelTag", - "RTR0MemObjLockUserTag", - "RTR0MemObjMapKernelExTag", - "RTR0MemObjMapKernelTag", - "RTR0MemObjMapUserTag", - "RTR0MemObjProtect", - "RTR0MemObjReserveKernelTag", - "RTR0MemObjReserveUserTag", - "RTR0MemObjSize", - "RTR0MemUserCopyFrom", - "RTR0MemUserCopyTo", - "RTR0MemUserIsValidAddr", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTR0TermForced", - "RTSemEventCreate", - "RTSemEventCreateEx", - "RTSemEventDestroy", - "RTSemEventGetResolution", - "RTSemEventMultiCreate", - "RTSemEventMultiCreateEx", - "RTSemEventMultiDestroy", - "RTSemEventMultiGetResolution", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitEx", - "RTSemEventMultiWaitExDebug", - "RTSemEventMultiWaitNoResume", - 
"RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitEx", - "RTSemEventWaitExDebug", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSemMutexCreate", - "RTSemMutexCreateEx", - "RTSemMutexDestroy", - "RTSemMutexIsOwned", - "RTSemMutexRelease", - "RTSemMutexRequest", - "RTSemMutexRequestDebug", - "RTSemMutexRequestNoResume", - "RTSemMutexRequestNoResumeDebug", - "RTSemSpinMutexCreate", - "RTSemSpinMutexDestroy", - "RTSemSpinMutexRelease", - "RTSemSpinMutexRequest", - "RTSemSpinMutexTryRequest", - "RTSpinlockAcquire", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTStrAAppendNTag", - "RTStrAAppendTag", - "RTStrATruncateTag", - "RTStrAllocExTag", - "RTStrAllocTag", - "RTStrCalcLatin1Len", - "RTStrCalcLatin1LenEx", - "RTStrCalcUtf16Len", - "RTStrCalcUtf16LenEx", - "RTStrCat", - "RTStrConvertHexBytes", - "RTStrCopy", - "RTStrCopyEx", - "RTStrCopyP", - "RTStrDupExTag", - "RTStrDupNTag", - "RTStrDupTag", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrFree", - "RTStrGetCpExInternal", - "RTStrGetCpInternal", - "RTStrGetCpNExInternal", - "RTStrIsValidEncoding", - "RTStrNCmp", - "RTStrPrevCp", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrPurgeComplementSet", - "RTStrPurgeEncoding", - "RTStrPutCpInternal", - "RTStrReallocTag", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToLatin1ExTag", - "RTStrToLatin1Tag", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - 
"RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTStrToUni", - "RTStrToUniEx", - "RTStrToUtf16BigExTag", - "RTStrToUtf16BigTag", - "RTStrToUtf16ExTag", - "RTStrToUtf16Tag", - "RTStrUniLen", - "RTStrUniLenEx", - "RTStrValidateEncoding", - "RTStrValidateEncodingEx", - "RTTermDeregisterCallback", - "RTTermRegisterCallback", - "RTTermRunCallbacks", - "RTThreadCreate", - "RTThreadCreateF", - "RTThreadCreateV", - "RTThreadCtxHookCreate", - "RTThreadCtxHookDestroy", - "RTThreadCtxHookDisable", - "RTThreadCtxHookEnable", - "RTThreadCtxHookIsEnabled", - "RTThreadFromNative", - "RTThreadGetName", - "RTThreadGetNative", - "RTThreadGetType", - "RTThreadIsInInterrupt", - "RTThreadIsInitialized", - "RTThreadIsMain", - "RTThreadIsSelfAlive", - "RTThreadIsSelfKnown", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptIsPending", - "RTThreadPreemptIsPendingTrusty", - "RTThreadPreemptIsPossible", - "RTThreadPreemptRestore", - "RTThreadSelf", - "RTThreadSelfName", - "RTThreadSetName", - "RTThreadSetType", - "RTThreadSleep", - "RTThreadUserReset", - "RTThreadUserSignal", - "RTThreadUserWait", - "RTThreadUserWaitNoResume", - "RTThreadWait", - "RTThreadWaitNoResume", - "RTThreadYield", - "RTTimeExplode", - "RTTimeFromString", - "RTTimeImplode", - "RTTimeIsLeapYear", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNormalize", - "RTTimeNow", - "RTTimeSpecFromString", - "RTTimeSpecToString", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimeToString", - "RTTimerCanDoHighResolution", - "RTTimerChangeInterval", - "RTTimerCreate", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "RTUuidClear", - "RTUuidCompare", - "RTUuidCompare2Strs", - "RTUuidCompareStr", - "RTUuidFromStr", - "RTUuidFromUtf16", - "RTUuidIsNull", - "RTUuidToStr", - "RTUuidToUtf16", - "SUPGetCpuHzFromGipForAsyncMode", - "SUPGetGIP", - 
"SUPGetTscDeltaSlow", - "SUPIsTscFreqCompatible", - "SUPIsTscFreqCompatibleEx", - "SUPR0BadContext", - "SUPR0ChangeCR4", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetCurrentGdtRw", - "SUPR0GetKernelFeatures", - "SUPR0GetPagingMode", - "SUPR0GetSessionGVM", - "SUPR0GetSessionVM", - "SUPR0GetSvmUsability", - "SUPR0GetVmxUsability", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0PageProtect", - "SUPR0Printf", - "SUPR0QueryUcodeRev", - "SUPR0QueryVTCaps", - "SUPR0ResumeVTxOnCpu", - "SUPR0SetSessionVM", - "SUPR0SuspendVTxOnCpu", - "SUPR0TracerDeregisterDrv", - "SUPR0TracerDeregisterImpl", - "SUPR0TracerFireProbe", - "SUPR0TracerRegisterDrv", - "SUPR0TracerRegisterImpl", - "SUPR0TracerRegisterModule", - "SUPR0TracerUmodProbeFire", - "SUPR0TscDeltaMeasureBySetIndex", - "SUPR0UnlockMem", - "SUPReadTscWithDelta", - "SUPSemEventClose", - "SUPSemEventCreate", - "SUPSemEventGetResolution", - "SUPSemEventMultiClose", - "SUPSemEventMultiCreate", - "SUPSemEventMultiGetResolution", - "SUPSemEventMultiReset", - "SUPSemEventMultiSignal", - "SUPSemEventMultiWait", - "SUPSemEventMultiWaitNoResume", - "SUPSemEventMultiWaitNsAbsIntr", - "SUPSemEventMultiWaitNsRelIntr", - "SUPSemEventSignal", - "SUPSemEventWait", - "SUPSemEventWaitNoResume", - "SUPSemEventWaitNsAbsIntr", - "SUPSemEventWaitNsRelIntr", - "g_pSUPGlobalInfoPage", - "g_pszRTAssertExpr", - "g_pszRTAssertFile", - "g_pszRTAssertFunction", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2", - "g_u32RTAssertLine" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "strchr", - "IoDeleteDevice", - 
"IoCreateDevice", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", - "__C_specific_handler", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "IoIs32bitProcess", - "ZwSetSystemInformation", - "ExRegisterCallback", - "ExCreateCallback", - "MmGetSystemRoutineAddress", + "IoRegisterPlugPlayNotification", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoFreeWorkItem", + "KeInitializeEvent", "RtlQueryRegistryValues", - "DbgPrint", - "KeSetTimerEx", - "KeInsertQueueDpc", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeSetImportanceDpc", - "KeInitializeDpc", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeSetPriorityThread", - "KeWaitForSingleObject", - "ZwClose", - "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeAcquireSpinLockRaiseToDpc", "KeReleaseSpinLock", - "KeInitializeMutex", - "KeReleaseMutex", - "KeReadStateMutex", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeResetEvent", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "ProbeForRead", - "ProbeForWrite", - "MmHighestUserAddress", - "MmSystemRangeStart", - "KeSetTargetProcessorDpc", - "KeNumberProcessors", - "PsGetVersion", - "MmIsAddressValid", "MmUnmapIoSpace", - "MmUnlockPages", - "MmFreeContiguousMemory", "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocateContiguousMemorySpecifyCache", - "MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", "MmGetPhysicalAddress", - "MmAllocateContiguousMemory" + "IoGetDeviceObjectPointer", + "IoBuildAsynchronousFsdRequest", + "ExInterlockedInsertTailList", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + 
"IoUnregisterPlugPlayNotification", + "IofCompleteRequest", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", + "IoCreateSymbolicLink", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "IoCreateDevice", + "IoQueueWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", + "IoAllocateWorkItem", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -1702,365 +915,104 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "CN=Vektor T13 Technology", - "ValidFrom": "2018-08-10 07:42:52", - "ValidTo": "2039-12-31 23:59:59", - "Signature": "4819acb135277102eb22d1ebf53707b6651b1dac668cbe264acefb52a0567dee778627ae98f2f8a69142e210ed9a585a826bea9339108f6cc8567a8a0d3b471dde8e932b4d7b466e657e0592faa7578e548c1d1f3b746190fac243e75735ad18bb9cf901d94d92ed4bfbe7729d439bdd300a6cb5fb75d17364033f92a8d15398", - "SignatureAlgorithmOID": "1.3.14.3.2.29" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4d87df1b3d1e239b405dc85d0a0bad22", - 
"Issuer": "CN=Vektor T13 Technology" + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "VBoxDrv.sys", - "MD5": "962a33a191dbe56915fd196e3a868cf0", - "SHA1": "449ff4f5ce2fdddac05a6c82e45a7e802b1c1305", - "SHA256": "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c", + "FileName": "RwDrv.sys", + "MD5": "4ad30223df1361726ff64417f8515272", + "SHA1": "3f6a997b04d2299ba0e9f505803e8d60d0755f44", + "SHA256": "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f", "Authentihash": { - "MD5": "5491106d0dc46b737e07072122359638", - "SHA1": "2fa597885c165e354736143e9645570e3637b57b", - "SHA256": "c62bf9d0cc1edfffc15f3f002cd7f51efe3372320ec89d9dc96011000915c186" + "MD5": "a3b9e0285d00597ea1531664a051be06", + "SHA1": "e7fac017b371a43276e03bf5f71d437e8d377930", + "SHA256": "0a3090ae46b3ce5f4cc6ba2d4dd265033e23c813d5c1e9c7a20a84d5d167dae3" }, - "Description": "VirtualBox Support Driver", - "Company": "Sun Microsystems, Inc.", - "InternalName": "VBoxDrv.sys", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "3.0.0.r49315", - "Product": "Sun VirtualBox", - "ProductVersion": "3.0.0.r49315", - "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", + "Description": "RW-Everything Read & Write Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2008 RW-Everything", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "?RTThreadAdopt@@YAHW4RTTHREADTYPE@@IPEBDPEAPEAURTTHREADINT@@@Z", - "AssertMsg1", - "AssertMsg2", - "RTAssertShouldPanic", - "RTAvlPVDestroy", - "RTAvlPVDoWithAll", - "RTAvlPVGet", - "RTAvlPVGetBestFit", - 
"RTAvlPVInsert", - "RTAvlPVRemove", - "RTAvlPVRemoveBestFit", - "RTErrConvertFromNtStatus", - "RTHandleTableAllocWithCtx", - "RTHandleTableCreate", - "RTHandleTableCreateEx", - "RTHandleTableDestroy", - "RTHandleTableFreeWithCtx", - "RTHandleTableLookupWithCtx", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCopyGroupsAndFlags", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDestroy", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetDefaultInstance", - "RTLogSetCustomPrefixCallback", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDup", - "RTMemDupEx", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTMpPokeCpu", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0Init", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - 
"RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", - "RTR0MemObjMapKernelEx", - "RTR0MemObjMapUser", - "RTR0MemObjProtect", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - "RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTThreadCreate", - "RTThreadCreateF", - "RTThreadCreateV", - "RTThreadFromNative", - "RTThreadGetName", - "RTThreadGetNative", - "RTThreadGetType", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptIsPending", - "RTThreadPreemptIsPendingTrusty", - "RTThreadPreemptRestore", - "RTThreadSelf", - "RTThreadSelfName", - "RTThreadSetName", - "RTThreadSetType", - "RTThreadSleep", - 
"RTThreadUserReset", - "RTThreadUserSignal", - "RTThreadUserWait", - "RTThreadUserWaitNoResume", - "RTThreadWait", - "RTThreadWaitNoResume", - "RTThreadYield", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNow", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetPagingMode", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0PageProtect", - "SUPR0UnlockMem", - "SUPSemEventClose", - "SUPSemEventCreate", - "SUPSemEventMultiClose", - "SUPSemEventMultiCreate", - "SUPSemEventMultiReset", - "SUPSemEventMultiSignal", - "SUPSemEventMultiWait", - "SUPSemEventMultiWaitNoResume", - "SUPSemEventSignal", - "SUPSemEventWait", - "SUPSemEventWaitNoResume", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "ExRegisterCallback", - "ExCreateCallback", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", "IoCreateDevice", - "IoGetStackLimits", - "memchr", - 
"strncmp", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeWaitForSingleObject", - "KeResetEvent", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeDelayExecutionThread", - "ZwYieldExecution", - "ExFreePoolWithTag", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", "ExAllocatePoolWithTag", - "KeQueryActiveProcessors", - "strchr", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "KeSetTimerEx", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "__C_specific_handler", - "PsGetVersion", - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "MmUnmapIoSpace", - "MmUnlockPages", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "KeSetPriorityThread", - "ZwClose", - "ObReferenceObjectByHandle", - "PsCreateSystemThread" + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -2068,31 +1020,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", - "ValidFrom": "2008-06-11 00:00:00", - "ValidTo": "2011-06-11 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -2101,14033 +1046,82 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2014-03-07 00:00:00", + "ValidTo": "2017-05-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "VBoxDrv.sys", - "MD5": "3e87e3346441539d3a90278a120766df", - "SHA1": "ce5681896e7631b6e83cccb7aa056a33e72a1bbe", - "SHA256": "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4", + "FileName": "RwDrv.sys", + "MD5": "969f1d19449dc5c2535dd5786093f651", + "SHA1": "78834ff75e2ff8b7456e85114802e58bc9fda457", + "SHA256": "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14", "Authentihash": { - "MD5": "d8e8d4c6d5dd6ba5ca58979f569cba95", - "SHA1": "c9027b3e1c731d0a16acd94c947f446df1a23318", - "SHA256": "681de794238060ec929aa5cf6c4701069f113a8524d31fb2f411648968ca17de" + "MD5": "a36411168cc8b448c6864d890c7727ea", + "SHA1": "c2f2ac17f06be23c0b71f929ea63356123f3a72f", + "SHA256": "aa7f25d4857a4b443222934bcbb0904348a799fc884096f653d921817c0b34aa" }, - "Description": "VirtualBox Support Driver", - "Company": "Pinduoduo Ltd Corp", - "InternalName": "VBoxDrv", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "1.2.0.137904", - "Product": "Pinduoduo Secure VDI", - "ProductVersion": "1.2.0.137904", - "Copyright": "Copyright (C) 2015-2021 Pinduoduo Corporation", + "Description": "RW-Everything Read & Write Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2008 RW-Everything", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "?RTAsn1VideotexString_CheckSanity@@YAHPEBURTASN1STRING@@IPEAURTERRINFO@@PEBD@Z", - 
"?RTAsn1VideotexString_Clone@@YAHPEAURTASN1STRING@@PEBU1@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTAsn1VideotexString_Compare@@YAHPEBURTASN1STRING@@0@Z", - "?RTAsn1VideotexString_DecodeAsn1@@YAHPEAURTASN1CURSOR@@IPEAURTASN1STRING@@PEBD@Z", - "?RTAsn1VideotexString_Delete@@YAXPEAURTASN1STRING@@@Z", - "?RTAsn1VideotexString_Enum@@YAHPEAURTASN1STRING@@P6AHPEAURTASN1CORE@@PEBDIPEAX@ZI3@Z", - "?RTAsn1VideotexString_Init@@YAHPEAURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrPkcs7Cert_SetAcV1@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrPkcs7Cert_SetAcV2@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrPkcs7Cert_SetExtendedCert@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrPkcs7Cert_SetOtherCert@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrPkcs7Cert_SetX509Cert@@YAHPEAURTCRPKCS7CERT@@PEBURTCRX509CERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrSpcLink_SetFile@@YAHPEAURTCRSPCLINK@@PEBURTCRSPCSTRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrSpcLink_SetMoniker@@YAHPEAURTCRSPCLINK@@PEBURTCRSPCSERIALIZEDOBJECT@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrSpcLink_SetUrl@@YAHPEAURTCRSPCLINK@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrSpcString_SetAscii@@YAHPEAURTCRSPCSTRING@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrSpcString_SetUcs2@@YAHPEAURTCRSPCSTRING@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrTafTrustAnchorChoice_SetCertificate@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRX509CERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrTafTrustAnchorChoice_SetTaInfo@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRTAFTRUSTANCHORINFO@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrTafTrustAnchorChoice_SetTbsCert@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRX509TBSCERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280@@YA_NPEBURTCRX509ATTRIBUTETYPEANDVALUE@@0@Z", - 
"?RTCrX509GeneralName_SetDirectoryName@@YAHPEAURTCRX509GENERALNAME@@PEBURTCRX509NAME@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetDnsType@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetEdiPartyName@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1DYNTYPE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetIpAddress@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1OCTETSTRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetOtherName@@YAHPEAURTCRX509GENERALNAME@@PEBURTCRX509OTHERNAME@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetRegisteredId@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1OBJID@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetRfc822@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetUri@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509GeneralName_SetX400Address@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1DYNTYPE@@PEBURTASN1ALLOCATORVTABLE@@@Z", - "?RTCrX509RelativeDistinguishedName_MatchByRfc5280@@YA_NPEBURTCRX509ATTRIBUTETYPEANDVALUES@@0@Z", - "ASMAtomicBitClear", - "ASMAtomicXchgU16", - "ASMAtomicXchgU8", - "ASMCpuIdExSlow", - "ASMGetCS", - "ASMGetDS", - "ASMGetES", - "ASMGetFS", - "ASMGetFlags", - "ASMGetGS", - "ASMGetIDTR", - "ASMGetSS", - "ASMMemFirstMismatchingU8", - "ASMMemFirstNonZero", - "ASMMultU64ByU32DivByU32", - "ASMNopPause", - "ASMSetFlags", - "RTAsn1BitString_AreContentBitsValid", - "RTAsn1BitString_CheckSanity", - "RTAsn1BitString_Clone", - "RTAsn1BitString_Compare", - "RTAsn1BitString_DecodeAsn1", - "RTAsn1BitString_DecodeAsn1Ex", - "RTAsn1BitString_Delete", - "RTAsn1BitString_Enum", - "RTAsn1BitString_GetAsUInt64", - "RTAsn1BitString_Init", - "RTAsn1BitString_RefreshContent", - "RTAsn1BmpString_CheckSanity", - "RTAsn1BmpString_Clone", - "RTAsn1BmpString_Compare", - "RTAsn1BmpString_DecodeAsn1", - "RTAsn1BmpString_Delete", - "RTAsn1BmpString_Enum", - 
"RTAsn1BmpString_Init", - "RTAsn1Boolean_CheckSanity", - "RTAsn1Boolean_Clone", - "RTAsn1Boolean_Compare", - "RTAsn1Boolean_DecodeAsn1", - "RTAsn1Boolean_Delete", - "RTAsn1Boolean_Enum", - "RTAsn1Boolean_Init", - "RTAsn1Boolean_InitDefault", - "RTAsn1Boolean_Set", - "RTAsn1ContentAllocZ", - "RTAsn1ContentDup", - "RTAsn1ContentFree", - "RTAsn1ContentReallocZ", - "RTAsn1ContextTagN_Clone", - "RTAsn1ContextTagN_Init", - "RTAsn1Core_ChangeTag", - "RTAsn1Core_CheckSanity", - "RTAsn1Core_Clone", - "RTAsn1Core_CloneContent", - "RTAsn1Core_CloneNoContent", - "RTAsn1Core_Compare", - "RTAsn1Core_CompareEx", - "RTAsn1Core_DecodeAsn1", - "RTAsn1Core_Delete", - "RTAsn1Core_Enum", - "RTAsn1Core_Init", - "RTAsn1Core_InitDefault", - "RTAsn1Core_InitEx", - "RTAsn1Core_ResetImplict", - "RTAsn1Core_SetTagAndFlags", - "RTAsn1CursorCheckEnd", - "RTAsn1CursorCheckOctStrEnd", - "RTAsn1CursorCheckSeqEnd", - "RTAsn1CursorCheckSetEnd", - "RTAsn1CursorGetBitString", - "RTAsn1CursorGetBitStringEx", - "RTAsn1CursorGetBmpString", - "RTAsn1CursorGetBoolean", - "RTAsn1CursorGetContextTagNCursor", - "RTAsn1CursorGetCore", - "RTAsn1CursorGetDynType", - "RTAsn1CursorGetIa5String", - "RTAsn1CursorGetInteger", - "RTAsn1CursorGetNull", - "RTAsn1CursorGetObjId", - "RTAsn1CursorGetOctetString", - "RTAsn1CursorGetSequenceCursor", - "RTAsn1CursorGetSetCursor", - "RTAsn1CursorGetString", - "RTAsn1CursorGetTime", - "RTAsn1CursorGetUtf8String", - "RTAsn1CursorInitAllocation", - "RTAsn1CursorInitArrayAllocation", - "RTAsn1CursorInitPrimary", - "RTAsn1CursorInitSub", - "RTAsn1CursorInitSubFromCore", - "RTAsn1CursorIsEnd", - "RTAsn1CursorIsNextEx", - "RTAsn1CursorMatchTagClassFlagsEx", - "RTAsn1CursorPeek", - "RTAsn1CursorReadHdr", - "RTAsn1CursorSetInfo", - "RTAsn1CursorSetInfoV", - "RTAsn1Dummy_InitEx", - "RTAsn1Dump", - "RTAsn1DynType_CheckSanity", - "RTAsn1DynType_Clone", - "RTAsn1DynType_Compare", - "RTAsn1DynType_DecodeAsn1", - "RTAsn1DynType_Delete", - "RTAsn1DynType_Enum", - "RTAsn1DynType_Init", - 
"RTAsn1EncodePrepare", - "RTAsn1EncodeRecalcHdrSize", - "RTAsn1EncodeToBuffer", - "RTAsn1EncodeWrite", - "RTAsn1EncodeWriteHeader", - "RTAsn1GeneralString_CheckSanity", - "RTAsn1GeneralString_Clone", - "RTAsn1GeneralString_Compare", - "RTAsn1GeneralString_DecodeAsn1", - "RTAsn1GeneralString_Delete", - "RTAsn1GeneralString_Enum", - "RTAsn1GeneralString_Init", - "RTAsn1GeneralizedTime_CheckSanity", - "RTAsn1GeneralizedTime_Clone", - "RTAsn1GeneralizedTime_Compare", - "RTAsn1GeneralizedTime_DecodeAsn1", - "RTAsn1GeneralizedTime_Delete", - "RTAsn1GeneralizedTime_Enum", - "RTAsn1GeneralizedTime_Init", - "RTAsn1GraphicString_CheckSanity", - "RTAsn1GraphicString_Clone", - "RTAsn1GraphicString_Compare", - "RTAsn1GraphicString_DecodeAsn1", - "RTAsn1GraphicString_Delete", - "RTAsn1GraphicString_Enum", - "RTAsn1GraphicString_Init", - "RTAsn1Ia5String_CheckSanity", - "RTAsn1Ia5String_Clone", - "RTAsn1Ia5String_Compare", - "RTAsn1Ia5String_DecodeAsn1", - "RTAsn1Ia5String_Delete", - "RTAsn1Ia5String_Enum", - "RTAsn1Ia5String_Init", - "RTAsn1Integer_CheckSanity", - "RTAsn1Integer_Clone", - "RTAsn1Integer_Compare", - "RTAsn1Integer_DecodeAsn1", - "RTAsn1Integer_Delete", - "RTAsn1Integer_Enum", - "RTAsn1Integer_FromBigNum", - "RTAsn1Integer_Init", - "RTAsn1Integer_InitDefault", - "RTAsn1Integer_InitU64", - "RTAsn1Integer_ToBigNum", - "RTAsn1Integer_ToString", - "RTAsn1Integer_UnsignedCompare", - "RTAsn1Integer_UnsignedCompareWithU32", - "RTAsn1Integer_UnsignedCompareWithU64", - "RTAsn1Integer_UnsignedLastBit", - "RTAsn1MemAllocZ", - "RTAsn1MemDup", - "RTAsn1MemFree", - "RTAsn1MemFreeArray", - "RTAsn1MemInitAllocation", - "RTAsn1MemInitArrayAllocation", - "RTAsn1MemResizeArray", - "RTAsn1Null_CheckSanity", - "RTAsn1Null_Clone", - "RTAsn1Null_Compare", - "RTAsn1Null_DecodeAsn1", - "RTAsn1Null_Delete", - "RTAsn1Null_Enum", - "RTAsn1Null_Init", - "RTAsn1NumericString_CheckSanity", - "RTAsn1NumericString_Clone", - "RTAsn1NumericString_Compare", - "RTAsn1NumericString_DecodeAsn1", - 
"RTAsn1NumericString_Delete", - "RTAsn1NumericString_Enum", - "RTAsn1NumericString_Init", - "RTAsn1ObjIdCountComponents", - "RTAsn1ObjIdGetComponentsAsUInt32", - "RTAsn1ObjIdGetLastComponentsAsUInt32", - "RTAsn1ObjId_CheckSanity", - "RTAsn1ObjId_Clone", - "RTAsn1ObjId_Compare", - "RTAsn1ObjId_CompareWithString", - "RTAsn1ObjId_DecodeAsn1", - "RTAsn1ObjId_Delete", - "RTAsn1ObjId_Enum", - "RTAsn1ObjId_Init", - "RTAsn1ObjId_InitFromString", - "RTAsn1ObjId_StartsWith", - "RTAsn1OctetString_AreContentBytesValid", - "RTAsn1OctetString_CheckSanity", - "RTAsn1OctetString_Clone", - "RTAsn1OctetString_Compare", - "RTAsn1OctetString_DecodeAsn1", - "RTAsn1OctetString_Delete", - "RTAsn1OctetString_Enum", - "RTAsn1OctetString_Init", - "RTAsn1OctetString_RefreshContent", - "RTAsn1PrintableString_CheckSanity", - "RTAsn1PrintableString_Clone", - "RTAsn1PrintableString_Compare", - "RTAsn1PrintableString_DecodeAsn1", - "RTAsn1PrintableString_Delete", - "RTAsn1PrintableString_Enum", - "RTAsn1PrintableString_Init", - "RTAsn1QueryObjIdName", - "RTAsn1SeqOfBitStrings_CheckSanity", - "RTAsn1SeqOfBitStrings_Clone", - "RTAsn1SeqOfBitStrings_Compare", - "RTAsn1SeqOfBitStrings_DecodeAsn1", - "RTAsn1SeqOfBitStrings_Delete", - "RTAsn1SeqOfBitStrings_Enum", - "RTAsn1SeqOfBitStrings_Erase", - "RTAsn1SeqOfBitStrings_Init", - "RTAsn1SeqOfBitStrings_InsertEx", - "RTAsn1SeqOfBooleans_CheckSanity", - "RTAsn1SeqOfBooleans_Clone", - "RTAsn1SeqOfBooleans_Compare", - "RTAsn1SeqOfBooleans_DecodeAsn1", - "RTAsn1SeqOfBooleans_Delete", - "RTAsn1SeqOfBooleans_Enum", - "RTAsn1SeqOfBooleans_Erase", - "RTAsn1SeqOfBooleans_Init", - "RTAsn1SeqOfBooleans_InsertEx", - "RTAsn1SeqOfCore_Clone", - "RTAsn1SeqOfCore_Init", - "RTAsn1SeqOfCores_CheckSanity", - "RTAsn1SeqOfCores_Clone", - "RTAsn1SeqOfCores_Compare", - "RTAsn1SeqOfCores_DecodeAsn1", - "RTAsn1SeqOfCores_Delete", - "RTAsn1SeqOfCores_Enum", - "RTAsn1SeqOfCores_Erase", - "RTAsn1SeqOfCores_Init", - "RTAsn1SeqOfCores_InsertEx", - "RTAsn1SeqOfIntegers_CheckSanity", 
- "RTAsn1SeqOfIntegers_Clone", - "RTAsn1SeqOfIntegers_Compare", - "RTAsn1SeqOfIntegers_DecodeAsn1", - "RTAsn1SeqOfIntegers_Delete", - "RTAsn1SeqOfIntegers_Enum", - "RTAsn1SeqOfIntegers_Erase", - "RTAsn1SeqOfIntegers_Init", - "RTAsn1SeqOfIntegers_InsertEx", - "RTAsn1SeqOfObjIds_CheckSanity", - "RTAsn1SeqOfObjIds_Clone", - "RTAsn1SeqOfObjIds_Compare", - "RTAsn1SeqOfObjIds_DecodeAsn1", - "RTAsn1SeqOfObjIds_Delete", - "RTAsn1SeqOfObjIds_Enum", - "RTAsn1SeqOfObjIds_Erase", - "RTAsn1SeqOfObjIds_Init", - "RTAsn1SeqOfObjIds_InsertEx", - "RTAsn1SeqOfOctetStrings_CheckSanity", - "RTAsn1SeqOfOctetStrings_Clone", - "RTAsn1SeqOfOctetStrings_Compare", - "RTAsn1SeqOfOctetStrings_DecodeAsn1", - "RTAsn1SeqOfOctetStrings_Delete", - "RTAsn1SeqOfOctetStrings_Enum", - "RTAsn1SeqOfOctetStrings_Erase", - "RTAsn1SeqOfOctetStrings_Init", - "RTAsn1SeqOfOctetStrings_InsertEx", - "RTAsn1SeqOfStrings_CheckSanity", - "RTAsn1SeqOfStrings_Clone", - "RTAsn1SeqOfStrings_Compare", - "RTAsn1SeqOfStrings_DecodeAsn1", - "RTAsn1SeqOfStrings_Delete", - "RTAsn1SeqOfStrings_Enum", - "RTAsn1SeqOfStrings_Erase", - "RTAsn1SeqOfStrings_Init", - "RTAsn1SeqOfStrings_InsertEx", - "RTAsn1SeqOfTimes_CheckSanity", - "RTAsn1SeqOfTimes_Clone", - "RTAsn1SeqOfTimes_Compare", - "RTAsn1SeqOfTimes_DecodeAsn1", - "RTAsn1SeqOfTimes_Delete", - "RTAsn1SeqOfTimes_Enum", - "RTAsn1SeqOfTimes_Erase", - "RTAsn1SeqOfTimes_Init", - "RTAsn1SeqOfTimes_InsertEx", - "RTAsn1SequenceCore_Clone", - "RTAsn1SequenceCore_Init", - "RTAsn1SetCore_Clone", - "RTAsn1SetCore_Init", - "RTAsn1SetOfBitStrings_CheckSanity", - "RTAsn1SetOfBitStrings_Clone", - "RTAsn1SetOfBitStrings_Compare", - "RTAsn1SetOfBitStrings_DecodeAsn1", - "RTAsn1SetOfBitStrings_Delete", - "RTAsn1SetOfBitStrings_Enum", - "RTAsn1SetOfBitStrings_Erase", - "RTAsn1SetOfBitStrings_Init", - "RTAsn1SetOfBitStrings_InsertEx", - "RTAsn1SetOfBooleans_CheckSanity", - "RTAsn1SetOfBooleans_Clone", - "RTAsn1SetOfBooleans_Compare", - "RTAsn1SetOfBooleans_DecodeAsn1", - 
"RTAsn1SetOfBooleans_Delete", - "RTAsn1SetOfBooleans_Enum", - "RTAsn1SetOfBooleans_Erase", - "RTAsn1SetOfBooleans_Init", - "RTAsn1SetOfBooleans_InsertEx", - "RTAsn1SetOfCore_Clone", - "RTAsn1SetOfCore_Init", - "RTAsn1SetOfCores_CheckSanity", - "RTAsn1SetOfCores_Clone", - "RTAsn1SetOfCores_Compare", - "RTAsn1SetOfCores_DecodeAsn1", - "RTAsn1SetOfCores_Delete", - "RTAsn1SetOfCores_Enum", - "RTAsn1SetOfCores_Erase", - "RTAsn1SetOfCores_Init", - "RTAsn1SetOfCores_InsertEx", - "RTAsn1SetOfIntegers_CheckSanity", - "RTAsn1SetOfIntegers_Clone", - "RTAsn1SetOfIntegers_Compare", - "RTAsn1SetOfIntegers_DecodeAsn1", - "RTAsn1SetOfIntegers_Delete", - "RTAsn1SetOfIntegers_Enum", - "RTAsn1SetOfIntegers_Erase", - "RTAsn1SetOfIntegers_Init", - "RTAsn1SetOfIntegers_InsertEx", - "RTAsn1SetOfObjIdSeqs_CheckSanity", - "RTAsn1SetOfObjIdSeqs_Clone", - "RTAsn1SetOfObjIdSeqs_Compare", - "RTAsn1SetOfObjIdSeqs_DecodeAsn1", - "RTAsn1SetOfObjIdSeqs_Delete", - "RTAsn1SetOfObjIdSeqs_Enum", - "RTAsn1SetOfObjIdSeqs_Erase", - "RTAsn1SetOfObjIdSeqs_Init", - "RTAsn1SetOfObjIdSeqs_InsertEx", - "RTAsn1SetOfObjIds_CheckSanity", - "RTAsn1SetOfObjIds_Clone", - "RTAsn1SetOfObjIds_Compare", - "RTAsn1SetOfObjIds_DecodeAsn1", - "RTAsn1SetOfObjIds_Delete", - "RTAsn1SetOfObjIds_Enum", - "RTAsn1SetOfObjIds_Erase", - "RTAsn1SetOfObjIds_Init", - "RTAsn1SetOfObjIds_InsertEx", - "RTAsn1SetOfOctetStrings_CheckSanity", - "RTAsn1SetOfOctetStrings_Clone", - "RTAsn1SetOfOctetStrings_Compare", - "RTAsn1SetOfOctetStrings_DecodeAsn1", - "RTAsn1SetOfOctetStrings_Delete", - "RTAsn1SetOfOctetStrings_Enum", - "RTAsn1SetOfOctetStrings_Erase", - "RTAsn1SetOfOctetStrings_Init", - "RTAsn1SetOfOctetStrings_InsertEx", - "RTAsn1SetOfStrings_CheckSanity", - "RTAsn1SetOfStrings_Clone", - "RTAsn1SetOfStrings_Compare", - "RTAsn1SetOfStrings_DecodeAsn1", - "RTAsn1SetOfStrings_Delete", - "RTAsn1SetOfStrings_Enum", - "RTAsn1SetOfStrings_Erase", - "RTAsn1SetOfStrings_Init", - "RTAsn1SetOfStrings_InsertEx", - "RTAsn1SetOfTimes_CheckSanity", - 
"RTAsn1SetOfTimes_Clone", - "RTAsn1SetOfTimes_Compare", - "RTAsn1SetOfTimes_DecodeAsn1", - "RTAsn1SetOfTimes_Delete", - "RTAsn1SetOfTimes_Enum", - "RTAsn1SetOfTimes_Erase", - "RTAsn1SetOfTimes_Init", - "RTAsn1SetOfTimes_InsertEx", - "RTAsn1String_CheckSanity", - "RTAsn1String_Clone", - "RTAsn1String_Compare", - "RTAsn1String_CompareEx", - "RTAsn1String_CompareValues", - "RTAsn1String_CompareWithString", - "RTAsn1String_DecodeAsn1", - "RTAsn1String_Delete", - "RTAsn1String_Enum", - "RTAsn1String_Init", - "RTAsn1String_InitEx", - "RTAsn1String_InitWithValue", - "RTAsn1String_QueryUtf8", - "RTAsn1String_QueryUtf8Len", - "RTAsn1String_RecodeAsUtf8", - "RTAsn1T61String_CheckSanity", - "RTAsn1T61String_Clone", - "RTAsn1T61String_Compare", - "RTAsn1T61String_DecodeAsn1", - "RTAsn1T61String_Delete", - "RTAsn1T61String_Enum", - "RTAsn1T61String_Init", - "RTAsn1Time_CheckSanity", - "RTAsn1Time_Clone", - "RTAsn1Time_Compare", - "RTAsn1Time_CompareWithTimeSpec", - "RTAsn1Time_DecodeAsn1", - "RTAsn1Time_Delete", - "RTAsn1Time_Enum", - "RTAsn1Time_Init", - "RTAsn1Time_InitEx", - "RTAsn1UniversalString_CheckSanity", - "RTAsn1UniversalString_Clone", - "RTAsn1UniversalString_Compare", - "RTAsn1UniversalString_DecodeAsn1", - "RTAsn1UniversalString_Delete", - "RTAsn1UniversalString_Enum", - "RTAsn1UniversalString_Init", - "RTAsn1UtcTime_CheckSanity", - "RTAsn1UtcTime_Clone", - "RTAsn1UtcTime_Compare", - "RTAsn1UtcTime_DecodeAsn1", - "RTAsn1UtcTime_Delete", - "RTAsn1UtcTime_Enum", - "RTAsn1UtcTime_Init", - "RTAsn1Utf8String_CheckSanity", - "RTAsn1Utf8String_Clone", - "RTAsn1Utf8String_Compare", - "RTAsn1Utf8String_DecodeAsn1", - "RTAsn1Utf8String_Delete", - "RTAsn1Utf8String_Enum", - "RTAsn1Utf8String_Init", - "RTAsn1VisibleString_CheckSanity", - "RTAsn1VisibleString_Clone", - "RTAsn1VisibleString_Compare", - "RTAsn1VisibleString_DecodeAsn1", - "RTAsn1VisibleString_Delete", - "RTAsn1VisibleString_Enum", - "RTAsn1VisibleString_Init", - "RTAsn1VtCheckSanity", - "RTAsn1VtClone", - 
"RTAsn1VtCompare", - "RTAsn1VtDeepEnum", - "RTAsn1VtDelete", - "RTAssertAreQuiet", - "RTAssertMayPanic", - "RTAssertMsg1", - "RTAssertMsg1Weak", - "RTAssertMsg2AddV", - "RTAssertMsg2V", - "RTAssertMsg2Weak", - "RTAssertMsg2WeakV", - "RTAssertSetMayPanic", - "RTAssertSetQuiet", - "RTAssertShouldPanic", - "RTAvlPVDestroy", - "RTAvlPVDoWithAll", - "RTAvlPVGet", - "RTAvlPVGetBestFit", - "RTAvlPVInsert", - "RTAvlPVRemove", - "RTAvlPVRemoveBestFit", - "RTBigNumAdd", - "RTBigNumAssign", - "RTBigNumBitWidth", - "RTBigNumByteWidth", - "RTBigNumClone", - "RTBigNumCompare", - "RTBigNumCompareWithS64", - "RTBigNumCompareWithU64", - "RTBigNumDestroy", - "RTBigNumDivide", - "RTBigNumDivideLong", - "RTBigNumExponentiate", - "RTBigNumInit", - "RTBigNumInitZero", - "RTBigNumModExp", - "RTBigNumModulo", - "RTBigNumMultiply", - "RTBigNumNegate", - "RTBigNumNegateThis", - "RTBigNumShiftLeft", - "RTBigNumShiftRight", - "RTBigNumSubtract", - "RTBigNumToBytesBigEndian", - "RTCrCertCtxRelease", - "RTCrCertCtxRetain", - "RTCrDigestClone", - "RTCrDigestCreate", - "RTCrDigestCreateByObjId", - "RTCrDigestCreateByObjIdString", - "RTCrDigestCreateByType", - "RTCrDigestFinal", - "RTCrDigestFindByObjId", - "RTCrDigestFindByObjIdString", - "RTCrDigestFindByType", - "RTCrDigestGetAlgorithmOid", - "RTCrDigestGetConsumedSize", - "RTCrDigestGetFlags", - "RTCrDigestGetHash", - "RTCrDigestGetHashSize", - "RTCrDigestGetType", - "RTCrDigestIsFinalized", - "RTCrDigestMatch", - "RTCrDigestRelease", - "RTCrDigestReset", - "RTCrDigestRetain", - "RTCrDigestTypeToAlgorithmOid", - "RTCrDigestTypeToHashSize", - "RTCrDigestTypeToName", - "RTCrDigestUpdate", - "RTCrKeyCreateFromPublicAlgorithmAndBits", - "RTCrKeyCreateFromSubjectPublicKeyInfo", - "RTCrKeyGetBitCount", - "RTCrKeyGetType", - "RTCrKeyHasPrivatePart", - "RTCrKeyHasPublicPart", - "RTCrKeyQueryRsaModulus", - "RTCrKeyQueryRsaPrivateExponent", - "RTCrKeyRelease", - "RTCrKeyRetain", - "RTCrPkcs7Attribute_CheckSanity", - "RTCrPkcs7Attribute_Clone", - 
"RTCrPkcs7Attribute_Compare", - "RTCrPkcs7Attribute_DecodeAsn1", - "RTCrPkcs7Attribute_Delete", - "RTCrPkcs7Attribute_Enum", - "RTCrPkcs7Attribute_Init", - "RTCrPkcs7Attributes_CheckSanity", - "RTCrPkcs7Attributes_Clone", - "RTCrPkcs7Attributes_Compare", - "RTCrPkcs7Attributes_DecodeAsn1", - "RTCrPkcs7Attributes_Delete", - "RTCrPkcs7Attributes_Enum", - "RTCrPkcs7Attributes_Erase", - "RTCrPkcs7Attributes_Init", - "RTCrPkcs7Attributes_InsertEx", - "RTCrPkcs7Cert_CheckSanity", - "RTCrPkcs7Cert_Clone", - "RTCrPkcs7Cert_Compare", - "RTCrPkcs7Cert_DecodeAsn1", - "RTCrPkcs7Cert_Delete", - "RTCrPkcs7Cert_Enum", - "RTCrPkcs7Cert_Init", - "RTCrPkcs7ContentInfo_CheckSanity", - "RTCrPkcs7ContentInfo_Clone", - "RTCrPkcs7ContentInfo_Compare", - "RTCrPkcs7ContentInfo_DecodeAsn1", - "RTCrPkcs7ContentInfo_Delete", - "RTCrPkcs7ContentInfo_Enum", - "RTCrPkcs7ContentInfo_Init", - "RTCrPkcs7ContentInfo_IsSignedData", - "RTCrPkcs7DigestInfo_CheckSanity", - "RTCrPkcs7DigestInfo_Clone", - "RTCrPkcs7DigestInfo_Compare", - "RTCrPkcs7DigestInfo_DecodeAsn1", - "RTCrPkcs7DigestInfo_Delete", - "RTCrPkcs7DigestInfo_Enum", - "RTCrPkcs7DigestInfo_Init", - "RTCrPkcs7IssuerAndSerialNumber_CheckSanity", - "RTCrPkcs7IssuerAndSerialNumber_Clone", - "RTCrPkcs7IssuerAndSerialNumber_Compare", - "RTCrPkcs7IssuerAndSerialNumber_DecodeAsn1", - "RTCrPkcs7IssuerAndSerialNumber_Delete", - "RTCrPkcs7IssuerAndSerialNumber_Enum", - "RTCrPkcs7IssuerAndSerialNumber_Init", - "RTCrPkcs7SetOfCerts_CheckSanity", - "RTCrPkcs7SetOfCerts_Clone", - "RTCrPkcs7SetOfCerts_Compare", - "RTCrPkcs7SetOfCerts_DecodeAsn1", - "RTCrPkcs7SetOfCerts_Delete", - "RTCrPkcs7SetOfCerts_Enum", - "RTCrPkcs7SetOfCerts_Erase", - "RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber", - "RTCrPkcs7SetOfCerts_Init", - "RTCrPkcs7SetOfCerts_InsertEx", - "RTCrPkcs7SetOfContentInfos_CheckSanity", - "RTCrPkcs7SetOfContentInfos_Clone", - "RTCrPkcs7SetOfContentInfos_Compare", - "RTCrPkcs7SetOfContentInfos_DecodeAsn1", - "RTCrPkcs7SetOfContentInfos_Delete", 
- "RTCrPkcs7SetOfContentInfos_Enum", - "RTCrPkcs7SetOfContentInfos_Erase", - "RTCrPkcs7SetOfContentInfos_Init", - "RTCrPkcs7SetOfContentInfos_InsertEx", - "RTCrPkcs7SetOfSignedData_CheckSanity", - "RTCrPkcs7SetOfSignedData_Clone", - "RTCrPkcs7SetOfSignedData_Compare", - "RTCrPkcs7SetOfSignedData_DecodeAsn1", - "RTCrPkcs7SetOfSignedData_Delete", - "RTCrPkcs7SetOfSignedData_Enum", - "RTCrPkcs7SetOfSignedData_Erase", - "RTCrPkcs7SetOfSignedData_Init", - "RTCrPkcs7SetOfSignedData_InsertEx", - "RTCrPkcs7SignedData_CheckSanity", - "RTCrPkcs7SignedData_Clone", - "RTCrPkcs7SignedData_Compare", - "RTCrPkcs7SignedData_DecodeAsn1", - "RTCrPkcs7SignedData_Delete", - "RTCrPkcs7SignedData_Enum", - "RTCrPkcs7SignedData_Init", - "RTCrPkcs7SignerInfo_CheckSanity", - "RTCrPkcs7SignerInfo_Clone", - "RTCrPkcs7SignerInfo_Compare", - "RTCrPkcs7SignerInfo_DecodeAsn1", - "RTCrPkcs7SignerInfo_Delete", - "RTCrPkcs7SignerInfo_Enum", - "RTCrPkcs7SignerInfo_GetMsTimestamp", - "RTCrPkcs7SignerInfo_GetSigningTime", - "RTCrPkcs7SignerInfo_Init", - "RTCrPkcs7SignerInfos_CheckSanity", - "RTCrPkcs7SignerInfos_Clone", - "RTCrPkcs7SignerInfos_Compare", - "RTCrPkcs7SignerInfos_DecodeAsn1", - "RTCrPkcs7SignerInfos_Delete", - "RTCrPkcs7SignerInfos_Enum", - "RTCrPkcs7SignerInfos_Erase", - "RTCrPkcs7SignerInfos_Init", - "RTCrPkcs7SignerInfos_InsertEx", - "RTCrPkcs7VerifyCertCallbackCodeSigning", - "RTCrPkcs7VerifyCertCallbackDefault", - "RTCrPkcs7VerifySignedData", - "RTCrPkcs7VerifySignedDataWithExternalData", - "RTCrPkixGetCiperOidFromSignatureAlgorithm", - "RTCrPkixPubKeyVerifySignature", - "RTCrPkixPubKeyVerifySignedDigest", - "RTCrPkixPubKeyVerifySignedDigestByCertPubKeyInfo", - "RTCrPkixSignatureCreate", - "RTCrPkixSignatureCreateByObjId", - "RTCrPkixSignatureCreateByObjIdString", - "RTCrPkixSignatureRelease", - "RTCrPkixSignatureRetain", - "RTCrPkixSignatureSign", - "RTCrPkixSignatureVerify", - "RTCrPkixSignatureVerifyBitString", - "RTCrPkixSignatureVerifyOctetString", - 
"RTCrRsaDigestInfo_CheckSanity", - "RTCrRsaDigestInfo_Clone", - "RTCrRsaDigestInfo_Compare", - "RTCrRsaDigestInfo_DecodeAsn1", - "RTCrRsaDigestInfo_Delete", - "RTCrRsaDigestInfo_Enum", - "RTCrRsaDigestInfo_Init", - "RTCrRsaOtherPrimeInfo_CheckSanity", - "RTCrRsaOtherPrimeInfo_Clone", - "RTCrRsaOtherPrimeInfo_Compare", - "RTCrRsaOtherPrimeInfo_DecodeAsn1", - "RTCrRsaOtherPrimeInfo_Delete", - "RTCrRsaOtherPrimeInfo_Enum", - "RTCrRsaOtherPrimeInfo_Init", - "RTCrRsaOtherPrimeInfos_CheckSanity", - "RTCrRsaOtherPrimeInfos_Clone", - "RTCrRsaOtherPrimeInfos_Compare", - "RTCrRsaOtherPrimeInfos_DecodeAsn1", - "RTCrRsaOtherPrimeInfos_Delete", - "RTCrRsaOtherPrimeInfos_Enum", - "RTCrRsaOtherPrimeInfos_Erase", - "RTCrRsaOtherPrimeInfos_Init", - "RTCrRsaOtherPrimeInfos_InsertEx", - "RTCrRsaPrivateKey_CheckSanity", - "RTCrRsaPrivateKey_Clone", - "RTCrRsaPrivateKey_Compare", - "RTCrRsaPrivateKey_DecodeAsn1", - "RTCrRsaPrivateKey_Delete", - "RTCrRsaPrivateKey_Enum", - "RTCrRsaPrivateKey_Init", - "RTCrRsaPublicKey_CheckSanity", - "RTCrRsaPublicKey_Clone", - "RTCrRsaPublicKey_Compare", - "RTCrRsaPublicKey_DecodeAsn1", - "RTCrRsaPublicKey_Delete", - "RTCrRsaPublicKey_Enum", - "RTCrRsaPublicKey_Init", - "RTCrSpcAttributeTypeAndOptionalValue_CheckSanity", - "RTCrSpcAttributeTypeAndOptionalValue_Clone", - "RTCrSpcAttributeTypeAndOptionalValue_Compare", - "RTCrSpcAttributeTypeAndOptionalValue_DecodeAsn1", - "RTCrSpcAttributeTypeAndOptionalValue_Delete", - "RTCrSpcAttributeTypeAndOptionalValue_Enum", - "RTCrSpcAttributeTypeAndOptionalValue_Init", - "RTCrSpcIndirectDataContent_CheckSanity", - "RTCrSpcIndirectDataContent_CheckSanityEx", - "RTCrSpcIndirectDataContent_Clone", - "RTCrSpcIndirectDataContent_Compare", - "RTCrSpcIndirectDataContent_DecodeAsn1", - "RTCrSpcIndirectDataContent_Delete", - "RTCrSpcIndirectDataContent_Enum", - "RTCrSpcIndirectDataContent_GetPeImageObjAttrib", - "RTCrSpcIndirectDataContent_Init", - "RTCrSpcLink_CheckSanity", - "RTCrSpcLink_Clone", - 
"RTCrSpcLink_Compare", - "RTCrSpcLink_DecodeAsn1", - "RTCrSpcLink_Delete", - "RTCrSpcLink_Enum", - "RTCrSpcLink_Init", - "RTCrSpcPeImageData_CheckSanity", - "RTCrSpcPeImageData_Clone", - "RTCrSpcPeImageData_Compare", - "RTCrSpcPeImageData_DecodeAsn1", - "RTCrSpcPeImageData_Delete", - "RTCrSpcPeImageData_Enum", - "RTCrSpcPeImageData_Init", - "RTCrSpcSerializedObjectAttribute_CheckSanity", - "RTCrSpcSerializedObjectAttribute_Clone", - "RTCrSpcSerializedObjectAttribute_Compare", - "RTCrSpcSerializedObjectAttribute_DecodeAsn1", - "RTCrSpcSerializedObjectAttribute_Delete", - "RTCrSpcSerializedObjectAttribute_Enum", - "RTCrSpcSerializedObjectAttribute_Init", - "RTCrSpcSerializedObjectAttributes_CheckSanity", - "RTCrSpcSerializedObjectAttributes_Clone", - "RTCrSpcSerializedObjectAttributes_Compare", - "RTCrSpcSerializedObjectAttributes_DecodeAsn1", - "RTCrSpcSerializedObjectAttributes_Delete", - "RTCrSpcSerializedObjectAttributes_Enum", - "RTCrSpcSerializedObjectAttributes_Erase", - "RTCrSpcSerializedObjectAttributes_Init", - "RTCrSpcSerializedObjectAttributes_InsertEx", - "RTCrSpcSerializedObject_CheckSanity", - "RTCrSpcSerializedObject_Clone", - "RTCrSpcSerializedObject_Compare", - "RTCrSpcSerializedObject_DecodeAsn1", - "RTCrSpcSerializedObject_Delete", - "RTCrSpcSerializedObject_Enum", - "RTCrSpcSerializedObject_Init", - "RTCrSpcSerializedPageHashes_CheckSanity", - "RTCrSpcSerializedPageHashes_Clone", - "RTCrSpcSerializedPageHashes_Compare", - "RTCrSpcSerializedPageHashes_DecodeAsn1", - "RTCrSpcSerializedPageHashes_Delete", - "RTCrSpcSerializedPageHashes_Enum", - "RTCrSpcSerializedPageHashes_Init", - "RTCrSpcSerializedPageHashes_UpdateDerivedData", - "RTCrSpcString_CheckSanity", - "RTCrSpcString_Clone", - "RTCrSpcString_Compare", - "RTCrSpcString_DecodeAsn1", - "RTCrSpcString_Delete", - "RTCrSpcString_Enum", - "RTCrSpcString_Init", - "RTCrStoreCertAddEncoded", - "RTCrStoreCertByIssuerAndSerialNo", - "RTCrStoreCertCount", - "RTCrStoreCertFindAll", - 
"RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280", - "RTCrStoreCertSearchDestroy", - "RTCrStoreCertSearchNext", - "RTCrStoreCreateInMem", - "RTCrStoreRelease", - "RTCrStoreRetain", - "RTCrTafCertPathControls_CheckSanity", - "RTCrTafCertPathControls_Clone", - "RTCrTafCertPathControls_Compare", - "RTCrTafCertPathControls_DecodeAsn1", - "RTCrTafCertPathControls_Delete", - "RTCrTafCertPathControls_Enum", - "RTCrTafCertPathControls_Init", - "RTCrTafTrustAnchorChoice_CheckSanity", - "RTCrTafTrustAnchorChoice_Clone", - "RTCrTafTrustAnchorChoice_Compare", - "RTCrTafTrustAnchorChoice_DecodeAsn1", - "RTCrTafTrustAnchorChoice_Delete", - "RTCrTafTrustAnchorChoice_Enum", - "RTCrTafTrustAnchorChoice_Init", - "RTCrTafTrustAnchorInfo_CheckSanity", - "RTCrTafTrustAnchorInfo_Clone", - "RTCrTafTrustAnchorInfo_Compare", - "RTCrTafTrustAnchorInfo_DecodeAsn1", - "RTCrTafTrustAnchorInfo_Delete", - "RTCrTafTrustAnchorInfo_Enum", - "RTCrTafTrustAnchorInfo_Init", - "RTCrTafTrustAnchorList_CheckSanity", - "RTCrTafTrustAnchorList_Clone", - "RTCrTafTrustAnchorList_Compare", - "RTCrTafTrustAnchorList_DecodeAsn1", - "RTCrTafTrustAnchorList_Delete", - "RTCrTafTrustAnchorList_Enum", - "RTCrTafTrustAnchorList_Erase", - "RTCrTafTrustAnchorList_Init", - "RTCrTafTrustAnchorList_InsertEx", - "RTCrTspAccuracy_CheckSanity", - "RTCrTspAccuracy_Clone", - "RTCrTspAccuracy_Compare", - "RTCrTspAccuracy_DecodeAsn1", - "RTCrTspAccuracy_Delete", - "RTCrTspAccuracy_Enum", - "RTCrTspAccuracy_Init", - "RTCrTspMessageImprint_CheckSanity", - "RTCrTspMessageImprint_Clone", - "RTCrTspMessageImprint_Compare", - "RTCrTspMessageImprint_DecodeAsn1", - "RTCrTspMessageImprint_Delete", - "RTCrTspMessageImprint_Enum", - "RTCrTspMessageImprint_Init", - "RTCrTspTstInfo_CheckSanity", - "RTCrTspTstInfo_Clone", - "RTCrTspTstInfo_Compare", - "RTCrTspTstInfo_DecodeAsn1", - "RTCrTspTstInfo_Delete", - "RTCrTspTstInfo_Enum", - "RTCrTspTstInfo_Init", - "RTCrX509AlgorithmIdentifier_CheckSanity", - "RTCrX509AlgorithmIdentifier_Clone", - 
"RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest", - "RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid", - "RTCrX509AlgorithmIdentifier_Compare", - "RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest", - "RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid", - "RTCrX509AlgorithmIdentifier_CompareWithString", - "RTCrX509AlgorithmIdentifier_DecodeAsn1", - "RTCrX509AlgorithmIdentifier_Delete", - "RTCrX509AlgorithmIdentifier_Enum", - "RTCrX509AlgorithmIdentifier_Init", - "RTCrX509AlgorithmIdentifier_QueryDigestSize", - "RTCrX509AlgorithmIdentifier_QueryDigestType", - "RTCrX509AlgorithmIdentifiers_CheckSanity", - "RTCrX509AlgorithmIdentifiers_Clone", - "RTCrX509AlgorithmIdentifiers_Compare", - "RTCrX509AlgorithmIdentifiers_DecodeAsn1", - "RTCrX509AlgorithmIdentifiers_Delete", - "RTCrX509AlgorithmIdentifiers_Enum", - "RTCrX509AlgorithmIdentifiers_Erase", - "RTCrX509AlgorithmIdentifiers_Init", - "RTCrX509AlgorithmIdentifiers_InsertEx", - "RTCrX509AttributeTypeAndValue_CheckSanity", - "RTCrX509AttributeTypeAndValue_Clone", - "RTCrX509AttributeTypeAndValue_Compare", - "RTCrX509AttributeTypeAndValue_DecodeAsn1", - "RTCrX509AttributeTypeAndValue_Delete", - "RTCrX509AttributeTypeAndValue_Enum", - "RTCrX509AttributeTypeAndValue_Init", - "RTCrX509AttributeTypeAndValues_CheckSanity", - "RTCrX509AttributeTypeAndValues_Clone", - "RTCrX509AttributeTypeAndValues_Compare", - "RTCrX509AttributeTypeAndValues_DecodeAsn1", - "RTCrX509AttributeTypeAndValues_Delete", - "RTCrX509AttributeTypeAndValues_Enum", - "RTCrX509AttributeTypeAndValues_Erase", - "RTCrX509AttributeTypeAndValues_Init", - "RTCrX509AttributeTypeAndValues_InsertEx", - "RTCrX509AuthorityKeyIdentifier_CheckSanity", - "RTCrX509AuthorityKeyIdentifier_Clone", - "RTCrX509AuthorityKeyIdentifier_Compare", - "RTCrX509AuthorityKeyIdentifier_DecodeAsn1", - "RTCrX509AuthorityKeyIdentifier_Delete", - "RTCrX509AuthorityKeyIdentifier_Enum", - "RTCrX509AuthorityKeyIdentifier_Init", - 
"RTCrX509BasicConstraints_CheckSanity", - "RTCrX509BasicConstraints_Clone", - "RTCrX509BasicConstraints_Compare", - "RTCrX509BasicConstraints_DecodeAsn1", - "RTCrX509BasicConstraints_Delete", - "RTCrX509BasicConstraints_Enum", - "RTCrX509BasicConstraints_Init", - "RTCrX509CertPathsBuild", - "RTCrX509CertPathsCreate", - "RTCrX509CertPathsCreateEx", - "RTCrX509CertPathsDumpAll", - "RTCrX509CertPathsDumpOne", - "RTCrX509CertPathsGetPathCount", - "RTCrX509CertPathsGetPathLength", - "RTCrX509CertPathsGetPathNodeCert", - "RTCrX509CertPathsGetPathVerifyResult", - "RTCrX509CertPathsQueryPathInfo", - "RTCrX509CertPathsRelease", - "RTCrX509CertPathsRetain", - "RTCrX509CertPathsSetTrustedStore", - "RTCrX509CertPathsSetUntrustedArray", - "RTCrX509CertPathsSetUntrustedSet", - "RTCrX509CertPathsSetUntrustedStore", - "RTCrX509CertPathsSetValidTime", - "RTCrX509CertPathsSetValidTimeSpec", - "RTCrX509CertPathsValidateAll", - "RTCrX509CertPathsValidateOne", - "RTCrX509CertificatePolicies_CheckSanity", - "RTCrX509CertificatePolicies_Clone", - "RTCrX509CertificatePolicies_Compare", - "RTCrX509CertificatePolicies_DecodeAsn1", - "RTCrX509CertificatePolicies_Delete", - "RTCrX509CertificatePolicies_Enum", - "RTCrX509CertificatePolicies_Erase", - "RTCrX509CertificatePolicies_Init", - "RTCrX509CertificatePolicies_InsertEx", - "RTCrX509Certificate_CheckSanity", - "RTCrX509Certificate_Clone", - "RTCrX509Certificate_Compare", - "RTCrX509Certificate_DecodeAsn1", - "RTCrX509Certificate_Delete", - "RTCrX509Certificate_Enum", - "RTCrX509Certificate_Init", - "RTCrX509Certificate_IsSelfSigned", - "RTCrX509Certificate_MatchIssuerAndSerialNumber", - "RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280", - "RTCrX509Certificate_VerifySignature", - "RTCrX509Certificate_VerifySignatureSelfSigned", - "RTCrX509Certificates_CheckSanity", - "RTCrX509Certificates_Clone", - "RTCrX509Certificates_Compare", - "RTCrX509Certificates_DecodeAsn1", - "RTCrX509Certificates_Delete", - "RTCrX509Certificates_Enum", - 
"RTCrX509Certificates_Erase", - "RTCrX509Certificates_FindByIssuerAndSerialNumber", - "RTCrX509Certificates_Init", - "RTCrX509Certificates_InsertEx", - "RTCrX509Extension_CheckSanity", - "RTCrX509Extension_Clone", - "RTCrX509Extension_Compare", - "RTCrX509Extension_DecodeAsn1", - "RTCrX509Extension_Delete", - "RTCrX509Extension_Enum", - "RTCrX509Extension_ExtnValue_DecodeAsn1", - "RTCrX509Extension_Init", - "RTCrX509Extensions_CheckSanity", - "RTCrX509Extensions_Clone", - "RTCrX509Extensions_Compare", - "RTCrX509Extensions_DecodeAsn1", - "RTCrX509Extensions_Delete", - "RTCrX509Extensions_Enum", - "RTCrX509Extensions_Erase", - "RTCrX509Extensions_Init", - "RTCrX509Extensions_InsertEx", - "RTCrX509GeneralName_CheckSanity", - "RTCrX509GeneralName_Clone", - "RTCrX509GeneralName_Compare", - "RTCrX509GeneralName_ConstraintMatch", - "RTCrX509GeneralName_DecodeAsn1", - "RTCrX509GeneralName_Delete", - "RTCrX509GeneralName_Enum", - "RTCrX509GeneralName_Init", - "RTCrX509GeneralNames_CheckSanity", - "RTCrX509GeneralNames_Clone", - "RTCrX509GeneralNames_Compare", - "RTCrX509GeneralNames_DecodeAsn1", - "RTCrX509GeneralNames_Delete", - "RTCrX509GeneralNames_Enum", - "RTCrX509GeneralNames_Erase", - "RTCrX509GeneralNames_Init", - "RTCrX509GeneralNames_InsertEx", - "RTCrX509GeneralSubtree_CheckSanity", - "RTCrX509GeneralSubtree_Clone", - "RTCrX509GeneralSubtree_Compare", - "RTCrX509GeneralSubtree_ConstraintMatch", - "RTCrX509GeneralSubtree_DecodeAsn1", - "RTCrX509GeneralSubtree_Delete", - "RTCrX509GeneralSubtree_Enum", - "RTCrX509GeneralSubtree_Init", - "RTCrX509GeneralSubtrees_CheckSanity", - "RTCrX509GeneralSubtrees_Clone", - "RTCrX509GeneralSubtrees_Compare", - "RTCrX509GeneralSubtrees_DecodeAsn1", - "RTCrX509GeneralSubtrees_Delete", - "RTCrX509GeneralSubtrees_Enum", - "RTCrX509GeneralSubtrees_Erase", - "RTCrX509GeneralSubtrees_Init", - "RTCrX509GeneralSubtrees_InsertEx", - "RTCrX509NameConstraints_CheckSanity", - "RTCrX509NameConstraints_Clone", - 
"RTCrX509NameConstraints_Compare", - "RTCrX509NameConstraints_DecodeAsn1", - "RTCrX509NameConstraints_Delete", - "RTCrX509NameConstraints_Enum", - "RTCrX509NameConstraints_Init", - "RTCrX509Name_CheckSanity", - "RTCrX509Name_Clone", - "RTCrX509Name_Compare", - "RTCrX509Name_ConstraintMatch", - "RTCrX509Name_DecodeAsn1", - "RTCrX509Name_Delete", - "RTCrX509Name_Enum", - "RTCrX509Name_Erase", - "RTCrX509Name_FormatAsString", - "RTCrX509Name_GetShortRdn", - "RTCrX509Name_Init", - "RTCrX509Name_InsertEx", - "RTCrX509Name_MatchByRfc5280", - "RTCrX509Name_MatchWithString", - "RTCrX509Name_RecodeAsUtf8", - "RTCrX509OldAuthorityKeyIdentifier_CheckSanity", - "RTCrX509OldAuthorityKeyIdentifier_Clone", - "RTCrX509OldAuthorityKeyIdentifier_Compare", - "RTCrX509OldAuthorityKeyIdentifier_DecodeAsn1", - "RTCrX509OldAuthorityKeyIdentifier_Delete", - "RTCrX509OldAuthorityKeyIdentifier_Enum", - "RTCrX509OldAuthorityKeyIdentifier_Init", - "RTCrX509OtherName_CheckSanity", - "RTCrX509OtherName_Clone", - "RTCrX509OtherName_Compare", - "RTCrX509OtherName_DecodeAsn1", - "RTCrX509OtherName_Delete", - "RTCrX509OtherName_Enum", - "RTCrX509OtherName_Init", - "RTCrX509PolicyConstraints_CheckSanity", - "RTCrX509PolicyConstraints_Clone", - "RTCrX509PolicyConstraints_Compare", - "RTCrX509PolicyConstraints_DecodeAsn1", - "RTCrX509PolicyConstraints_Delete", - "RTCrX509PolicyConstraints_Enum", - "RTCrX509PolicyConstraints_Init", - "RTCrX509PolicyInformation_CheckSanity", - "RTCrX509PolicyInformation_Clone", - "RTCrX509PolicyInformation_Compare", - "RTCrX509PolicyInformation_DecodeAsn1", - "RTCrX509PolicyInformation_Delete", - "RTCrX509PolicyInformation_Enum", - "RTCrX509PolicyInformation_Init", - "RTCrX509PolicyMapping_CheckSanity", - "RTCrX509PolicyMapping_Clone", - "RTCrX509PolicyMapping_Compare", - "RTCrX509PolicyMapping_DecodeAsn1", - "RTCrX509PolicyMapping_Delete", - "RTCrX509PolicyMapping_Enum", - "RTCrX509PolicyMapping_Init", - "RTCrX509PolicyMappings_CheckSanity", - 
"RTCrX509PolicyMappings_Clone", - "RTCrX509PolicyMappings_Compare", - "RTCrX509PolicyMappings_DecodeAsn1", - "RTCrX509PolicyMappings_Delete", - "RTCrX509PolicyMappings_Enum", - "RTCrX509PolicyMappings_Erase", - "RTCrX509PolicyMappings_Init", - "RTCrX509PolicyMappings_InsertEx", - "RTCrX509PolicyQualifierInfo_CheckSanity", - "RTCrX509PolicyQualifierInfo_Clone", - "RTCrX509PolicyQualifierInfo_Compare", - "RTCrX509PolicyQualifierInfo_DecodeAsn1", - "RTCrX509PolicyQualifierInfo_Delete", - "RTCrX509PolicyQualifierInfo_Enum", - "RTCrX509PolicyQualifierInfo_Init", - "RTCrX509PolicyQualifierInfos_CheckSanity", - "RTCrX509PolicyQualifierInfos_Clone", - "RTCrX509PolicyQualifierInfos_Compare", - "RTCrX509PolicyQualifierInfos_DecodeAsn1", - "RTCrX509PolicyQualifierInfos_Delete", - "RTCrX509PolicyQualifierInfos_Enum", - "RTCrX509PolicyQualifierInfos_Erase", - "RTCrX509PolicyQualifierInfos_Init", - "RTCrX509PolicyQualifierInfos_InsertEx", - "RTCrX509SubjectPublicKeyInfo_CheckSanity", - "RTCrX509SubjectPublicKeyInfo_Clone", - "RTCrX509SubjectPublicKeyInfo_Compare", - "RTCrX509SubjectPublicKeyInfo_DecodeAsn1", - "RTCrX509SubjectPublicKeyInfo_Delete", - "RTCrX509SubjectPublicKeyInfo_Enum", - "RTCrX509SubjectPublicKeyInfo_Init", - "RTCrX509TbsCertificate_CheckSanity", - "RTCrX509TbsCertificate_Clone", - "RTCrX509TbsCertificate_Compare", - "RTCrX509TbsCertificate_DecodeAsn1", - "RTCrX509TbsCertificate_Delete", - "RTCrX509TbsCertificate_Enum", - "RTCrX509TbsCertificate_Init", - "RTCrX509TbsCertificate_ReprocessExtensions", - "RTCrX509Validity_CheckSanity", - "RTCrX509Validity_Clone", - "RTCrX509Validity_Compare", - "RTCrX509Validity_DecodeAsn1", - "RTCrX509Validity_Delete", - "RTCrX509Validity_Enum", - "RTCrX509Validity_Init", - "RTCrX509Validity_IsValidAtTimeSpec", - "RTCrc32", - "RTCrc32Finish", - "RTCrc32Process", - "RTCrc32Start", - "RTErrConvertFromErrno", - "RTErrConvertFromNtStatus", - "RTErrConvertToErrno", - "RTErrInfoAdd", - "RTErrInfoAddF", - "RTErrInfoAddV", - 
"RTErrInfoLogAndAdd", - "RTErrInfoLogAndAddF", - "RTErrInfoLogAndAddV", - "RTErrInfoLogAndSet", - "RTErrInfoLogAndSetF", - "RTErrInfoLogAndSetV", - "RTErrInfoSet", - "RTErrInfoSetF", - "RTErrInfoSetV", - "RTErrVarsAreEqual", - "RTErrVarsHaveChanged", - "RTErrVarsRestore", - "RTErrVarsSave", - "RTHandleTableAllocWithCtx", - "RTHandleTableCreate", - "RTHandleTableCreateEx", - "RTHandleTableDestroy", - "RTHandleTableFreeWithCtx", - "RTHandleTableLookupWithCtx", - "RTLatin1CalcUtf8Len", - "RTLatin1CalcUtf8LenEx", - "RTLatin1ToUtf8ExTag", - "RTLatin1ToUtf8Tag", - "RTLdrArchName", - "RTLdrClose", - "RTLdrEnumDbgInfo", - "RTLdrEnumSegments", - "RTLdrEnumSymbols", - "RTLdrGetArch", - "RTLdrGetBits", - "RTLdrGetEndian", - "RTLdrGetFormat", - "RTLdrGetFunction", - "RTLdrGetHostArch", - "RTLdrGetSymbol", - "RTLdrGetSymbolEx", - "RTLdrGetType", - "RTLdrHashImage", - "RTLdrLinkAddressToRva", - "RTLdrLinkAddressToSegOffset", - "RTLdrOpenWithReader", - "RTLdrQueryForwarderInfo", - "RTLdrQueryProp", - "RTLdrQueryPropEx", - "RTLdrRelocate", - "RTLdrRvaToSegOffset", - "RTLdrSegOffsetToRva", - "RTLdrSize", - "RTLdrUnwindFrame", - "RTLdrVerifySignature", - "RTLogClearFileDelayFlag", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDefaultInstanceEx", - "RTLogDestinations", - "RTLogDestroy", - "RTLogDumpPrintfV", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGetDefaultInstanceEx", - "RTLogGetDestinations", - "RTLogGetFlags", - "RTLogGetGroupSettings", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelGetDefaultInstance", - "RTLogRelGetDefaultInstanceEx", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetBuffering", - "RTLogRelSetDefaultInstance", - "RTLogSetBuffering", - 
"RTLogSetCustomPrefixCallback", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMd2", - "RTMd2Final", - "RTMd2Init", - "RTMd2Update", - "RTMd5", - "RTMd5Final", - "RTMd5FromString", - "RTMd5Init", - "RTMd5ToString", - "RTMd5Update", - "RTMemAllocExTag", - "RTMemAllocTag", - "RTMemAllocVarTag", - "RTMemAllocZTag", - "RTMemAllocZVarTag", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDupExTag", - "RTMemDupTag", - "RTMemExecAllocTag", - "RTMemExecFree", - "RTMemFree", - "RTMemFreeEx", - "RTMemFreeZ", - "RTMemReallocTag", - "RTMemReallocZTag", - "RTMemSaferAllocZExTag", - "RTMemSaferAllocZTag", - "RTMemSaferFree", - "RTMemSaferReallocZExTag", - "RTMemSaferReallocZTag", - "RTMemSaferScramble", - "RTMemSaferUnscramble", - "RTMemTmpAllocTag", - "RTMemTmpAllocZTag", - "RTMemTmpFree", - "RTMemTmpFreeZ", - "RTMemWipeThoroughly", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpCurSetIndex", - "RTMpCurSetIndexAndId", - "RTMpGetArraySize", - "RTMpGetCount", - "RTMpGetCpuGroupCounts", - "RTMpGetMaxCpuGroupCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCoreCount", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetPresentCoreCount", - "RTMpGetPresentCount", - "RTMpGetPresentSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuPresent", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnAllIsConcurrentSafe", - "RTMpOnOthers", - "RTMpOnPair", - "RTMpOnPairIsConcurrentExecSupported", - "RTMpOnSpecific", - "RTMpPokeCpu", - "RTMpSetIndexFromCpuGroupMember", - "RTNetIPv4AddDataChecksum", - "RTNetIPv4AddTCPChecksum", - "RTNetIPv4AddUDPChecksum", - "RTNetIPv4FinalizeChecksum", - "RTNetIPv4HdrChecksum", - "RTNetIPv4IsDHCPValid", - "RTNetIPv4IsHdrValid", - "RTNetIPv4IsTCPSizeValid", - "RTNetIPv4IsTCPValid", - "RTNetIPv4IsUDPSizeValid", - 
"RTNetIPv4IsUDPValid", - "RTNetIPv4PseudoChecksum", - "RTNetIPv4PseudoChecksumBits", - "RTNetIPv4TCPChecksum", - "RTNetIPv4UDPChecksum", - "RTNetIPv6PseudoChecksum", - "RTNetIPv6PseudoChecksumBits", - "RTNetIPv6PseudoChecksumEx", - "RTNetTCPChecksum", - "RTNetUDPChecksum", - "RTNtPathExpand8dot3Path", - "RTNtPathExpand8dot3PathA", - "RTNtPathFindPossible8dot3Name", - "RTOnceReset", - "RTOnceSlow", - "RTPathChangeToUnixSlashes", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0AssertPanicSystem", - "RTR0DbgKrnlInfoGetSymbol", - "RTR0DbgKrnlInfoOpen", - "RTR0DbgKrnlInfoQueryMember", - "RTR0DbgKrnlInfoQuerySize", - "RTR0DbgKrnlInfoQuerySymbol", - "RTR0DbgKrnlInfoRelease", - "RTR0DbgKrnlInfoRetain", - "RTR0Init", - "RTR0MemAreKrnlAndUsrDifferent", - "RTR0MemKernelCopyFrom", - "RTR0MemKernelCopyTo", - "RTR0MemKernelIsValidAddr", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocContTag", - "RTR0MemObjAllocLowTag", - "RTR0MemObjAllocPageTag", - "RTR0MemObjAllocPhysExTag", - "RTR0MemObjAllocPhysNCTag", - "RTR0MemObjAllocPhysTag", - "RTR0MemObjEnterPhysTag", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernelTag", - "RTR0MemObjLockUserTag", - "RTR0MemObjMapKernelExTag", - "RTR0MemObjMapKernelTag", - "RTR0MemObjMapUserExTag", - "RTR0MemObjMapUserTag", - "RTR0MemObjProtect", - "RTR0MemObjReserveKernelTag", - "RTR0MemObjReserveUserTag", - "RTR0MemObjSize", - "RTR0MemUserCopyFrom", - "RTR0MemUserCopyTo", - "RTR0MemUserIsValidAddr", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTR0TermForced", - "RTRandAdvBytes", - "RTRandAdvCreateParkMiller", - "RTRandAdvCreateSystemFaster", - "RTRandAdvDestroy", - "RTRandAdvRestoreState", - "RTRandAdvS32", - "RTRandAdvS32Ex", - "RTRandAdvS64", - "RTRandAdvS64Ex", - "RTRandAdvSaveState", - "RTRandAdvSeed", - "RTRandAdvU32", - "RTRandAdvU32Ex", - "RTRandAdvU64", - "RTRandAdvU64Ex", - "RTRandBytes", - "RTRandS32", - 
"RTRandS32Ex", - "RTRandS64", - "RTRandS64Ex", - "RTRandU32", - "RTRandU32Ex", - "RTRandU64", - "RTRandU64Ex", - "RTSemEventCreate", - "RTSemEventCreateEx", - "RTSemEventDestroy", - "RTSemEventGetResolution", - "RTSemEventMultiCreate", - "RTSemEventMultiCreateEx", - "RTSemEventMultiDestroy", - "RTSemEventMultiGetResolution", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitEx", - "RTSemEventMultiWaitExDebug", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitEx", - "RTSemEventWaitExDebug", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSemMutexCreate", - "RTSemMutexCreateEx", - "RTSemMutexDestroy", - "RTSemMutexIsOwned", - "RTSemMutexRelease", - "RTSemMutexRequest", - "RTSemMutexRequestDebug", - "RTSemMutexRequestNoResume", - "RTSemMutexRequestNoResumeDebug", - "RTSemSpinMutexCreate", - "RTSemSpinMutexDestroy", - "RTSemSpinMutexRelease", - "RTSemSpinMutexRequest", - "RTSemSpinMutexTryRequest", - "RTSha1", - "RTSha1Check", - "RTSha1Final", - "RTSha1FromString", - "RTSha1Init", - "RTSha1ToString", - "RTSha1Update", - "RTSha224", - "RTSha224Check", - "RTSha224Final", - "RTSha224Init", - "RTSha224Update", - "RTSha256", - "RTSha256Check", - "RTSha256Final", - "RTSha256FromString", - "RTSha256Init", - "RTSha256ToString", - "RTSha256Update", - "RTSha384", - "RTSha384Check", - "RTSha384Final", - "RTSha384Init", - "RTSha384Update", - "RTSha512", - "RTSha512Check", - "RTSha512Final", - "RTSha512FromString", - "RTSha512Init", - "RTSha512ToString", - "RTSha512Update", - "RTSha512t224", - "RTSha512t224Check", - "RTSha512t224Final", - "RTSha512t224Init", - "RTSha512t224Update", - "RTSha512t256", - "RTSha512t256Check", - "RTSha512t256Final", - "RTSha512t256Init", - "RTSha512t256Update", - "RTSpinlockAcquire", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTStrAAppendNTag", 
- "RTStrAAppendTag", - "RTStrATruncateTag", - "RTStrAllocExTag", - "RTStrAllocTag", - "RTStrCalcLatin1Len", - "RTStrCalcLatin1LenEx", - "RTStrCalcUtf16Len", - "RTStrCalcUtf16LenEx", - "RTStrCat", - "RTStrCmp", - "RTStrConvertHexBytes", - "RTStrConvertHexBytesEx", - "RTStrCopy", - "RTStrCopyEx", - "RTStrCopyP", - "RTStrDupExTag", - "RTStrDupNTag", - "RTStrDupTag", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatR80", - "RTStrFormatR80u2", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatU128", - "RTStrFormatU16", - "RTStrFormatU256", - "RTStrFormatU32", - "RTStrFormatU512", - "RTStrFormatU64", - "RTStrFormatU8", - "RTStrFormatV", - "RTStrFree", - "RTStrGetCpExInternal", - "RTStrGetCpInternal", - "RTStrGetCpNExInternal", - "RTStrICmp", - "RTStrICmpAscii", - "RTStrIStr", - "RTStrIsValidEncoding", - "RTStrNCmp", - "RTStrNICmp", - "RTStrNLen", - "RTStrPrevCp", - "RTStrPrintHexBytes", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrPurgeComplementSet", - "RTStrPurgeEncoding", - "RTStrPutCpInternal", - "RTStrReallocTag", - "RTStrStrip", - "RTStrStripL", - "RTStrStripR", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToLatin1ExTag", - "RTStrToLatin1Tag", - "RTStrToLower", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTStrToUni", - "RTStrToUniEx", - "RTStrToUpper", - "RTStrToUtf16BigExTag", - "RTStrToUtf16BigTag", - "RTStrToUtf16ExTag", - "RTStrToUtf16Tag", - "RTStrUniLen", - "RTStrUniLenEx", - "RTStrValidateEncoding", - "RTStrValidateEncodingEx", - "RTTermDeregisterCallback", - 
"RTTermRegisterCallback", - "RTTermRunCallbacks", - "RTThreadCreate", - "RTThreadCreateF", - "RTThreadCreateV", - "RTThreadCtxHookCreate", - "RTThreadCtxHookDestroy", - "RTThreadCtxHookDisable", - "RTThreadCtxHookEnable", - "RTThreadCtxHookIsEnabled", - "RTThreadFromNative", - "RTThreadGetName", - "RTThreadGetNative", - "RTThreadGetType", - "RTThreadIsInInterrupt", - "RTThreadIsInitialized", - "RTThreadIsMain", - "RTThreadIsSelfAlive", - "RTThreadIsSelfKnown", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptIsPending", - "RTThreadPreemptIsPendingTrusty", - "RTThreadPreemptIsPossible", - "RTThreadPreemptRestore", - "RTThreadSelf", - "RTThreadSelfName", - "RTThreadSetName", - "RTThreadSetType", - "RTThreadSleep", - "RTThreadUserReset", - "RTThreadUserSignal", - "RTThreadUserWait", - "RTThreadUserWaitNoResume", - "RTThreadWait", - "RTThreadWaitNoResume", - "RTThreadYield", - "RTTimeCompare", - "RTTimeConvertToZulu", - "RTTimeExplode", - "RTTimeFromRfc2822", - "RTTimeFromString", - "RTTimeImplode", - "RTTimeIsLeapYear", - "RTTimeLocalNormalize", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNormalize", - "RTTimeNow", - "RTTimeSpecFromString", - "RTTimeSpecToString", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimeToRfc2822", - "RTTimeToString", - "RTTimeToStringEx", - "RTTimerCanDoHighResolution", - "RTTimerChangeInterval", - "RTTimerCreate", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "RTUInt128MulByU64", - "RTUtf16AllocTag", - "RTUtf16BigCalcUtf8Len", - "RTUtf16BigCalcUtf8LenEx", - "RTUtf16BigGetCpExInternal", - "RTUtf16BigToUtf8ExTag", - "RTUtf16BigToUtf8Tag", - "RTUtf16CalcUtf8Len", - "RTUtf16CalcUtf8LenEx", - "RTUtf16CatAscii", - "RTUtf16Cmp", - "RTUtf16CmpUtf8", - "RTUtf16CopyAscii", - "RTUtf16DupExTag", - "RTUtf16DupTag", - "RTUtf16End", - "RTUtf16Free", - 
"RTUtf16GetCpExInternal", - "RTUtf16GetCpInternal", - "RTUtf16ICmpAscii", - "RTUtf16IsValidEncoding", - "RTUtf16Len", - "RTUtf16LittleCalcUtf8Len", - "RTUtf16LittleCalcUtf8LenEx", - "RTUtf16LittleToUtf8ExTag", - "RTUtf16LittleToUtf8Tag", - "RTUtf16PurgeComplementSet", - "RTUtf16PutCpInternal", - "RTUtf16ReallocTag", - "RTUtf16ToUtf8ExTag", - "RTUtf16ToUtf8Tag", - "RTUtf16ValidateEncoding", - "RTUtf16ValidateEncodingEx", - "RTUuidClear", - "RTUuidCompare", - "RTUuidCompare2Strs", - "RTUuidCompareStr", - "RTUuidFromStr", - "RTUuidFromUtf16", - "RTUuidIsNull", - "RTUuidToStr", - "RTUuidToUtf16", - "SUPGetCpuHzFromGipForAsyncMode", - "SUPGetGIP", - "SUPGetTscDeltaSlow", - "SUPIsTscFreqCompatible", - "SUPIsTscFreqCompatibleEx", - "SUPR0BadContext", - "SUPR0ChangeCR4", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetCurrentGdtRw", - "SUPR0GetDefaultLogInstanceEx", - "SUPR0GetDefaultLogRelInstanceEx", - "SUPR0GetHwvirtMsrs", - "SUPR0GetKernelFeatures", - "SUPR0GetPagingMode", - "SUPR0GetSessionGVM", - "SUPR0GetSessionVM", - "SUPR0GetSvmUsability", - "SUPR0GetVTSupport", - "SUPR0GetVmxUsability", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0IoCtlCleanup", - "SUPR0IoCtlPerform", - "SUPR0IoCtlSetupForHandle", - "SUPR0LdrIsLockOwnerByMod", - "SUPR0LdrLock", - "SUPR0LdrModByName", - "SUPR0LdrModRelease", - "SUPR0LdrModRetain", - "SUPR0LdrUnlock", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0PageProtect", - "SUPR0Printf", - "SUPR0QueryUcodeRev", - "SUPR0QueryVTCaps", - "SUPR0ResumeVTxOnCpu", - "SUPR0SetSessionVM", - "SUPR0SuspendVTxOnCpu", - "SUPR0TracerDeregisterDrv", - "SUPR0TracerDeregisterImpl", - 
"SUPR0TracerFireProbe", - "SUPR0TracerRegisterDrv", - "SUPR0TracerRegisterImpl", - "SUPR0TracerRegisterModule", - "SUPR0TracerUmodProbeFire", - "SUPR0TscDeltaMeasureBySetIndex", - "SUPR0UnlockMem", - "SUPReadTscWithDelta", - "SUPSemEventClose", - "SUPSemEventCreate", - "SUPSemEventGetResolution", - "SUPSemEventMultiClose", - "SUPSemEventMultiCreate", - "SUPSemEventMultiGetResolution", - "SUPSemEventMultiReset", - "SUPSemEventMultiSignal", - "SUPSemEventMultiWait", - "SUPSemEventMultiWaitNoResume", - "SUPSemEventMultiWaitNsAbsIntr", - "SUPSemEventMultiWaitNsRelIntr", - "SUPSemEventSignal", - "SUPSemEventWait", - "SUPSemEventWaitNoResume", - "SUPSemEventWaitNsAbsIntr", - "SUPSemEventWaitNsRelIntr", - "g_RTAsn1BitString_Vtable", - "g_RTAsn1Boolean_Vtable", - "g_RTAsn1Core_Vtable", - "g_RTAsn1DefaultAllocator", - "g_RTAsn1Integer_Vtable", - "g_RTAsn1Null_Vtable", - "g_RTAsn1ObjId_Vtable", - "g_RTAsn1OctetString_Vtable", - "g_RTAsn1SaferAllocator", - "g_RTAsn1String_Vtable", - "g_RTAsn1Time_Vtable", - "g_aRTUniLowerRanges", - "g_aRTUniUpperRanges", - "g_abRTZero16K", - "g_abRTZero32K", - "g_abRTZero4K", - "g_abRTZero64K", - "g_abRTZero8K", - "g_abRTZeroPage", - "g_pSUPGlobalInfoPage", - "g_pszRTAssertExpr", - "g_pszRTAssertFile", - "g_pszRTAssertFunction", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2", - "g_u32RTAssertLine" - ], - "ImportedFunctions": [ - "strchr", - "IoDeleteDevice", - "IoCreateDevice", - "RtlInitUnicodeString", - "IofCompleteRequest", - "PsGetCurrentProcessId", - "PsGetCurrentThreadId", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "IoFileObjectType", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "ObQueryNameString", - "PsGetProcessImageFileName", - "ZwClose", - "PsGetProcessId", - "IoGetCurrentProcess", - "LpcPortObjectType", - "__C_specific_handler", - "PsLookupProcessByProcessId", - "ZwQuerySystemInformation", - "ObReferenceObjectByName", - 
"PsGetProcessSessionId", - "PsThreadType", - "PsLookupThreadByThreadId", - "ObOpenObjectByPointer", - "PsProcessType", - "PsInitialSystemProcess", - "PsIsProcessBeingDebugged", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "IoIs32bitProcess", - "ZwSetSystemInformation", - "ObfReferenceObject", - "ExGetPreviousMode", - "PsGetProcessInheritedFromUniqueProcessId", - "IoThreadToProcess", - "PsSetCreateProcessNotifyRoutine", - "DbgPrint", - "ZwRequestWaitReplyPort", - "MmGetSystemRoutineAddress", - "PsGetVersion", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "RtlQueryRegistryValues", - "ZwReadFile", - "ZwQueryInformationFile", - "RtlEqualSid", - "ZwQuerySecurityObject", - "ZwQueryObject", - "ZwCreateFile", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "__chkstk", - "ZwQueryInformationThread", - "ZwQueryInformationProcess", - "KeSetTimerEx", - "KeInsertQueueDpc", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeInitializeDpc", - "KeInitializeTimer", - "KeQueryTimeIncrement", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeSetPriorityThread", - "PsCreateSystemThread", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeInitializeMutex", - "KeReleaseMutex", - "KeReadStateMutex", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeResetEvent", - "ProbeForRead", - "ProbeForWrite", - "MmHighestUserAddress", - "MmSystemRangeStart", - "KeNumberProcessors", - "ZwQueryDirectoryFile", - "MmIsAddressValid", - "MmUnmapIoSpace", - "MmUnlockPages", - "MmFreeContiguousMemory", - "IoFreeMdl", - "ExFreePool", - "MmUnmapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ExAllocatePool", - "MmProtectMdlSystemAddress", - "MmAllocateContiguousMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPages", - "IoBuildPartialMdl", - "MmGetPhysicalAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CN, ST=Guangdong, L=Heyuan, O=No 
Organization Affiliation, OU=Individual Developer, CN=Huiping Zhong", - "ValidFrom": "2013-07-18 00:00:00", - "ValidTo": "2014-07-18 23:59:59", - "Signature": "b0adb278c1270674ee67a03d06eae088afed344bb288e3ee4374147d355eed1ad772a5217c265921af4b61b4e582ddbe3f09682ea4dc7f8fc250945aaf2099899dbc855ff62d5f4ac58536f542b0d1f5a0e1ed5a039bbcd0f89f6286fb5cfe8daf551661b2685c7b61db150cb4dce8f0b0cdf5a4747c67ae1b363e5f58c90c48318145dd6609fc5b31e734d0ab3fa09a4ee243018ff40a82b223b99fcbece516fb04e0e1785939df2ffc6f74bcf54f818fa340534c55db6086a8352edba5323477dea3e7341782f969cf26f12d224cb2ae462fe50527da03c96cde8c262b10fee42da29a6271d2b6cbb21bd9625e451f63d54b88ccf4395ff6339582362aad87", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "77769240d819a3f2eb2e7f8baffecd26", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" - } - ] - } - ] - }, - { - "FileName": "VBoxDrv.sys", - "MD5": "e3bdb307b32b13b8f7e621e8d5cc8cd3", - "SHA1": "58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c", - "SHA256": "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924", - "Authentihash": { - "MD5": "eb532e54636f61b9af61f97d46ca8cae", - "SHA1": "018d626382f2453ef584b732e1e03ceab51e84db", - "SHA256": "6ab14c5c89759695dbb4b310b7cad68d9ec2007277e3b4f3abb883bd05ef557c" - }, - "Description": "VirtualBox Support Driver", - "Company": "Sun Microsystems, Inc.", - "InternalName": "VBoxDrv.sys", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "2.2.0.r45846", - "Product": "Sun VirtualBox", - "ProductVersion": "2.2.0.r45846", - "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "AssertMsg1", - "AssertMsg2", - "RTAssertShouldPanic", - "RTErrConvertFromNtStatus", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCopyGroupsAndFlags", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDestroy", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetDefaultInstance", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", 
- "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDup", - "RTMemDupEx", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0Init", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", - "RTR0MemObjMapKernelEx", - "RTR0MemObjMapUser", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - "RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrPrintf", - 
"RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptRestore", - "RTThreadSleep", - "RTThreadYield", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNow", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetPagingMode", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAlloc", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0UnlockMem", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2" - ], - "ImportedFunctions": [ - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "ExRegisterCallback", - "ExCreateCallback", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IoGetStackLimits", - "memchr", - "strncmp", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - 
"KeSetEvent", - "KeWaitForSingleObject", - "KeResetEvent", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeDelayExecutionThread", - "ZwYieldExecution", - "ExFreePoolWithTag", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", - "ExAllocatePoolWithTag", - "KeQueryActiveProcessors", - "strchr", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "KeSetTimerEx", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "MmUnmapIoSpace", - "MmUnlockPages", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocatePagesForMdl", - "__C_specific_handler", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows", - "ValidFrom": "2021-09-02 18:23:41", - "ValidTo": "2022-09-01 18:23:41", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", - "ValidFrom": "2011-10-19 18:41:42", - "ValidTo": "2026-10-19 18:51:42", - "Signature": 
"14fc7c7151a579c26eb2ef393ebc3c520f6e2b3f101373fea868d048a6344d8a960526ee3146906179d6ff382e456bf4c0e528b8da1d8f8adb09d71ac74c0a36666a8cec1bd70490a81817a49bb9e240323676c4c15ac6bfe404c0ea16d3acc368ef62acdd546c503058a6eb7cfe94a74e8ef4ec7c867357c2522173345af3a38a56c804da0709edf88be3cef47e8eaef0f60b8a08fb3fc91d727f53b8ebbe63e0e33d3165b081e5f2accd16a49f3da8b19bc242d090845f541dff89eaba1d47906fb0734e419f409f5fe5a12ab21191738a2128f0cede73395f3eab5c60ecdf0310a8d309e9f4f69685b67f51886647198da2b0123d812a680577bb914c627bb6c107c7ba7a8734030e4b627a99e9cafcce4a37c92da4577c1cfe3ddcb80f5afad6c4b30285023aeab3d96ee4692137de81d1f675190567d393575e291b39c8ee2de1cde445735bd0d2ce7aab1619824658d05e9d81b367af6c35f2bce53f24e235a20a7506f6185699d4782cd1051bebd088019daa10f105dfba7e2c63b7069b2321c4f9786ce2581706362b911203cca4d9f22dbaf9949d40ed1845f1ce8a5c6b3eab03d370182a0a6ae05f47d1d5630a32f2afd7361f2a705ae5425908714b57ba7e8381f0213cf41cc1c5b990930e88459386e9b12099be98cbc595a45d62d6a0630820bd7510777d3df345b99f979fcb57806f33a904cf77a4621c597e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" - } - ] - } - ] - }, - { - "FileName": "VBoxDrv.sys", - "MD5": "443689645455987cb347154b391f734d", - "SHA1": "2fed7eddd63f10ed4649d9425b94f86140f91385", - "SHA256": "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada", - "Authentihash": { - "MD5": "ed53ea124ed4c30df39c29a4f5b01182", - "SHA1": "2903352a4e038c68c044a48edebd118af7e80098", - "SHA256": "79e3b14b68f1fcf805ccfe7bc2dc81b98346d2e83a6335816b276970e2e2691a" - }, - "Description": "VirtualBox Support Driver", - "Company": "Sun Microsystems, Inc.", - "InternalName": "VBoxDrv.sys", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "2.2.4.r47978", - "Product": "Sun VirtualBox", - "ProductVersion": "2.2.4.r47978", - "Copyright": "Copyright (C) 
2009 Sun Microsystems, Inc.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "AssertMsg1", - "AssertMsg2", - "RTAssertShouldPanic", - "RTErrConvertFromNtStatus", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCopyGroupsAndFlags", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDestroy", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetDefaultInstance", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDup", - "RTMemDupEx", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0Init", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", 
- "RTR0MemObjMapKernelEx", - "RTR0MemObjMapUser", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - "RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptRestore", - "RTThreadSleep", - "RTThreadYield", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNow", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - 
"SUPR0EnableVTx", - "SUPR0GetPagingMode", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAlloc", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0UnlockMem", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2" - ], - "ImportedFunctions": [ - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "ExRegisterCallback", - "ExCreateCallback", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IoGetStackLimits", - "memchr", - "strncmp", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeWaitForSingleObject", - "KeResetEvent", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeDelayExecutionThread", - "ZwYieldExecution", - "ExFreePoolWithTag", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", - "ExAllocatePoolWithTag", - "KeQueryActiveProcessors", - "strchr", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "KeSetTimerEx", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "MmUnmapIoSpace", - "MmUnlockPages", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocatePagesForMdl", - "__C_specific_handler", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, 
O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", - "ValidFrom": "2008-06-11 00:00:00", - "ValidTo": 
"2011-06-11 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "VBoxDrv.sys", - "MD5": "6beb1d8146f5a4aaa2f7b8c0c9bced30", - "SHA1": "07f62d9b6321bed0008e106e9ce4240cb3f76da2", - "SHA256": "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40", - "Authentihash": { - "MD5": "71bbd7b5164d35bc41d5a7f61a2d81f0", - "SHA1": "eec7692de436743eed432729fb620c5da3d5318f", - "SHA256": "1c9c86ba5ae540bb5729626cdaec89ca421f8129e4bbf6e1ea49c532b44ea0c9" - }, - "Description": "VirtualBox Support Driver", - "Company": "Vektor T13 Security Service", - "InternalName": "VBoxDrv", - "OriginalFilename": "VBoxDrv.sys", - "FileVersion": "1.4.0.119230", - "Product": "Antidetect 2019 Public", - "ProductVersion": "1.4.0.119230", - "Copyright": "Copyright (C) 2009-2019 Oracle Corporation", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "ASMAtomicBitClear", - "ASMAtomicXchgU16", - "ASMAtomicXchgU8", - "ASMGetCS", - "ASMGetDS", - "ASMGetES", - "ASMGetFS", - "ASMGetGS", - "ASMGetIDTR", - "ASMGetSS", - "ASMMultU64ByU32DivByU32", - "ASMNopPause", - "RTAssertAreQuiet", - "RTAssertMayPanic", - "RTAssertMsg1", - "RTAssertMsg1Weak", - "RTAssertMsg2AddV", - "RTAssertMsg2V", - "RTAssertMsg2Weak", - "RTAssertMsg2WeakV", - "RTAssertSetMayPanic", - "RTAssertSetQuiet", - "RTAssertShouldPanic", - 
"RTAvlPVDestroy", - "RTAvlPVDoWithAll", - "RTAvlPVGet", - "RTAvlPVGetBestFit", - "RTAvlPVInsert", - "RTAvlPVRemove", - "RTAvlPVRemoveBestFit", - "RTCrc32", - "RTCrc32Finish", - "RTCrc32Process", - "RTCrc32Start", - "RTErrConvertFromErrno", - "RTErrConvertFromNtStatus", - "RTErrConvertToErrno", - "RTErrInfoAdd", - "RTErrInfoAddF", - "RTErrInfoAddV", - "RTErrInfoSet", - "RTErrInfoSetF", - "RTErrInfoSetV", - "RTErrVarsAreEqual", - "RTErrVarsHaveChanged", - "RTErrVarsRestore", - "RTErrVarsSave", - "RTHandleTableAllocWithCtx", - "RTHandleTableCreate", - "RTHandleTableCreateEx", - "RTHandleTableDestroy", - "RTHandleTableFreeWithCtx", - "RTHandleTableLookupWithCtx", - "RTLatin1CalcUtf8Len", - "RTLatin1CalcUtf8LenEx", - "RTLatin1ToUtf8ExTag", - "RTLatin1ToUtf8Tag", - "RTLogClearFileDelayFlag", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDefaultInstanceEx", - "RTLogDestinations", - "RTLogDestroy", - "RTLogDumpPrintfV", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGetDefaultInstanceEx", - "RTLogGetDestinations", - "RTLogGetFlags", - "RTLogGetGroupSettings", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelGetDefaultInstance", - "RTLogRelGetDefaultInstanceEx", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetBuffering", - "RTLogRelSetDefaultInstance", - "RTLogSetBuffering", - "RTLogSetCustomPrefixCallback", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAllocExTag", - "RTMemAllocTag", - "RTMemAllocVarTag", - "RTMemAllocZTag", - "RTMemAllocZVarTag", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDupExTag", - "RTMemDupTag", - 
"RTMemExecAllocTag", - "RTMemExecFree", - "RTMemFree", - "RTMemFreeEx", - "RTMemReallocTag", - "RTMemTmpAllocTag", - "RTMemTmpAllocZTag", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpCurSetIndex", - "RTMpCurSetIndexAndId", - "RTMpGetArraySize", - "RTMpGetCount", - "RTMpGetCpuGroupCounts", - "RTMpGetMaxCpuGroupCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCoreCount", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetPresentCoreCount", - "RTMpGetPresentCount", - "RTMpGetPresentSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuPresent", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnAllIsConcurrentSafe", - "RTMpOnOthers", - "RTMpOnPair", - "RTMpOnPairIsConcurrentExecSupported", - "RTMpOnSpecific", - "RTMpPokeCpu", - "RTMpSetIndexFromCpuGroupMember", - "RTNetIPv4AddDataChecksum", - "RTNetIPv4AddTCPChecksum", - "RTNetIPv4AddUDPChecksum", - "RTNetIPv4FinalizeChecksum", - "RTNetIPv4HdrChecksum", - "RTNetIPv4IsDHCPValid", - "RTNetIPv4IsHdrValid", - "RTNetIPv4IsTCPSizeValid", - "RTNetIPv4IsTCPValid", - "RTNetIPv4IsUDPSizeValid", - "RTNetIPv4IsUDPValid", - "RTNetIPv4PseudoChecksum", - "RTNetIPv4PseudoChecksumBits", - "RTNetIPv4TCPChecksum", - "RTNetIPv4UDPChecksum", - "RTNetIPv6PseudoChecksum", - "RTNetIPv6PseudoChecksumBits", - "RTNetIPv6PseudoChecksumEx", - "RTNetTCPChecksum", - "RTNetUDPChecksum", - "RTOnceReset", - "RTOnceSlow", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0AssertPanicSystem", - "RTR0Init", - "RTR0MemAreKrnlAndUsrDifferent", - "RTR0MemKernelCopyFrom", - "RTR0MemKernelCopyTo", - "RTR0MemKernelIsValidAddr", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocContTag", - "RTR0MemObjAllocLowTag", - "RTR0MemObjAllocPageTag", - "RTR0MemObjAllocPhysExTag", - "RTR0MemObjAllocPhysNCTag", - "RTR0MemObjAllocPhysTag", - 
"RTR0MemObjEnterPhysTag", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernelTag", - "RTR0MemObjLockUserTag", - "RTR0MemObjMapKernelExTag", - "RTR0MemObjMapKernelTag", - "RTR0MemObjMapUserTag", - "RTR0MemObjProtect", - "RTR0MemObjReserveKernelTag", - "RTR0MemObjReserveUserTag", - "RTR0MemObjSize", - "RTR0MemUserCopyFrom", - "RTR0MemUserCopyTo", - "RTR0MemUserIsValidAddr", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTR0TermForced", - "RTSemEventCreate", - "RTSemEventCreateEx", - "RTSemEventDestroy", - "RTSemEventGetResolution", - "RTSemEventMultiCreate", - "RTSemEventMultiCreateEx", - "RTSemEventMultiDestroy", - "RTSemEventMultiGetResolution", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitEx", - "RTSemEventMultiWaitExDebug", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitEx", - "RTSemEventWaitExDebug", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSemMutexCreate", - "RTSemMutexCreateEx", - "RTSemMutexDestroy", - "RTSemMutexIsOwned", - "RTSemMutexRelease", - "RTSemMutexRequest", - "RTSemMutexRequestDebug", - "RTSemMutexRequestNoResume", - "RTSemMutexRequestNoResumeDebug", - "RTSemSpinMutexCreate", - "RTSemSpinMutexDestroy", - "RTSemSpinMutexRelease", - "RTSemSpinMutexRequest", - "RTSemSpinMutexTryRequest", - "RTSpinlockAcquire", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTStrAAppendNTag", - "RTStrAAppendTag", - "RTStrATruncateTag", - "RTStrAllocExTag", - "RTStrAllocTag", - "RTStrCalcLatin1Len", - "RTStrCalcLatin1LenEx", - "RTStrCalcUtf16Len", - "RTStrCalcUtf16LenEx", - "RTStrCat", - "RTStrConvertHexBytes", - "RTStrCopy", - "RTStrCopyEx", - "RTStrCopyP", - "RTStrDupExTag", - "RTStrDupNTag", - "RTStrDupTag", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", 
- "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrFree", - "RTStrGetCpExInternal", - "RTStrGetCpInternal", - "RTStrGetCpNExInternal", - "RTStrIsValidEncoding", - "RTStrNCmp", - "RTStrPrevCp", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrPurgeComplementSet", - "RTStrPurgeEncoding", - "RTStrPutCpInternal", - "RTStrReallocTag", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToLatin1ExTag", - "RTStrToLatin1Tag", - "RTStrToUInt16", - "RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTStrToUni", - "RTStrToUniEx", - "RTStrToUtf16BigExTag", - "RTStrToUtf16BigTag", - "RTStrToUtf16ExTag", - "RTStrToUtf16Tag", - "RTStrUniLen", - "RTStrUniLenEx", - "RTStrValidateEncoding", - "RTStrValidateEncodingEx", - "RTTermDeregisterCallback", - "RTTermRegisterCallback", - "RTTermRunCallbacks", - "RTThreadCreate", - "RTThreadCreateF", - "RTThreadCreateV", - "RTThreadCtxHookCreate", - "RTThreadCtxHookDestroy", - "RTThreadCtxHookDisable", - "RTThreadCtxHookEnable", - "RTThreadCtxHookIsEnabled", - "RTThreadFromNative", - "RTThreadGetName", - "RTThreadGetNative", - "RTThreadGetType", - "RTThreadIsInInterrupt", - "RTThreadIsInitialized", - "RTThreadIsMain", - "RTThreadIsSelfAlive", - "RTThreadIsSelfKnown", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptIsPending", - "RTThreadPreemptIsPendingTrusty", - "RTThreadPreemptIsPossible", - "RTThreadPreemptRestore", - "RTThreadSelf", - "RTThreadSelfName", - "RTThreadSetName", - "RTThreadSetType", - "RTThreadSleep", - "RTThreadUserReset", - "RTThreadUserSignal", - "RTThreadUserWait", - 
"RTThreadUserWaitNoResume", - "RTThreadWait", - "RTThreadWaitNoResume", - "RTThreadYield", - "RTTimeExplode", - "RTTimeFromString", - "RTTimeImplode", - "RTTimeIsLeapYear", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNormalize", - "RTTimeNow", - "RTTimeSpecFromString", - "RTTimeSpecToString", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimeToString", - "RTTimerCanDoHighResolution", - "RTTimerChangeInterval", - "RTTimerCreate", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "RTUuidClear", - "RTUuidCompare", - "RTUuidCompare2Strs", - "RTUuidCompareStr", - "RTUuidFromStr", - "RTUuidFromUtf16", - "RTUuidIsNull", - "RTUuidToStr", - "RTUuidToUtf16", - "SUPGetCpuHzFromGipForAsyncMode", - "SUPGetGIP", - "SUPGetTscDeltaSlow", - "SUPIsTscFreqCompatible", - "SUPIsTscFreqCompatibleEx", - "SUPR0BadContext", - "SUPR0ChangeCR4", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetCurrentGdtRw", - "SUPR0GetKernelFeatures", - "SUPR0GetPagingMode", - "SUPR0GetSessionGVM", - "SUPR0GetSessionVM", - "SUPR0GetSvmUsability", - "SUPR0GetVmxUsability", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0PageProtect", - "SUPR0Printf", - "SUPR0QueryUcodeRev", - "SUPR0QueryVTCaps", - "SUPR0ResumeVTxOnCpu", - "SUPR0SetSessionVM", - "SUPR0SuspendVTxOnCpu", - "SUPR0TracerDeregisterDrv", - "SUPR0TracerDeregisterImpl", - "SUPR0TracerFireProbe", - "SUPR0TracerRegisterDrv", - "SUPR0TracerRegisterImpl", - "SUPR0TracerRegisterModule", - 
"SUPR0TracerUmodProbeFire", - "SUPR0TscDeltaMeasureBySetIndex", - "SUPR0UnlockMem", - "SUPReadTscWithDelta", - "SUPSemEventClose", - "SUPSemEventCreate", - "SUPSemEventGetResolution", - "SUPSemEventMultiClose", - "SUPSemEventMultiCreate", - "SUPSemEventMultiGetResolution", - "SUPSemEventMultiReset", - "SUPSemEventMultiSignal", - "SUPSemEventMultiWait", - "SUPSemEventMultiWaitNoResume", - "SUPSemEventMultiWaitNsAbsIntr", - "SUPSemEventMultiWaitNsRelIntr", - "SUPSemEventSignal", - "SUPSemEventWait", - "SUPSemEventWaitNoResume", - "SUPSemEventWaitNsAbsIntr", - "SUPSemEventWaitNsRelIntr", - "g_pSUPGlobalInfoPage", - "g_pszRTAssertExpr", - "g_pszRTAssertFile", - "g_pszRTAssertFunction", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2", - "g_u32RTAssertLine" - ], - "ImportedFunctions": [ - "strchr", - "IoDeleteDevice", - "IoCreateDevice", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", - "__C_specific_handler", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "IoIs32bitProcess", - "ZwSetSystemInformation", - "ExRegisterCallback", - "ExCreateCallback", - "MmGetSystemRoutineAddress", - "RtlQueryRegistryValues", - "DbgPrint", - "KeSetTimerEx", - "KeInsertQueueDpc", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeSetImportanceDpc", - "KeInitializeDpc", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeSetPriorityThread", - "KeWaitForSingleObject", - "ZwClose", - "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeInitializeMutex", - "KeReleaseMutex", - "KeReadStateMutex", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeResetEvent", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "ProbeForRead", - "ProbeForWrite", - "MmHighestUserAddress", - "MmSystemRangeStart", - "KeSetTargetProcessorDpc", - "KeNumberProcessors", - "PsGetVersion", - "MmIsAddressValid", - 
"MmUnmapIoSpace", - "MmUnlockPages", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocateContiguousMemorySpecifyCache", - "MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "CN=Vektor T13 Technology", - "ValidFrom": "2018-08-10 07:42:52", - "ValidTo": "2039-12-31 23:59:59", - "Signature": "4819acb135277102eb22d1ebf53707b6651b1dac668cbe264acefb52a0567dee778627ae98f2f8a69142e210ed9a585a826bea9339108f6cc8567a8a0d3b471dde8e932b4d7b466e657e0592faa7578e548c1d1f3b746190fac243e75735ad18bb9cf901d94d92ed4bfbe7729d439bdd300a6cb5fb75d17364033f92a8d15398", - "SignatureAlgorithmOID": "1.3.14.3.2.29" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4d87df1b3d1e239b405dc85d0a0bad22", - "Issuer": "CN=Vektor T13 Technology" - } - ] - } - ] - } - ], - "Tags": [ - "VBoxDrv.sys" - ] - }, - { - "Id": "043773c5-120a-4c6b-8485-8f1f5c47fd3e", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create aswArPot.sys 
binPath=C:\\windows\\temp\\aswArPot.sys type=kernel && sc.exe start aswArPot.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "aswArPot.sys", - "MD5": "c61876aaca6ce822be18adb9d9bd4260", - "SHA1": "186b6523e8e2fa121d6d3b8cb106e9a5b918af4f", - "SHA256": "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d", - "Authentihash": { - "MD5": "18893a7dd0bc23f4f4aa7b8350f0e75e", - "SHA1": "27021d09730a1d7694137e123ba3a63cd0b9e040", - "SHA256": "fab3f1dbc49bd9f0219156fe49d4423c311f529f7d3653f5f69d2b10b9b0bc98" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.7.4031.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "18.7.4031.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - 
"KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - 
"IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "56a9e9b5334f8698a0ede27c64140982", - "SHA1": "762a5b4c7beb2af675617dca6dcd6afd36ce0afd", - "SHA256": "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917", - "Authentihash": { - "MD5": "a75fd1dc0e0b04ba483ab56147868c5f", - "SHA1": "aad76f7285cc00fffce801147036331610943062", - "SHA256": "1faa125c9442b20c646411f629dd48afe2d962554c45fc4a8e2d45c1fc611b6c" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.8.130.0", - "Product": "AVG Internet Security 
System ", - "ProductVersion": "20.8.130.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - 
"IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - 
"ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "94999245e9580c6228b22ac44c66044c", - "SHA1": "4a04596acf79115f15add3921ce30a96f594d7ce", - "SHA256": "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c", - "Authentihash": { - "MD5": "bd9f1ccc35bd6f7b1b10f29e34167f2d", - "SHA1": "e6822211c3f40414dd0d8ec6416db8b050859cd5", - "SHA256": "a801e12c32c0eb197b3cc507d096afc16a32dca6bc71d080e1ae2c17ad13b2ca" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.3.68.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.3.68.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - 
"IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - 
"IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "93a23503e26773c27ed1da06bb79e7a4", - "SHA1": "da03799bb0025a476e3e15cc5f426e5412aeef02", - "SHA256": "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8", - "Authentihash": { - "MD5": "c53ff2c139c291d9afe0a4831d0ca8b3", - "SHA1": "e6fb86d4de7362af1e3cd957bcc4e2e887aa5016", - "SHA256": "29a560a11292c4224a401392e091a8f08230fdfea35521035e2bfda0b3d1f952" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.8.4057.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "18.8.4057.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - 
"RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - 
"ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "25190f667f31318dd9a2e36383d5709f", - "SHA1": "6dac7a8fa9589caae0db9d6775361d26011c80b2", - "SHA256": "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf", - "Authentihash": { - "MD5": "7d20fc4bf882c254e43049b35c40abe5", - "SHA1": "38ec7b2b736b7544fae9891c066a3f7231145ba2", - "SHA256": "9e51062d4249945e77c7d3fdecc9797ffc38017465c8068a5f1296bf85ae558c" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST 
Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.3.4224.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.3.4224.0", - "Copyright": "Copyright (c) 2019 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - 
"IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - 
"RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing 
CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "e7273e17ac85dc4272c4c4400091a19e", - "SHA1": "94b014123412fbe8709b58ec72594f8053037ae9", - "SHA256": "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4", - "Authentihash": { - "MD5": "8c2b0e47a2de7bd04758041782b1b2a7", - "SHA1": "a7f1025ab664dd61800687724fce31fd3b765d1f", - "SHA256": "60ae64ade82e9364e95f779bbf950571484aa833ece6837489329517012c7757" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.1.3800.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "18.1.3800.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - 
"ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - 
"KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", - "ValidFrom": "2015-07-28 00:00:00", - "ValidTo": "2018-09-25 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "812e960977116bf6d6c1ccf8b5dd351f", - "SHA1": "3eea0f5fb180c6f865fc83ac75ef3ad5b1376775", - "SHA256": "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c", - "Authentihash": { - "MD5": "69e30d791a1b6a41c1ddd2d7394e5a86", - "SHA1": "a3c5c7127cd7376ddd3571edccfe8d9ecdc8b623", - "SHA256": "59e004cd839611cbc5f7c061827587dbb120d7aab8d0e44191c0c01aeed9e168" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.3.4239.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.3.4239.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - 
"ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - 
"ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - 
"CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "595363661db3e50acc4de05b0215cc6f", - "SHA1": "ec8c0b2f49756b8784b3523e70cd8821b05b95eb", - "SHA256": "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1", - "Authentihash": { - "MD5": "7890348aaadad057268d7273afd85c2f", - "SHA1": "276a8ba9fddb74586e3f50d49a784c0180619a86", - "SHA256": "68043583bc2f3fc1ca11458e8b921dce2573afdc04bd20ba85eeb806d884eb6f" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.5.3926.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.5.3926.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - 
"RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - 
"PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 
19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "6212832f13b296ddbc85b24e22edb5ec", - "SHA1": "492a47426b04f00c0d5b711ad8c872aad3aa3a1d", - "SHA256": "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8", - "Authentihash": { - "MD5": "4031a1ee3682bcfb0b50423708cffc54", - "SHA1": "6f4648a7e5aba2e64d62f00d72da0d5735ebea8a", - "SHA256": "e5183eda50e2c42d2ed10c015be87dff774da180928c076e99888b0d6a931df5" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "17.9.3754.0", - "Product": "Avast Antivirus ", - "ProductVersion": "17.9.3754.0", - "Copyright": "Copyright (c) 2014 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - 
"ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - 
"ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software 
s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "cc8855fe30a9cdef895177a4cf1a3dad", - "SHA1": "07c244739803f60a75d60347c17edc02d5d10b5d", - "SHA256": "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca", - "Authentihash": { - "MD5": "3e14e8314e37d819e12a94610e0c7efc", - "SHA1": "c9e2da8df3086536c3fb8973c1848a39b9074bd1", - "SHA256": "a465cfa7a0bd76dfe8f261661d348e25d1a6a3975673336f90878618f2e6c21b" - }, - "Description": "Avast Anti Rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.8.137.0", - "Product": "Avast Antivirus ", - "ProductVersion": "20.8.137.0", - "Copyright": "Copyright (c) 2020 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - 
"strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - 
"IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": 
"2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "f83c61adbb154d46dd8f77923aa7e9c3", - "SHA1": "804013a12f2f6ba2e55c4542cbdc50ca01761905", - "SHA256": "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0", - "Authentihash": { - "MD5": "42a26c6ef3e814bccfb68b994460aa0d", - "SHA1": "a8258d25d074281391109908b94130f39f7dbfbf", - "SHA256": "968258fe6b307a7887465c7fb0a0b7b45f973b91deb8638af1428d247430d777" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.7.113.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.7.113.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - 
"KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", 
- "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - 
"SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code 
Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "a3af4a4fa6cba27284f8289436c2f074", - "SHA1": "ed3f11383a47710fa840e13a7a9286227fa1474c", - "SHA256": "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0", - "Authentihash": { - "MD5": "7f6e8583009bec91a51d479a2eb8b0e4", - "SHA1": "85a0622ec6c77df0ce26c11380044039d908869d", - "SHA256": "d92b2f58c8fca3d3634b0c20578edd5004df571b29790690c97255e6096442c6" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.3.4239.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.3.4239.0", - "Copyright": "Copyright (c) 2019 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - 
"wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - 
"ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { 
- "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - 
"Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "88d5fc86f0dd3a8b42463f8d5503a570", - "SHA1": "d0452363b41385f6a6778f970f3744dde4701d8f", - "SHA256": "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2", - "Authentihash": { - "MD5": "beaca8c2a09b87bf9c63febf94f1de1c", - "SHA1": "3a74bc87abd401e34b291f5118358fef7173af46", - "SHA256": "2cd8e9eb8e4754f07fdfc8c3aae4d7fc0d25b346884c3474db35c757d2994b34" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.3.3860.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "18.3.3860.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - 
"RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - 
"KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", - "ValidFrom": "2015-07-28 00:00:00", - "ValidTo": "2018-09-25 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "e4d4a22cbf94e6b0a92fc36d46741f56", - "SHA1": "1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41", - "SHA256": "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c", - "Authentihash": { - "MD5": "19758f499cc41d3fecb06ee83152e7d6", - "SHA1": "bfbb65d893f45a289417b6d45a060759ad4478d5", - "SHA256": "62b89fab85cf77b1e6730d2b55b4f9458f368f89d3ca5672d450e3c3365d8c37" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.1.4132.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.1.4132.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", 
- "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - 
"PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "a22626febc924eb219a953f1ee2b9600", - "SHA1": "f61e56359c663a769073782a0a3ffd3679c2694a", - "SHA256": "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1", - "Authentihash": { - "MD5": "dbff97e1c14c4c58e54ab1c0a5bfb5dc", - "SHA1": "8b374284e8269100798b4471a0dae9a70a2f906c", - "SHA256": "5512aea158c30e4f52c1e27136c1c803c98388d1d8c7269e497728fd0b57d9f5" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.10.171.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.10.171.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - 
"MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "IoDetachDevice", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "IoAttachDeviceToDeviceStackSafe", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IoCreateDevice", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - 
"RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoThreadToProcess", - "PsInitialSystemProcess", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": 
"03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "66e0db8a5b0425459d0430547ecbb3db", - "SHA1": "7cee31d3aaee8771c872626feedeeb5d09db008c", - "SHA256": "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf", - "Authentihash": { - "MD5": "b8a542fc08dd527ce67d711ff876a3db", - "SHA1": "47edc88c38f2abfbc06a5d7d1b54d14ac93acc22", - "SHA256": "f6cb70c945e7b3723de1d334aa2fb97bb8ddb9f68e409deeb9988f446546a57c" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.5.96.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.5.96.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - 
"IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - 
"KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "cb31f1b637056a3d374e22865c41e6d9", - "SHA1": "24b47ba7179755e3b12a59d55ae6b2c3d2bd1505", - "SHA256": "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289", - "Authentihash": { - "MD5": "0f3a942c946055cb40ee138ceb5f57d9", - "SHA1": "2989078f9ab5fc078bf801fcdc49674e3fc1d187", - "SHA256": "5af59d6ca109b5cae3350b48b85274ce181e45be4c7f7156bdf58ca3ca7f4188" - }, - "Description": "Avast Anti Rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.3.68.0", - "Product": "Avast Antivirus ", - "ProductVersion": "20.3.68.0", - "Copyright": "Copyright (c) 2020 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - 
"PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - 
"PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": 
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "d0a5b98788e480c12afc65ad3e6d4478", - "SHA1": "6c445ceb38d5b1212ce2e7498888dd9562a57875", - "SHA256": "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b", - "Authentihash": { - "MD5": "8bbe86720ded843c4a0023310a403879", - "SHA1": "2035334476f2c5f82a5e71c04bbf82aa51b2f41b", - "SHA256": "4e89a5a25969953961db2a2a1a5c73c8af48f7af169ac3fd098171556bf0854d" - }, - "Description": "Avast Anti Rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.7.113.0", - "Product": "Avast Antivirus ", - "ProductVersion": "20.7.113.0", - "Copyright": "Copyright (c) 2020 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - 
"PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - 
"PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": 
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "84c4d8ae023ca9bb60694fa467141247", - "SHA1": "79f1a6f5486523e6d8dcfef696bc949fc767613d", - "SHA256": "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba", - "Authentihash": { - "MD5": "739b545edae1f711d7c566f740cdc018", - "SHA1": "a3eb3e15e851a8744781889ca4e728bb9c67070f", - "SHA256": "cd3b38875c8b727f18cec382698624679d6413f02cf33d82a7c93b9595860b6d" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.7.4016.0", - "Product": "Avast Antivirus ", - "ProductVersion": 
"18.7.4016.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - 
"PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - 
"ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "14add4f16d80595e6e816abf038141e5", - "SHA1": "218e4bbdd5ce810c48b938307d01501c442b75f4", - "SHA256": "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c", - "Authentihash": { - "MD5": "d81a508b30f8107d9b43c7eef68821b9", - "SHA1": "c1c619cdc11eecf093afe9d9a96a3236d1dab348", - "SHA256": "0bc755f3e24023d931c637b4c734ae3a4d50567c87fd025114e0520413721751" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.6.107.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.6.107.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - 
"RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", 
- "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - 
"Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "53bb10742e10991af4ad280fcb134151", - "SHA1": "d6b1b3311263bfb170f2091d22f373c2215051b7", - "SHA256": "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3", - "Authentihash": { - "MD5": "04a76d94db489fdaf72161aa467b2acb", - "SHA1": "57d45edbab6745991e54c3e50f768eb5714a76cd", - "SHA256": "9d736f624a306d6e2399778dd92ab7f4f7ab33c6ca0528657bc026214f990a4f" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.5.4220.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.5.4220.0", - "Copyright": "Copyright (c) 2019 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - 
"RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsGetThreadId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "PsGetThreadProcess", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - 
"ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsGetProcessId", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - 
"Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": 
"045ef7a39288ba1f4b8d6eca43def44f", - "SHA1": "a0bf00e4ef2b1a79ccf2361c6b303688641ed94c", - "SHA256": "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf", - "Authentihash": { - "MD5": "ef1a7d935ae5e49c42d632f550e6f5e0", - "SHA1": "a62c27dedfb91de6404e2358fdd14b67fdb43767", - "SHA256": "596c497e7e405ceb79ba0ba45f993125d88d50fc18867048d0c7a356ebd0c0ed" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.6.4235.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.6.4235.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsGetThreadId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - 
"IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "PsGetThreadProcess", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsGetProcessId", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - 
"KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "64a3846966f4f2a1ffd87657c43ac13664775a70d059fd4447ee6588de3e0bf2b1a228291c0a01222cab6b4bbbcaabb94662396476d5525c952e7fd0048588028be1ba1c55c1ac200b523e7234ded93661acf83becee39c27823e22ec23d4ff8266eea3241ed9fbfd6bba155c7c39ed31db5e810dd7ea0858b0a2e9b824f23b9002f04e35375d54e5237f575e221914fd6a11590fdac7bc2ee5d66eb08e3c560414f6144111bef12350d70d9bdc513fb8d2407de5f1c7cca824feb4fb2a51057c2609f8d6419078879d64840ed870385d645f08f022a306ba5309883eacf4967dbbeb36961c73f2ed047d6cf85d2c3ee86c9913e8374be078155a4ffa36d9fa8", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, 
O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "11dc5523bb559f8d2ce637f6a2b70dea", - "SHA1": "0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84", - "SHA256": "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d", - "Authentihash": { - "MD5": "0b253942e96233f5999ffea9ac6cc07a", - "SHA1": "12079ccb38494c101d23667282452f87845868eb", - "SHA256": "03a54ad77fc453c9889e170a811d232a305d46fb7f59582d3f1cb234598507a1" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.5.4220.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.5.4220.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - 
"ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsGetThreadId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "PsGetThreadProcess", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - 
"PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsGetProcessId", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "9f3b5de6fe46429bed794813c6ae8421", - "SHA1": "5236728c7562b047a9371403137a6e169e2026a6", - "SHA256": "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed", - "Authentihash": { - "MD5": "e4d36098f543d3e4d5bbe1bd50cc42cd", - "SHA1": "e51d18476af7dd376eaaedf2a3533b6fbdab95c0", - 
"SHA256": "c13745de817eb38a092524cd3dae805c8fbde967e635e485243782db955508cc" - }, - "Description": "Avast Anti Rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.4.83.0", - "Product": "Avast Antivirus ", - "ProductVersion": "20.4.83.0", - "Copyright": "Copyright (c) 2020 AVAST Software", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "_wcsicmp", - "KeGetCurrentThread", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "KeQuerySystemTime", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - 
"KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "ZwUnmapViewOfSection", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "IoBuildDeviceIoControlRequest", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "KeBugCheckEx", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "RtlUnwind", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "memcpy", - "memset", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - 
"PsRemoveLoadImageNotifyRoutine", - "ZwQuerySystemInformation", - "RtlAnsiStringToUnicodeString", - "ExAllocatePool", - "MmUnlockPages", - "MmIsAddressValid", - "IoAllocateWorkItem", - "PsGetCurrentThreadId", - "KeDelayExecutionThread", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "KfLowerIrql", - "ExAcquireFastMutex", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert 
Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "f0aeb731d83f7ab6008c92c97faf6233", - "SHA1": "aaffdc89befa42e375f822366bbded8c245baf94", - "SHA256": "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea", - "Authentihash": { - "MD5": "444a4760f447dafc01a359829e17dcab", - "SHA1": "83f7c19b66f53302e371d9f0987fc4adc37b1e46", - "SHA256": "c8b5fddf52551259d7d936283aa4fdc4579c5e4b030a11267496cdbdc143e15b" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "17.9.3761.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "17.9.3761.0", - "Copyright": "Copyright (C) 2014 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - 
"strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - 
"KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CZ, ST=Jihomoravsky kraj, L=Brno, O=AVG Technologies CZ, s.r.o., CN=AVG Technologies CZ, s.r.o.", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2018-01-20 23:59:59", - "Signature": "3d93ae390468d2f9d7dae44754afe395ca0a9dae3e2e78d96f1fb865662d5336479c70f7f75dd2e478dfeee4afd56418f03491e2758d3b9907892a1d5425ce69fd560ab580589451c26ccb281b08eac55d446d391de4d1eb3b6161ee879927ef9e700c1e827957ebfd201eda47fdf3cbeeec5a61fdad2496055d39804d3525a9fdf1fb15d54f5d7089daebde48a226a4532d815ca0b98808cf072975df3756f8bb5fd97ec97877b6243dc33ae787cae89da9419da2d818ff892179a561b4e3208acfd7b956eeaa3396d91f36cba96269abbc0a54764daab47ada4589de2e318dc0ae82ffa7aa327cc73b42f84e472a834c804f77a3883600e0bd8faf126d7d82", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "266d333ede17a8b472053e4fa3934572", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "700d6a0331befd4ed9cfbb3234b335e7", - "SHA1": "c1a5aacf05c00080e04d692a99c46ab445bf8b6e", - "SHA256": "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882", - "Authentihash": { - "MD5": "200e978d48ef267fa8fe5eef7fe798b8", - "SHA1": "f7979e778214d8d32844e6b65b8f4a56c3a12354", - "SHA256": "6c919efdad21b7d9884903b9d539fbb50dc418ff2c2753c12b35b9ace4c96d73" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.8.4057.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.8.4057.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - 
"NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - 
"KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - 
"Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "9eb524c5f92e5b80374b8261292fdeb5", - "SHA1": "80ea425e193bd0e05161e8e1dc34fb0eae5f9017", - "SHA256": "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9", - "Authentihash": { - "MD5": "996cd1b1cf33931bfaf2217e22fc82f0", - "SHA1": "ba761efd5a552ccdd4363277acf95cd54b9dff4c", - "SHA256": "3b38427f167fde644868a62f0aa1ed03790137905c97024ac21729fa6153eca2" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.7.4246.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.7.4246.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - 
"towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsGetThreadId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "PsGetThreadProcess", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - 
"IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsGetProcessId", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": 
"0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "9496585198d726000ea505abc39dbfe9", - "SHA1": "19977d45e98b48c901596fb0a49a7623cee4c782", - "SHA256": "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5", - "Authentihash": { - "MD5": "e7f217b2e9cafd1fd529fac02570b6ba", - "SHA1": "172b630f5d54c70ce0ee43cf1afdbb6f488eb4b7", - "SHA256": "2537f2ad83f5efc841ed75081d5dfffeb04eea92abfb9844adc091ff2a671b56" - }, - "Description": "AVG Anti Rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.4.83.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "20.4.83.0", - "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - 
"IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - 
"KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", - "ValidFrom": "2020-01-27 00:00:00", - "ValidTo": "2022-10-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "ceac1347acae9ad9496d4b0593256522", - "SHA1": "36a6f75f05ac348af357fdecbabe1a184fe8d315", - "SHA256": "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7", - "Authentihash": { - "MD5": "d09a1bf39b8055fc11ac2bad634f36c5", - "SHA1": "3016bec15d07a845d6cf40aafbd4d63a06c403f2", - "SHA256": "9e309324897edf07776adbb2b05252d7a2ad8140c6636bc28a5050e4ea183d40" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.1.4132.0", - "Product": "AVG Internet 
Security System ", - "ProductVersion": "19.1.4132.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - 
"IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - 
"ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "35c8fdf881909fa28c92b1c2741ac60b", - "SHA1": 
"d942dac4033dcd681161181d50ce3661d1e12b96", - "SHA256": "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1", - "Authentihash": { - "MD5": "e56d6c4be652c01f178ecef18428f567", - "SHA1": "816088e3f2c6e3be17abe236bc905acc10733fda", - "SHA256": "11f0f2395b3e7a9849bf3f050bfda6b48ae2de856d8541a16b51d9097afb8306" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.2.4181.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.2.4181.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcsrchr", - "towlower", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "MmIsAddressValid", - "RtlAnsiStringToUnicodeString", - "strncmp", - "MmUnlockPages", - "MmUnmapLockedPages", - "IoFreeMdl", - "MmProbeAndLockPages", - "IoAllocateMdl", - "memcpy", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoDriverObjectType", - "_snwprintf", - "ZwClose", - "IoGetBaseFileSystemDeviceObject", - "ObReferenceObjectByHandle", - "ZwOpenFile", - "ExFreePoolWithTag", - "ZwReadFile", - "ExAllocatePoolWithTag", - "ZwSetInformationFile", - "ZwQueryInformationFile", - "PsLookupProcessByProcessId", - "KeSetEvent", - "KeResetEvent", - "ZwMapViewOfSection", - "ZwCreateSection", - "ZwUnmapViewOfSection", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeQueryActiveProcessors", - "_snprintf", - "memset", - "ZwQuerySystemInformation", - "ZwQueryInformationProcess", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsThreadType", - "PsLookupThreadByThreadId", - "KeUnstackDetachProcess", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeWaitForSingleObject", - "KeClearEvent", - "KeQuerySystemTime", - "ZwEnumerateKey", - "ZwOpenKey", - 
"IoFreeWorkItem", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "strchr", - "strrchr", - "strstr", - "PsGetCurrentProcessId", - "_alldiv", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "RtlVolumeDeviceToDosName", - "IoGetDeviceObjectPointer", - "wcsncpy", - "wcsncmp", - "IoGetDeviceInterfaces", - "_stricmp", - "strncpy", - "IoGetCurrentProcess", - "RtlInitString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "RtlConvertSidToUnicodeString", - "RtlEqualSid", - "SeExports", - "ZwQueryInformationToken", - "PsGetCurrentThreadId", - "ExEventObjectType", - "NtBuildNumber", - "IoFileObjectType", - "IoDeviceObjectType", - "PsSetLoadImageNotifyRoutine", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessWin32Process", - "ExAllocatePool", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "ObQueryNameString", - "_allmul", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "IofCompleteRequest", - "IoGetRequestorProcessId", - "IofCallDriver", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "PsGetVersion", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoCreateDevice", - "PsInitialSystemProcess", - "IoThreadToProcess", - "KeAttachProcess", - "MmMapLockedPages", - "ZwDeleteFile", - "MmUnmapIoSpace", - "MmMapIoSpace", - "PsProcessType", - "KeDetachProcess", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "KeBugCheckEx", - "RtlCompareUnicodeString", - "IoBuildSynchronousFsdRequest", - "ZwTerminateProcess", - "ZwOpenThread", - "IoFreeIrp", - "RtlEqualUnicodeString", - "IoAllocateIrp", - "ZwQueryDirectoryObject", - "ZwOpenDirectoryObject", - "KeBugCheck", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IoBuildDeviceIoControlRequest", - "KeTickCount", - "RtlUnwind", - "_strnicmp", - "_wcsnicmp", - "_wcsicmp", - "wcschr", - "KeDelayExecutionThread", - "MmMapLockedPagesSpecifyCache", - "KeGetCurrentThread", - "wcsstr", - 
"KeInitializeEvent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "IoIsWdmVersionAvailable", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "ExUnregisterCallback", - "ExCreateCallback", - "ExRegisterCallback", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeGetCurrentIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KfRaiseIrql" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "64a3846966f4f2a1ffd87657c43ac13664775a70d059fd4447ee6588de3e0bf2b1a228291c0a01222cab6b4bbbcaabb94662396476d5525c952e7fd0048588028be1ba1c55c1ac200b523e7234ded93661acf83becee39c27823e22ec23d4ff8266eea3241ed9fbfd6bba155c7c39ed31db5e810dd7ea0858b0a2e9b824f23b9002f04e35375d54e5237f575e221914fd6a11590fdac7bc2ee5d66eb08e3c560414f6144111bef12350d70d9bdc513fb8d2407de5f1c7cca824feb4fb2a51057c2609f8d6419078879d64840ed870385d645f08f022a306ba5309883eacf4967dbbeb36961c73f2ed047d6cf85d2c3ee86c9913e8374be078155a4ffa36d9fa8", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, 
- { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": 
"aswArPot.sys", - "MD5": "300d6ac47a146eb8eb159f51bc13f7cf", - "SHA1": "02316decf9e5165b431c599643f6856e86b95e7c", - "SHA256": "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad", - "Authentihash": { - "MD5": "dc4869ad1497f7bd21ae89c9ecbcefca", - "SHA1": "1b7496a00aa6fd9328b41bf48a692f2648f6a7fb", - "SHA256": "60f79c1b60a74b98b4f436d6bbbf5aeb9ce6febbe1443d318eea7581962b75a4" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.3.3848.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.3.3848.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - 
"ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - 
"RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "56220de8a9a65fffbff97ff463c4026ec9be68fe98bfa0b20a722df84322a44dbc98f25b87ee42da3a06a6cedef076de22e0d7e02d41201156875341cd24badedb8aa5afa133e9ed688fc45aeb37a74fbe399828143561fd717fa7bed97cb5d42643494462fef349f3300daff13660a9e50f85d1110de96d1300e0e730d2b6689fd53eb7a72f4f3112dffa2c1caf17cb64c22509d82b5ce1c2181c2faac22fce3981e683183d6da50d1c17dec375c370f5feb5abfbc6dca4cdd47a5b14375870de6dc346361d8997e79f19819f5168f9b01c9aacc210f2322248adc375a2782b64881c6a557677815c39b024555cc0adca920a617e0ecb385eb47213b1553c80", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "dcd966874b4c8c952662d2d16ddb4d7c", - "SHA1": "135b261eb03e830c57b1729e3a4653f9c27c7522", - "SHA256": "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c", - "Authentihash": { - "MD5": "31deadc1bcfdcac3b86e05ad2aa9eb1d", - "SHA1": "6a02a8de97682af43b1a5831c4b4991caf94094a", - "SHA256": "f2e97fb72237dbbd8981d13a056dd3544c41d802efd129e1ea7e3f655de661b8" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.2.3820.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.2.3820.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - 
"MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - 
"SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - 
"Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "991230087394738976dbd44f92516cae", - "SHA1": "e2f40590b404a24e775f781525d8ed01f1b1156d", - "SHA256": "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833", - "Authentihash": { - "MD5": "6a9312463a34c79194223951fc89b195", - "SHA1": "6439725334c47247763a76d4ba8ebab4c1caedfa", - "SHA256": "f8e307f2af1c1ae3d5ef6581e651823e3b6bfb9d7b565353cbd50e455c1dc9c8" - }, - "Description": "Avast Anti Rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "20.6.107.0", - "Product": "Avast Antivirus ", - 
"ProductVersion": "20.6.107.0", - "Copyright": "Copyright (c) 2020 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - "PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", 
- "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - "PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoThreadToProcess", - "PsInitialSystemProcess", - "IoCreateDevice", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - 
"RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": 
"259381daae0357fbfefe1d92188c496a", - "SHA1": "3f347117d21cd8229dd99fa03d6c92601067c604", - "SHA256": "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2", - "Authentihash": { - "MD5": "63451cd1b804978b26b8b04869749d76", - "SHA1": "2c96a59141c58c42a871671fd2c3dfac9bb43a37", - "SHA256": "72f100edc998bb2fc40a3a7e7d76c6c37f7173b812f5cd7ae62c824b3fc63d57" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.4.3891.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.4.3891.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - 
"KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - 
"SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 
00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "16472fca75ab4b5647c99de608949cde", - "SHA1": "24daa825adedcbbb1d098cbe9d68c40389901b64", - "SHA256": "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9", - "Authentihash": { - "MD5": "f778cb0515b1db1cb133286ed8e3f284", - "SHA1": "7ab72d197214b2792893a14b80ed6e5a546d0b9b", - "SHA256": "5eb493fc07a9573176f87297a002183d8e60104619a7b83940ce6e83ac54cd7b" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.6.3979.0", - "Product": "Avast Antivirus ", - "ProductVersion": "18.6.3979.0", - "Copyright": "Copyright (c) 2018 AVAST Software", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcsrchr", - "towlower", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "MmIsAddressValid", - "RtlAnsiStringToUnicodeString", - "strncmp", - "MmUnlockPages", - "MmUnmapLockedPages", - "IoFreeMdl", - "MmProbeAndLockPages", - "IoAllocateMdl", - "memcpy", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoDriverObjectType", - "_snwprintf", - "ZwClose", - "IoGetBaseFileSystemDeviceObject", - "ObReferenceObjectByHandle", - "ZwOpenFile", - "ExFreePoolWithTag", - "ZwReadFile", - "ExAllocatePoolWithTag", - "ZwSetInformationFile", - "ZwQueryInformationFile", - "PsLookupProcessByProcessId", - "KeSetEvent", - "KeResetEvent", - "ZwMapViewOfSection", - "ZwCreateSection", - "ZwUnmapViewOfSection", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - 
"KeQueryActiveProcessors", - "_snprintf", - "memset", - "ZwQuerySystemInformation", - "ZwQueryInformationProcess", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsThreadType", - "PsLookupThreadByThreadId", - "KeUnstackDetachProcess", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeWaitForSingleObject", - "KeClearEvent", - "KeQuerySystemTime", - "ZwEnumerateKey", - "ZwOpenKey", - "IoFreeWorkItem", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "strchr", - "strstr", - "PsGetCurrentProcessId", - "_alldiv", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "RtlVolumeDeviceToDosName", - "IoGetDeviceObjectPointer", - "wcsncpy", - "wcsncmp", - "IoGetDeviceInterfaces", - "wcschr", - "strncpy", - "IoGetCurrentProcess", - "RtlInitString", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "RtlConvertSidToUnicodeString", - "RtlEqualSid", - "SeExports", - "ZwQueryInformationToken", - "PsGetCurrentThreadId", - "ExEventObjectType", - "NtBuildNumber", - "IoFileObjectType", - "IoDeviceObjectType", - "PsSetLoadImageNotifyRoutine", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessWin32Process", - "strrchr", - "ExAllocatePool", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "ObQueryNameString", - "_allmul", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "IofCompleteRequest", - "IoGetRequestorProcessId", - "IofCallDriver", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "PsGetVersion", - "IoDetachDevice", - "IoAttachDeviceToDeviceStackSafe", - "IoCreateDevice", - "PsInitialSystemProcess", - "IoThreadToProcess", - "KeAttachProcess", - "MmMapLockedPages", - "ZwDeleteFile", - "PsProcessType", - "KeDetachProcess", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "KeBugCheckEx", - "RtlCompareUnicodeString", - "IoBuildSynchronousFsdRequest", - "ZwTerminateProcess", - "ZwOpenThread", - "IoFreeIrp", - "RtlEqualUnicodeString", - "IoAllocateIrp", - "ZwQueryDirectoryObject", - 
"ZwOpenDirectoryObject", - "KeBugCheck", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IoBuildDeviceIoControlRequest", - "KeTickCount", - "RtlUnwind", - "_stricmp", - "_strnicmp", - "_wcsicmp", - "_wcsnicmp", - "KeDelayExecutionThread", - "MmMapLockedPagesSpecifyCache", - "KeGetCurrentThread", - "wcsstr", - "KeInitializeEvent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "IoIsWdmVersionAvailable", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "ExUnregisterCallback", - "ExCreateCallback", - "ExRegisterCallback", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeGetCurrentIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KfRaiseIrql" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": 
"07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "0e207ef80361b3d047a2358d0e2206b4", - "SHA1": "9393698058ce1187eb87e8c148cfe4804761142d", - "SHA256": "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258", - "Authentihash": { - "MD5": "57dfa53fc7b8280adbe9a32a00241e17", - "SHA1": "20812c39a2bb52c80eec322d8fecbef4d8138a73", - "SHA256": "00716eab8a3277128fb5ea8b1ac863e4b81b40674f7c6eb0f201e96341fd87c9" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.7.4246.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.7.4246.0", - "Copyright": "Copyright (c) 2019 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - 
"ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsGetThreadId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "PsGetThreadProcess", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "PsGetProcessId", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - 
"ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": 
"07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "a4531040276080441974d9e00d8d4cfa", - "SHA1": "d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793", - "SHA256": "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6", - "Authentihash": { - "MD5": "2288e600dfcf6eb8f176f9c5df5e7fcf", - "SHA1": "2cc6204ab44715a8d7c5189c524d8213a917e00a", - "SHA256": "e27fa56ceff3fe7d5a723c5f4192ce6aa16994f88cf05935645f9e398292376a" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.4.4211.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "19.4.4211.0", - "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", 
- "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - 
"RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", - "ValidFrom": "2018-01-30 00:00:00", - "ValidTo": "2021-01-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code 
Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "7fbd3b4488a12eab56c54e7bb91516f3", - "SHA1": "61d44c9a1ef992bc29502f725d1672d551b9bc3f", - "SHA256": "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9", - "Authentihash": { - "MD5": "e9dca8f16d7d0074a212dd73f33f94f1", - "SHA1": "b844ef5bb029ccfd144dc6f3d705b7c3d0e6efdb", - "SHA256": "47f64d6753f40388382097351a26dad54b8fdf59529a24acc65e9ced440ee2c6" - }, - "Description": "AVG anti rootkit", - "Company": "AVG Technologies CZ, s.r.o.", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "18.2.3827.0", - "Product": "AVG Internet Security System ", - "ProductVersion": "18.2.3827.0", - "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", 
- "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", 
- "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "IoCreateDevice", - "PsProcessType", - "KeDetachProcess", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "IoBuildDeviceIoControlRequest", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec 
Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", - "ValidFrom": "2015-07-28 00:00:00", - "ValidTo": "2018-09-25 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, 
CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "aswArPot.sys", - "MD5": "65e6718a547495c692e090d7887d247b", - "SHA1": "51b9867c391be3ce56ba7e1c3cba8c76777245b2", - "SHA256": "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3", - "Authentihash": { - "MD5": "2be74c85587978badcc47079d1eb1c5b", - "SHA1": "eaaaeba2313000a501688f7b8416fec2b705ef7a", - "SHA256": "fca5f90ce2b210e6026cbf6f2c281fe17a08ddb2e936200847823ef83eaab1eb" - }, - "Description": "Avast anti rootkit", - "Company": "AVAST Software", - "InternalName": "aswArPot.sys", - "OriginalFilename": "aswArPot.sys", - "FileVersion": "19.2.4157.0", - "Product": "Avast Antivirus ", - "ProductVersion": "19.2.4157.0", - "Copyright": "Copyright (c) 2019 AVAST Software", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "wcschr", - "MmUnmapLockedPages", - "_stricmp", - "_wcsicmp", - "towlower", - "_strnicmp", - "ExAllocatePoolWithTag", - "PsGetProcessWin32Process", - "KeClearEvent", - "RtlVolumeDeviceToDosName", - "KeQueryActiveProcessors", - "RtlConvertSidToUnicodeString", - "IoBuildDeviceIoControlRequest", - "ExFreePoolWithTag", - "KeResetEvent", - "ExReleaseFastMutex", - "IoGetBaseFileSystemDeviceObject", - "strncmp", - "ZwOpenThreadTokenEx", - "RtlAnsiStringToUnicodeString", - "ExAcquireFastMutex", - "PsSetLoadImageNotifyRoutine", - "_snwprintf", - "NtBuildNumber", - "PsRemoveCreateThreadNotifyRoutine", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "_wcsnicmp", - "ZwReadFile", - "strstr", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeSetEvent", - "wcsncpy", - "RtlEqualSid", - "strchr", - "IoFreeWorkItem", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateThreadNotifyRoutine", - "RtlUnicodeStringToAnsiString", - "_snprintf", - "RtlGetVersion", - "ZwQuerySystemInformation", - "RtlInitString", - "KeReleaseSpinLock", - 
"PsSetCreateProcessNotifyRoutine", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ZwOpenProcessTokenEx", - "ZwSetInformationFile", - "tolower", - "KeDelayExecutionThread", - "ObQueryNameString", - "strncpy", - "IoFileObjectType", - "IoDriverObjectType", - "wcsrchr", - "wcsstr", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwUnmapViewOfSection", - "ExAllocatePool", - "PsTerminateSystemThread", - "IoGetCurrentProcess", - "ExEventObjectType", - "IoAllocateWorkItem", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "PsRemoveLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "MmProbeAndLockPages", - "PsGetVersion", - "KeRevertToUserAffinityThread", - "PsThreadType", - "IoGetDeviceInterfaces", - "ZwOpenProcess", - "SeExports", - "MmUnlockPages", - "strrchr", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeSetSystemAffinityThread", - "MmIsAddressValid", - "ObfDereferenceObject", - "ZwCreateSection", - "ObReferenceObjectByName", - "IoQueueWorkItem", - "IoDeviceObjectType", - "ZwOpenFile", - "wcsncmp", - "ZwQueryInformationToken", - "ZwQueryInformationFile", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupThreadByThreadId", - "ZwEnumerateKey", - "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "IoThreadToProcess", - "IoAttachDeviceToDeviceStackSafe", - "IoDetachDevice", - "PsInitialSystemProcess", - "IoCreateDevice", - "PsProcessType", - "MmUnmapIoSpace", - "KeDetachProcess", - "MmMapIoSpace", - "KeAttachProcess", - "ZwDeleteFile", - "IoBuildSynchronousFsdRequest", - "NtClose", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "ZwWriteFile", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "ZwOpenDirectoryObject", - "KeBugCheck", - "ZwQueryDirectoryObject", - "IoFreeIrp", 
- "IoAllocateIrp", - "KdDebuggerNotPresent", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeBugCheckEx", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExUnregisterCallback", - "ExRegisterCallback", - "ExCreateCallback", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", - "ValidFrom": "2016-09-06 00:00:00", - "ValidTo": "2019-10-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - } - ], - "Tags": [ - "aswArPot.sys" - ] - }, - { - "Id": "57fc510a-e649-4599-b83e-8f3605e3d1d9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create aswArPot.sys binPath=C:\\windows\\temp\\aswArPot.sys type=kernel && sc.exe start aswArPot.sys", - "Description": "Avast’s “Anti Rootkit” driver (also used by AVG) has been found to be vulnerable to two high 
severity attacks that could potentially lead to privilege escalation by running code in the kernel from a non-administrator user.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "CVE-2022-26522, CVE-2022-26523: Both of these vulnerabilities were fixed in version 22.1." - ], - "Acknowledgement": { - "Person": "", - "Handle": "@mattnotmax" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "aswArPot.sys", - "MD5": "a179c4093d05a3e1ee73f6ff07f994aa", - "SHA1": "5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4", - "SHA256": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1", - "Signature": [ - "Avast Software s.r.o.", - "DigiCert High Assurance Code Signing CA-1", - "DigiCert" - ], - "Date": "2021-02-01 14:09:00", - "Publisher": "", - "Company": "AVAST Software", - "Description": "Avast Anti Rootkit", - "Product": "Avast Antivirus ", - "ProductVersion": "21.1.187.0", - "FileVersion": "21.1.187.0", - "MachineType": "AMD64", - "OriginalFilename": "aswArPot.sys", - "Authentihash": { - "MD5": "66d55dcf5fe5e1b60f32880d48207105", - "SHA1": "b8b5e5951f1c4148537e9850f2b577a453e4c045", - "SHA256": "c0c131bc8d6c8b5a2be32474474b1221bce1289c174c87e743ed4a512f5571d4" - }, - "InternalName": "aswArPot", - "Copyright": "Copyright (c) 2021 AVAST Software", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "__C_specific_handler", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "MmIsAddressValid", - "MmUnlockPages", - "ExAllocatePool", - "RtlAnsiStringToUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "ZwQuerySystemInformation", - "PsRemoveLoadImageNotifyRoutine", - "ZwUnmapViewOfSection", - "ZwQuerySymbolicLinkObject", - "MmProbeAndLockPages", - "RtlVolumeDeviceToDosName", - 
"PsSetLoadImageNotifyRoutine", - "IoGetRequestorProcessId", - "ZwReadFile", - "ObQueryNameString", - "IoDetachDevice", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "towlower", - "NtBuildNumber", - "ExReleaseFastMutex", - "_wcsicmp", - "_snwprintf", - "RtlConvertSidToUnicodeString", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - "ZwQueryInformationProcess", - "IoAttachDeviceToDeviceStackSafe", - "PsGetProcessId", - "PsCreateSystemThread", - "ZwQueryInformationThread", - "RtlInitUnicodeString", - "ZwOpenSymbolicLinkObject", - "tolower", - "PsRemoveCreateThreadNotifyRoutine", - "IoDeleteDevice", - "IoBuildDeviceIoControlRequest", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetCurrentProcess", - "ObOpenObjectByPointer", - "strncpy", - "KeReleaseSpinLock", - "_strnicmp", - "IoFileObjectType", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsGetCurrentProcessId", - "KeSetEvent", - "PsThreadType", - "RtlUnicodeStringToAnsiString", - "ZwQueryInformationToken", - "ZwMapViewOfSection", - "strncmp", - "ObReferenceObjectByHandle", - "RtlGetVersion", - "PsGetThreadId", - "PsGetVersion", - "KeClearEvent", - "IoGetBaseFileSystemDeviceObject", - "wcschr", - "ZwSetInformationFile", - "ZwEnumerateKey", - "IoFreeMdl", - "wcsstr", - "ExAcquireFastMutex", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "_stricmp", - "ExAllocatePoolWithTag", - "RtlInitString", - "IoCreateDevice", - "IofCallDriver", - "IoDeviceObjectType", - "_snprintf", - "ExFreePoolWithTag", - "ZwOpenFile", - "KeSetSystemAffinityThread", - "strstr", - "KeInitializeEvent", - "ObReferenceObjectByName", - "strchr", - "_wcsnicmp", - "KeQueryActiveProcessors", - "RtlEqualSid", - "IoQueueWorkItem", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsSetCreateThreadNotifyRoutine", - "PsGetCurrentThreadId", - "IofCompleteRequest", - "PsGetProcessWin32Process", - "ExEventObjectType", - "ZwQueryInformationFile", - "KeWaitForSingleObject", - "IoCreateSymbolicLink", - 
"PsSetCreateProcessNotifyRoutine", - "IoDriverObjectType", - "PsLookupThreadByThreadId", - "IoGetDeviceInterfaces", - "ZwClose", - "PsTerminateSystemThread", - "wcsrchr", - "strrchr", - "SeExports", - "KeUnstackDetachProcess", - "KeResetEvent", - "KeRevertToUserAffinityThread", - "ZwOpenProcess", - "wcsncmp", - "ZwOpenKey", - "PsGetThreadProcess", - "IoThreadToProcess", - "PsInitialSystemProcess", - "KeInsertQueueDpc", - "KeNumberProcessors", - "KeInitializeDpc", - "KeSetTargetProcessorDpc", - "PsProcessType", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ZwDeleteFile", - "KeAttachProcess", - "KeDetachProcess", - "RtlCompareUnicodeString", - "ZwWriteFile", - "NtClose", - "ObfReferenceObject", - "IoBuildSynchronousFsdRequest", - "ZwOpenThread", - "ZwTerminateProcess", - "RtlEqualUnicodeString", - "IoFreeIrp", - "ZwQueryDirectoryObject", - "KeBugCheck", - "ZwOpenDirectoryObject", - "IoAllocateIrp", - "KdDebuggerNotPresent", - "ZwSetSecurityObject", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlQueryRegistryValues", - "RtlPrefixUnicodeString", - "ExRegisterCallback", - "ExCreateCallback", - "ExUnregisterCallback", - "strcmp" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": 
"481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", - "ValidFrom": "2019-12-02 00:00:00", - "ValidTo": "2022-10-19 12:00:00", - "Signature": "874d04f17ffc50e66100207e56ecc8ae7e81c1957a7600295ead9db28842c7c05e06e8e28ccfc1e9d45d7a55d6d4a2fb74d72600a79ef5bfa53acaa4f3a4fcaf90a2554fc37742dd44c83a90880f948f5538637c0d999b03ebbf20cc001293a5639d44ad950cacfce2a337f7a24b817a5b85df89f6acf49974adee1d867373e6534a3f3558e59f87d06afe5744ec575b66c76110a595471007b209c591984f0ff20ea4c87ac405c85f42f0b105b04ec2ced11ca9cfb6aef21a3c6ae9ccd2a9cb4a9f78244751b15bfccb32ec3a52d44258bad6fc6d9f24c24700e9e1c4c0c29b9db4683c526a92934d72367620c6a89119e7a678597d7603c62b1c22f54edfad", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, 
CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" - } - ] - } - ] - } - ], - "Tags": [ - "aswArPot.sys" - ] - }, - { - "Id": "ca1e8664-841f-4e4b-9e67-3f515cc249c6", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create ndislan.sys binPath=C:\\windows\\temp \\n \\n \\n dislan.sys type=kernel && sc.exe start ndislan.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "ndislan.sys", - "MD5": "47e6ac52431ca47da17248d80bf71389", - "SHA1": "d417c0be261b0c6f44afdec3d5432100e420c3ed", - "SHA256": "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427", - "Signature": "A required certificate is 
not within its validity period when verifying against the current system clock or the timestamp in the signed file.", - "Date": "4:49 PM 10/12/2012", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", - "Company": "Microsoft Corporation", - "Description": "MS LAN Driver", - "Product": "Microsoft® Windows® Operating System", - "ProductVersion": "6.1.7600.1421", - "FileVersion": "6.1.7600.1421", - "MachineType": "AMD64", - "OriginalFilename": "ndislan.sys", - "Authentihash": { - "MD5": "8bddebd3670d9f154318afd62195a2b8", - "SHA1": "7f57424f2ce7186e3a1951f3710f28d7ce9c8a96", - "SHA256": "9345c3af554c06aa949492f1642a7a03404956d2952cca8a68658b62dccb0825" - }, - "InternalName": "ndislan.sys", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapLockedPages", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "IoFreeMdl", - "strncpy", - "MmMapLockedPagesSpecifyCache", - "ZwQueryValueKey", - "ZwFreeVirtualMemory", - "IofCompleteRequest", - "RtlFreeAnsiString", - "MmProbeAndLockPages", - "MmUnlockPages", - "strrchr", - "IoAllocateMdl", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "RtlAnsiStringToUnicodeString", - "_stricmp", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "NtQuerySystemInformation", - "MmGetSystemRoutineAddress", - "RtlImageDirectoryEntryToData", - "ObMakeTemporaryObject", - "RtlInitAnsiString", - "RtlFreeUnicodeString", - "IoDriverObjectType", - "ObfDereferenceObject", - "IoCreateDriver", - "ObReferenceObjectByName", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "ndislan.sys" - ] - }, - { - "Id": "404f6db5-6be8-44a9-9898-badd56f96721", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create c.sys binPath=C:\\windows\\temp\\c.sys type=kernel && sc.exe start c.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], 
- "KnownVulnerableSamples": [ - { - "Filename": "c.sys", - "SHA256": "cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "c.sys" - ] - }, - { - "Id": "47a351ee-8abe-40d8-bc2b-557390fa0945", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create Lv561av.sys binPath=C:\\windows\\temp\\Lv561av.sys type=kernel && sc.exe start Lv561av.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Lv561av.sys", - "MD5": "b47dee29b5e6e1939567a926c7a3e6a4", - "SHA1": "351cbd352b3ec0d5f4f58c84af732a0bf41b4463", - "SHA256": "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4", - "Signature": [ - "Logitech Inc", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "Logitech Inc.", - "Description": "Logitech Video Driver", - "Product": "Logitech Webcam Software", - "ProductVersion": "12.00.1278.0", - "FileVersion": "12.00.1278.0", - "MachineType": "AMD64", - "OriginalFilename": "Lv561av.sys", - "Authentihash": { - "MD5": "92a9fa0ebbb45b600397611e247710b1", - "SHA1": "ed3e97c7290768216c5b3abbd4a29dde856eb3c7", - "SHA256": 
"c54ffa9a32cd99972ca905dcf99e20f8429e3cfd45bc1ddf4f9af8b3ed688c88" - }, - "InternalName": "Lv561av.sys", - "Copyright": "(c) 1996-2009 Logitech. All rights reserved.", - "Imports": [ - "NTOSKRNL.exe", - "ntoskrnl.exe", - "HAL.DLL", - "USBD.SYS", - "ks.sys" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeWaitForSingleObject", - "IoBuildSynchronousFsdRequest", - "ZwWriteFile", - "ExFreePool", - "RtlQueryRegistryValues", - "RtlInitAnsiString", - "RtlCompareMemory", - "ExAllocatePoolWithTag", - "KeReleaseMutex", - "ZwClose", - "KeDelayExecutionThread", - "DbgPrint", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "ZwCreateFile", - "KeSetPriorityThread", - "ObReferenceObjectByHandle", - "RtlInitUnicodeString", - "PsCreateSystemThread", - "KeSetEvent", - "KeResetEvent", - "RtlWriteRegistryValue", - "KeInitializeMutex", - "swprintf", - "RtlAnsiStringToUnicodeString", - "KeInitializeEvent", - "sprintf", - "PsTerminateSystemThread", - "IoIsWdmVersionAvailable", - "RtlUnicodeStringToInteger", - "IoOpenDeviceRegistryKey", - "ZwQueryValueKey", - "ExDeleteNPagedLookasideList", - "KeAcquireSpinLockRaiseToDpc", - "vsprintf", - "ExInitializeNPagedLookasideList", - "ExpInterlockedPushEntrySList", - "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "ExDeletePagedLookasideList", - "DbgBreakPoint", - "ExQueryDepthSList", - "ExInitializePagedLookasideList", - "ZwOpenKey", - "ZwCreateKey", - "ZwSetValueKey", - "KeBugCheckEx", - "ExAllocatePool", - "IoAllocateWorkItem", - "IoQueueWorkItem", - "IoFreeWorkItem", - "IoAllocateDriverObjectExtension", - "IoGetDriverObjectExtension", - "ExInterlockedInsertTailList", - "ExInterlockedRemoveHeadList", - "IoAllocateIrp", - "IoReleaseRemoveLockEx", - "IoInitializeRemoveLockEx", - "KeInitializeTimerEx", - "KeInitializeDpc", - "KeCancelTimer", - "IoAcquireRemoveLockEx", - "IoReleaseRemoveLockAndWaitEx", - "KeSetTimerEx", - "IoFreeIrp", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - 
"IoGetAttachedDeviceReference", - "KeInitializeSemaphore", - "IoCancelIrp", - "KeReleaseSemaphore", - "KeSetTimer", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "IofCompleteRequest", - "IoInitializeIrp", - "IofCallDriver", - "ExInterlockedInsertHeadList", - "_snwprintf", - "IoCreateSynchronizationEvent", - "ObReferenceObjectByPointer", - "ExEventObjectType", - "KeClearEvent", - "RtlGUIDFromString", - "IoBuildDeviceIoControlRequest", - "IoGetDeviceInterfaces", - "wcsrchr", - "RtlCompareUnicodeString", - "IoGetDeviceObjectPointer", - "PoRequestPowerIrp", - "KeWaitForMultipleObjects", - "__C_specific_handler", - "PsGetCurrentProcessId", - "KeQueryPerformanceCounter", - "USBD_ParseConfigurationDescriptorEx", - "USBD_CreateConfigurationRequestEx", - "KsGenerateEvents", - "KsGetNextSibling", - "KsGetFirstChild", - "KsInitializeDriver", - "KsGetDeviceForDeviceObject", - "KsGetPinFromIrp", - "KsGetObjectFromFileObject", - "KsCreateFilterFactory", - "KsRemoveItemFromObjectBag", - "_KsEdit", - "KsGetFilterFromIrp", - "KsAddItemToObjectBag", - "KsGetDevice", - "KsStreamPointerSetStatusCode", - "KsPinGetReferenceClockInterface", - "KsPinAttemptProcessing", - "KsPinGetLeadingEdgeStreamPointer", - "KsStreamPointerGetIrp", - "KsStreamPointerClone", - "KsStreamPointerUnlock", - "KsStreamPointerDelete", - "KsStreamPointerAdvance", - "KsDefaultAddEventHandler" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Fremont, O=Logitech Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Corp Signing Cert, CN=Logitech Inc", - "ValidFrom": "2008-10-16 00:00:00", - "ValidTo": "2009-10-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0d843ade545afbd252e70cc6e845b7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } - ], - "Tags": [ - "Lv561av.sys" - ] - }, - { - "Id": "c1ece07b-e92a-4050-95ee-90e03aa82120", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create NetProxyDriver.sys binPath=C:\\windows\\temp\\NetProxyDriver.sys type=kernel type=kernel && sc.exe start NetProxyDriver.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "NetProxyDriver.sys", - "SHA256": "8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "NetProxyDriver.sys" - ] - }, - { - "Id": "6d4b0025-7910-483a-ba73-03970995edc3", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create amifldrv64.sys binPath=C:\\windows\\temp\\amifldrv64.sys type=kernel && sc.exe start amifldrv64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "amifldrv64.sys", - "MD5": "6ab7b8ef0c44e7d2d5909fdb58d37fa5", - "SHA1": "bb962c9a8dda93e94fef504c4159de881e4706fe", - "SHA256": 
"42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00", - "Signature": [ - "American Megatrends, Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "\"American Megatrends, Inc.\"", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "fc9e48051c2b957ed1cc7b69a29a66c8", - "SHA1": "716bce2ce697883eba0c051ed487de6304d73cd3", - "SHA256": "d7841ee6dac956cc0923368d6722063a19c9fa131e55c6f3b7484cce78d826f0" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmMapLockedPages", - "MmMapLockedPagesSpecifyCache", - "PsGetVersion", - "MmUnmapIoSpace", - "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmBuildMdlForNonPagedPool", - "MmMapIoSpace", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping 
Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2012-06-26 00:00:00", - "ValidTo": "2015-06-26 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "5ba2905d11f5cfbbc53ab21bfd39defe", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "amifldrv64.sys" - ] - }, - { - "Id": "be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create PhlashNT.sys binPath=C:\\windows\\temp\\PhlashNT.sys type=kernel && sc.exe start PhlashNT.sys", - 
"Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "PhlashNT.sys", - "MD5": "e9e786bdba458b8b4f9e93d034f73d00", - "SHA1": "c6d349823bbb1f5b44bae91357895dba653c5861", - "SHA256": "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890", - "Signature": [ - "Phoenix Technology Ltd.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "Phoenix Technologies, Ltd.", - "Description": "SWinFlash Driver for Windows NT", - "Product": "WinPhlash", - "ProductVersion": "1.6.1.0", - "FileVersion": "1.6.1.0", - "MachineType": "AMD64", - "OriginalFilename": "PHLASHNT.SYS", - "Authentihash": { - "MD5": "5cf72ecb15ffea87586783893b02c43d", - "SHA1": "ef2d7210b761f158a0832083a8407b3ec2f99db9", - "SHA256": "cde02c7db90626bcfbfbbc1315d4ce18d4f15667fa57c16b9ac2b060507c62ad" - }, - "InternalName": "PHLASHNT", - "Copyright": "(c) Phoenix Technologies, Ltd. 
2000-2003", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteDevice", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "MmMapLockedPages", - "RtlAssert", - "DbgPrint", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", - "ValidFrom": "2008-11-14 00:00:00", - "ValidTo": "2009-11-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "55272d7780471b989f3def09bb221c53", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } - ], - "Tags": [ - "PhlashNT.sys" - ] - }, - { - "Id": "4137ecf0-05e7-463a-94da-47b7259d4433", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create 81.sys binPath=C:\\windows\\temp\\81.sys type=kernel && sc.exe start 81.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "81.sys", - "SHA1": "faa870b0cb15c9ac2b9bba5d0470bd501ccd4326", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "81.sys", - "SHA1": "aca8e53483b40a06dfdee81bb364b1622f9156fe", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "81.sys", - "SHA1": "05ac1c64ca16ab0517fe85d4499d08199e63df26", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "81.sys" - ] - }, - { - "Id": "d1441172-cc15-4a96-b782-f440bfb681e1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create b4.sys binPath=C:\\windows\\temp\\b4.sys type=kernel && sc.exe start b4.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - 
"KnownVulnerableSamples": [ - { - "Filename": "b4.sys", - "SHA256": "dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "b4.sys" - ] - }, - { - "Id": "670dc258-78b5-4552-a16b-b41917c86f8d", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create driver7-x86.sys binPath=C:\\windows\\temp\\driver7-x86.sys type=kernel && sc.exe start driver7-x86.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "driver7-x86.sys", - "MD5": "1f950cfd5ed8dd9de3de004f5416fe20", - "SHA1": "00b4e8b7644d1bf93f5ddb5740b444b445e81b02", - "SHA256": "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "ASUStek", - "Description": "The driver for the ECtool driver-based tools", - "Product": "EC tool", - "ProductVersion": "2.5", - "FileVersion": "2.5.0.2", - "MachineType": "I386", - "OriginalFilename": "Driver7", - "Authentihash": { - "MD5": "c5d6296b11390f68dc48dcec40990676", - "SHA1": "7a3c1908302851a032d45a73e67c4a3e699807a5", - "SHA256": "c67c6f1e03a466dc660bcad6051fc38eb6e9004a4e252abe52c6155f5768ad90" - }, - "InternalName": "Driver7.sys", - "Copyright": "Copyright ", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - 
"ImportedFunctions": [ - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "ExAllocatePoolWithTag", - "memcpy", - "memset", - "ObfDereferenceObject", - "IoWMIQueryAllData", - "DbgPrint", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "ZwUnmapViewOfSection", - "RtlInitUnicodeString", - "ZwOpenSection", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "ZwClose", - "IoWMIOpenBlock", - "IofCompleteRequest", - "WRITE_PORT_ULONG", - "READ_PORT_USHORT", - "WRITE_PORT_USHORT", - "HalTranslateBusAddress", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_ULONG" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - 
}, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, 
OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "driver7-x86.sys" - ] - }, - { - "Id": "1ff757df-9a40-4f78-a28a-64830440abf7", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create winio64.sys binPath=C:\\windows\\temp\\winio64.sys type=kernel && sc.exe start winio64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "winio64.sys", - "MD5": "8fc6cafd4e63a3271edf6a1897a892ae", - "SHA1": "f8d7369527cc6976283cc73cd761f93bd1cec49d", - "SHA256": "15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9", - "Authentihash": { - "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", - "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", - "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" - }, - "Description": "", - "Company": "", - "InternalName": "", - 
"OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ObReferenceObjectByHandle", - "ZwUnmapViewOfSection", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "RtlCopyUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", - "ValidFrom": "2011-04-15 20:13:19", - "ValidTo": "2021-04-15 20:23:19", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 
3 Primary Intermediate Object CA", - "ValidFrom": "2007-10-24 22:03:55", - "ValidTo": "2017-10-24 22:03:55", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", - "ValidFrom": "2014-07-24 18:00:20", - "ValidTo": "2017-07-24 09:00:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0f69", - "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" - } - ] - } - ] - }, - { - "FileName": "WinIo64.sys", - "MD5": "7c0b186d1912686cfcb8cd9cdebabe58", - "SHA1": "6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92", - "SHA256": "dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef", - "Authentihash": { - "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", - "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", - "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ObReferenceObjectByHandle", - "ZwUnmapViewOfSection", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "RtlCopyUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - 
"CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", - "ValidFrom": "2011-04-15 20:13:19", - "ValidTo": "2021-04-15 20:23:19", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA", - "ValidFrom": "2007-10-24 22:03:55", - "ValidTo": "2017-10-24 22:03:55", - "Signature": 
"b8eba5382cab9038cfbe906919952f964e48103545b043712eb90e670f618458ed651ae0d8515c96c4df69cafb62bf35ea4a6923f2f67f60db652925e8ba5ef9485920745c9998fa7ed74eaf43963b88880e81f1d0a6a9af1df5e73e045be8927b624a531d3b7aaf94a20502da0fada1a732166a1d5d88f1ddc5da7e91b00a53124ddbefcdea9f48dfbfb27c0192f9816379a06f0e97d99044a550b8874b5cd89ca27aad4b91f31174e6a82342d4265ca83d85a035ec5308ddb62d1c21c8484ac4c83ab06e2f43e6df64097586fe0e68d26354a066e49eefdb5c74a0a8dc40e97b67d63b3ed286d31621d1e13252a3e6c2e1637e74431abeec29ae56e11811fa650b37340eb44799f86fb4994ed235b04764b5fee9afb69a23c282c838b6d4a42e3421ce03ef4c3841502f0dad40c82827e9eb7c2bd1704e2c8818c87c3f24505dcb5354679fd7a109980b0b8b2169ba72a6127bb05a0e697cc706ba2c7a950f079463235657a5382a63c4206a9e84438fdad8d03fd07d9592132916c0d868cae5fe7598b6f410e17c309eb990292035e31c56b30afd86717cfbbc0b2e8c94e35469c4784d1e0af80f33b9e256d789841c9cdf6fc50b8f998351066b441d6f30bcbef93a190bccfae6bc223f3d5475b80a647f7f65bba29049c3f227f7bbb97eb7688782cd43ec6cacab29c7d040e2bb3a0218315077ae33b1a9a8c62d4570ff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", - "ValidFrom": "2014-07-24 18:00:20", - "ValidTo": "2017-07-24 09:00:56", - "Signature": "b4fea6e9fcf641e617b115ceca7bf10bbdcce8ed5a6644fe006af7a42a7e67ce269bef720dc937e258a7df51c342f9b00a5202ee5d651f76a3d1a7729cacb3db6a811d17df6042f447a26544de87b59d9d241a7446af330bd89fae3f9a07f8ea86ae276fb5f0c325ac0b7ba62c7e58a551e319daf55bfb4a1cde484b9519fb07f7f4801afe43ed99b6275cc66d36c23d0b1aebf05bebd79a1f16f7084c5bc1b2d935e6868ed0e1ca7100a6ef14af0194439e0e33de20ab71e5fe453c632c6686dbc5ecb969619e8519fd5f79da2ddf35936daa73c0c6216661e290de4d6473b3a1a964917567692568e8365de7ed1e4801749a004b915e58755de83a0e23f2e3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0f69", - "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital 
Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" - } - ] - } - ] - } - ], - "Tags": [ - "winio64.sys" - ] - }, - { - "Id": "7f645b95-4374-47ae-be1a-e4415308b550", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create WCPU.sys binPath=C:\\windows\\temp\\WCPU.sys type=kernel && sc.exe start WCPU.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WCPU.sys", - "MD5": "c1d063c9422a19944cdaa6714623f2ec", - "SHA1": "f36a47edfacd85e0c6d4d22133dd386aee4eec15", - "SHA256": "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "Windows (R) Codename Longhorn DDK provider", - "Description": "ASUS TDE CPU Driver", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "CPU Driver", - "Authentihash": { - "MD5": "1a77777592eb402fe56bcb43d618d02e", - "SHA1": "81e3e81048e0f323eee8d04aa9b291d77caa21e0", - "SHA256": "54bc506b2f0cf66d12d4a2415ab743c2b2a1f3079089e3e0c0c1f3f49dd7335e" - }, - "InternalName": "CPU Driver", - "Copyright": "Copyright by ASUSTek COMPUTER INC. 
2006", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwUnmapViewOfSection", - "ZwClose", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", "IofCompleteRequest", - "ObReferenceObjectByHandle", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoDeleteDevice", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "KeBugCheckEx", "IoCreateDevice", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -16145,10 +1139,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -16159,379 +1153,234 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2007-07-03 00:00:00", - "ValidTo": "2008-07-26 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } - ], - "Tags": [ - "WCPU.sys" - ] - }, - { - "Id": "868c6920-f6cb-4088-8277-095a1358abe1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create GLCKIO2.sys binPath=C:\\windows\\temp\\GLCKIO2.sys type=kernel && sc.exe start GLCKIO2.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "GLCKIO2.sys", - "MD5": "e700a820f117f65e813b216fccbf78c9", - "SHA1": "2dfcb799b3c42ecb0472e27c19b24ac7532775ce", - "SHA256": "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25", - "Signature": [ - "ASUSTeK Computer Inc.", - "DigiCert SHA2 High Assurance Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": 
"505c5b85b442f9159ba715d4867f9ac4", - "SHA1": "83644f9ece6d6ef3517e1829595c52380922ed35", - "SHA256": "25a0854ef48a4dfbc7f04e94d2b11757e3613b241d39d46a19cb389ce42887e4" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "MmGetSystemRoutineAddress", - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "KeBugCheckEx", - "ObReferenceObjectByHandle", - "RtlInitUnicodeString", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2015-07-27 00:00:00", - "ValidTo": "2018-08-01 12:00:00", - "Signature": "2948e468e6568d1fedd506d0da7e29571b2a943cf7e9c221d7724383882eec14c491862ca1e2e56951e303305332234a0434b832e00953a239ab49df85d1fb32325a6a9a8ba53493c9d0c161cad6557aec67738ee61cbfdd01646b97c7f4a8c3f96bb76573bbec2ca86ed604cd9b6c373bf494c2b4841b2d1816b944813f3345f551bd6b22b37be6e0eb71ccfde21911624acb7d8675be96c911a67839285c5f72b991ff235d0fa7361b01ce420eed7425d7b98941b7ab278bd02e8e75f5695560c278ce556ce884921f15fb5688fca91ba4fff3bda818689671e834e37e4d4e1802e7d7e0692087fba38845fb672d5091e8e3c8af16accf318e000a89b53fe5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": 
"2028-10-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "081666295845159f57ae88f441bf237e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "GLCKIO2.sys", - "MD5": "d253c19194a18030296ae62a10821640", - "SHA1": "cc51be79ae56bc97211f6b73cc905c3492da8f9d", - "SHA256": "61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0", - "Signature": [ - "ASUSTeK Computer Inc.", - "DigiCert SHA2 High Assurance Code 
Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RwDrv.sys", + "MD5": "c2585e2696e21e25c05122e37e75a947", + "SHA1": "f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8", + "SHA256": "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf", "Authentihash": { - "MD5": "86b5239d6b6fe0d6fad286f809d7571a", - "SHA1": "d99b80b3269d735cac43af5e43483e64ca7961c3", - "SHA256": "47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220" + "MD5": "0496b6428ce874959af5387ce44b4eaf", + "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848", + "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d" }, - "InternalName": "", - "Copyright": "", + "Description": "RwDrv Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RwDrv Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2011 RW-Everything", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "IoRegisterPlugPlayNotification", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoFreeWorkItem", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "KeReleaseSpinLock", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoGetDeviceObjectPointer", + "IoBuildAsynchronousFsdRequest", + "ExInterlockedInsertTailList", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "IoUnregisterPlugPlayNotification", "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - 
"MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", + "IoCreateDevice", + "IoQueueWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoAllocateWorkItem", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2015-07-27 00:00:00", - "ValidTo": "2018-08-01 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "CN=ccf(TestCo)", + "ValidFrom": "2022-11-26 13:56:19", + "ValidTo": "2039-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.3.14.3.2.29" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", + "ValidFrom": "2022-08-01 00:00:00", + "ValidTo": "2031-11-09 23:59:59", + "Signature": 
"70a0bf435c55e7385fa0a3741b3db616d7f7bf5707bd9aaca1872cec855ea91abb22f8871a695422eda488776dbd1a14f4134a7a2f2db738eff4ff80b9f8a1f7f272de24bc5203c84ed02adefa2d56cff9f4f7ac307a9a8bb25ed4cfd143449b4321eb9672a148b499cb9d4fa7060313772744d4e77fe859a8f0bf2f0ba6e9f2343cecf703c787a8d24c401935466a6954b0b8a1568eeca4d53de8b1dcfd1cd8f4775a5c548c6fefa1503dfc760968849f6fcadb208d35601c0203cb20b0ac58a00e4063c59822c1b259f5556bcf27ab6c76ce6f232df47e716a236b22ff12b8542d277ed83ad9f0b68796fd5bd15cac18c34d9f73b701a99f57aa5e28e2b994", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", + "ValidFrom": "2022-03-23 00:00:00", + "ValidTo": "2037-03-22 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2", + "ValidFrom": "2022-09-21 00:00:00", + "ValidTo": "2033-11-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": 
"081666295845159f57ae88f441bf237e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + "SerialNumber": "7030126691c282b942598e0cdadcf4bc", + "Issuer": "CN=ccf(TestCo)" } ] } ] - } - ], - "Tags": [ - "GLCKIO2.sys" - ] - }, - { - "Id": "999a11ae-ec2b-4863-baa4-1384ec2b7339", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create NalDrv.sys binPath=C:\\windows\\temp\\NalDrv.sys type=kernel && sc.exe start NalDrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", - "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "NalDrv.sys", - "MD5": "1898ceda3247213c084f43637ef163b3", - "SHA1": "d04e5db5b6c848a29732bfd52029001f23c3da75", - "SHA256": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b", - "Signature": [ - "Intel Corporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Intel Corporation ", - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.7", - "FileVersion": "1.03.0.7 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "iQVW64.SYS", + "FileName": "RwDrv.sys", + "MD5": "7437d4070b5c018e05354c179f1d5e2a", + "SHA1": "03a56369b8b143049a6ec9f6cc4ef91ac2775863", + "SHA256": "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de", "Authentihash": { - "MD5": "1789a16d20ca2b55f491ad71848166a2", - "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7", - "SHA256": 
"785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087" + "MD5": "7fd75a9a4906445cc73a0a402bae506a", + "SHA1": "cd111bf04815d4d1040a2813efb2d15ccfbd9b74", + "SHA256": "a97e5c6cd926fa47ab1a69963169223cc669bd654a2f128165ba4ebe1d08bd17" }, - "InternalName": "iQVW64.SYS", - "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.", + "Description": "RW-Everything Read & Write Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2008 RW-Everything", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "IoRegisterPlugPlayNotification", + "MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "IoDeleteDevice", + "IoFreeWorkItem", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", + "RtlQueryRegistryValues", + "KeReleaseSpinLock", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", - "IoDeleteSymbolicLink", + "IoBuildAsynchronousFsdRequest", + "ExInterlockedInsertTailList", + "IoBuildDeviceIoControlRequest", "MmMapIoSpace", - 
"IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "IoUnregisterPlugPlayNotification", + "IofCompleteRequest", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", + "IoCreateSymbolicLink", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "IoCreateDevice", + "IoQueueWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", + "IoAllocateWorkItem", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - 
"ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2012-05-17 00:00:00", - "ValidTo": "2015-05-30 23:59:59", - "Signature": "285fe626bdcc91182509755ed38bee901a395d2f11b14eb7857cb9b3624afadee423a07cca07804cd51a299716b3bd127c84e6d827dd786b29964aee3b6dd0193d366813ff62ab31f61e2c37bda7a2cd4c19a877cd410dcd066acefa7013e47436b8b4270238dbf631a4907c380f2397eda3a013d8d3d006a15b581edf946d7cc16896d2af8e79981802555b12bb1b177f7e9a85c0c92b8af3d423ecbd858a1aa0d8face738f4f4934b2a0f9654db4cc1e388afad699371e83992bd317de8ae0dce9df2f6de60191af4462eca8a2ba30e8b203b68bff09f4753cfbedbf41a64f1e0cc999f90c83dc3062dd62dd46773f8e93d1051f19a29a97377c1d0bee7f39", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
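Review bot: `CertificatesInfo` changes type in this hunk from the empty string `""` to an empty array `[]` (the same change recurs in the following hunks), and the new `RwDrv.sys` records no longer carry the `Signature`, `Date` and `Publisher` keys that the removed records had, so the value shape of a record is no longer uniform. A consumer that unmarshals `CertificatesInfo` into a string field will reject the refreshed file, and code that reads `Signature` now sees it absent for these records; the consuming Go struct is not part of this diff, so confirm it tolerates both shapes or normalise them on ingest. The new records also spell the key `FileName` while the removed side used `Filename` in some records and `FileName` in others; if any remaining record keeps the old spelling, a case-sensitive parser would miss it (Go's encoding/json matches field names case-insensitively, so that one may be benign). Since a JSON data file has no place for a comment, the shape contract belongs in the consuming package's documentation, e.g. `// CertificatesInfo is "" in older records and [] in newer ones; Signature, Date and Publisher may be absent`.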
@@ -16544,163 +1393,74 @@ ], "Signer": [ { - "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "NalDrv.sys" - ] - }, - { - "Id": "d74fdf19-b4b0-4ec2-9c29-4213b064138b", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-11", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create irec binPath=C:\\windows\\temp\\irec.sys type=kernel && sc.exe start irec.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "https://github.com/alfarom256/HPHardwareDiagnostics-PoC" - ], - "Acknowledgement": { - "Person": "Michael Alfaro", - "Handle": "@_mmpte_software" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "irec.sys", - "MD5": "f1a203406a680cc7e4017844b129dcbf", - "SHA1": "d2fb46277c36498e87d0f47415b7980440d40e3d", - "SHA256": "dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094", + "FileName": "RwDrv.sys", + "MD5": "903c149851e9929ec45daefc544fcd99", + "SHA1": "1901467b6f04a93b35d3ca0727c8a14f3ce3ed52", + "SHA256": "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a", "Authentihash": { - "MD5": "3a6ceda4dfa265ed536cbabe0f1d4466", - "SHA1": "719f659300ba463efeeab5916f0378c64fc1ad4a", - "SHA256": "457e2eb5ee1def0e336463b7f62dcc02fdde307b817cf750907a5f5465c4dcb7" + "MD5": "0496b6428ce874959af5387ce44b4eaf", + "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848", + "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "RwDrv 
Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RwDrv Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2011 RW-Everything", "MachineType": "AMD64", "Imports": [ - "FLTMGR.SYS", - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "FltRegisterFilter", - "FltUnregisterFilter", - "FltStartFiltering", - "FltGetFileNameInformation", - "FltReleaseFileNameInformation", - "FltParseFileNameInformation", - "FltAttachVolume", - "FltAllocateContext", - "FltSetInstanceContext", - "FltDeleteInstanceContext", - "FltGetInstanceContext", - "FltReleaseContext", - "FltEnumerateVolumes", - "FltObjectDereference", - "FltCloseCommunicationPort", - "FltGetRequestorProcessId", - "DbgPrint", - "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", + "IoRegisterPlugPlayNotification", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoFreeWorkItem", "KeInitializeEvent", - "KeWaitForSingleObject", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IoFreeIrp", + "RtlQueryRegistryValues", + "KeReleaseSpinLock", + "MmUnmapIoSpace", "IoFreeMdl", + "MmGetPhysicalAddress", "IoGetDeviceObjectPointer", - "ObfReferenceObject", - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoGetDeviceAttachmentBaseRef", - "IoGetStackLimits", - "FsRtlIsNameInExpression", - "strncpy", - "wcsncpy", - "wcsstr", - "RtlInitUnicodeString", - "RtlGetVersion", - "MmGetSystemRoutineAddress", - "MmIsDriverVerifying", + "IoBuildAsynchronousFsdRequest", + "ExInterlockedInsertTailList", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "IoUnregisterPlugPlayNotification", 
"IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "ObCloseHandle", - "PsGetCurrentProcessId", - "IoCreateFileSpecifyDeviceObjectHint", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "IoFileObjectType", - "PsProcessType", - "MmHighestUserAddress", - "RtlInt64ToUnicodeString", - "RtlCompareUnicodeString", - "RtlAppendUnicodeStringToString", - "ObQueryNameString", - "ZwQueryObject", - "ZwOpenDirectoryObject", - "_vsnwprintf", - "ObOpenObjectByName", - "ZwQueryDirectoryObject", - "ZwQueryInformationProcess", - "ZwQueryInformationThread", - "IoDriverObjectType", - "_stricmp", - "RtlFreeUnicodeString", - "KeInitializeMutex", - "ExSystemTimeToLocalTime", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessCreateTimeQuadPart", - "ZwOpenProcess", - "RtlConvertSidToUnicodeString", - "PsReferencePrimaryToken", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ZwQueryInformationToken", - "PsGetProcessImageFileName", - "PsGetProcessSectionBaseAddress", - "ZwQuerySystemInformation", - "PsGetProcessId", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalMemoryRanges", - "__C_specific_handler", - "KeDelayExecutionThread", - "ProbeForRead", - "KeBugCheckEx" + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "IoCreateDevice", + "IoQueueWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", + "IoAllocateWorkItem", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { 
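Review bot: The `RwDrv.sys` record opened in this hunk (MD5 `903c149851e9929ec45daefc544fcd99`) has a different file hash from the `RwDrv.sys` record in the previous hunk but the same `Authentihash` (`d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d`), and a further record later in the diff repeats it: this is one driver image re-signed under different certificates, here with a self-issued signer such as `CN=ccf(TestCo)` using the legacy sha1WithRSA OID `1.3.14.3.2.29`. A scanner keyed only on `MD5`/`SHA1`/`SHA256` needs a separate record for every re-signed copy, whereas the Authentihash (the PE hash that excludes the signature) identifies all of them at once, so if the consumer matches on file hashes alone it is worth adding Authentihash to the lookup. The certificate subjects also show that a signature being present says nothing about legitimacy for these samples. This record's `Signatures` array continues in the next hunk.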
@@ -16708,261 +1468,108 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:25:28", - "ValidTo": "2021-12-02 22:25:28", - "Signature": "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", + "Subject": "CN=lab,z.com", + "ValidFrom": "2022-07-26 05:54:45", + "ValidTo": "2039-12-31 23:59:59", + "Signature": "3509d504605054d964ca214b28b1926809a3009a7852971a2b9e44a225131f0f772bdd65194ba25e929c2892fbcd99e37100985452a2f5a079b2e356731faf0d2f32dc47c09415c07d529d4f0383a52904b1f2d19ccbf17b5c99829593ff626607b95465f79d0e07bca1164d482e2e9b7f7bc03678804f6179453076e1de7e2a144438534dbe9a91f62d46d6fd3bf6971dfafa79c2c69bf330ba5ff3011f45bff7b21f1ebe80cf9a48f8c1381cf4199dd580a4a55c2f9166a3c7e0ac5f7f942183339ea90fdcfe92f41cb7a26aba213b769f439bb8e6f16862cc65661f92b1c272834ec4da1a39100f238079c5de28067ebbcff9445262e4ba04106ad75facde", + "SignatureAlgorithmOID": "1.3.14.3.2.29" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", + "ValidFrom": "2022-06-09 00:00:00", + "ValidTo": "2031-11-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", + "ValidFrom": "2022-03-23 00:00:00", + "ValidTo": "2037-03-22 23:59:59", + "Signature": 
"7d598ec093b66f98a94422017e66d6d82142e1b0182e104d13cf3053cebf18fbc7505de24b29fb708a0daa2969fc69c1cf1d07e93e60c8d80be55c5bd76d87fa842025343167cdb612966fc4504c621d0c0882a816bda956cf15738d012225ce95693f4777fb727414d7ffab4f8a2c7aab85cd435fed60b6aa4f91669e2c9ee08aace5fd8cbc6426876c92bd9d7cd0700a7cefa8bc754fba5af7a910b25de9ff285489f0d58a717665daccf072a323fac0278244ae99271bab241e26c1b7de2aebf69eb1799981a35686ab0a45c9dfc48da0e798fbfba69d72afc4c7c1c16a71d9c6138009c4b69fcd878724bb4fa349b9776691f1729ce94b0252a7377e9353ac3b1d08490f94cd397addff256399272c3d3f6ba7f166c341cd4fb6409b212140d0b71324cddc1d783ae49eade5347192d7266be43873aba6014fbd3f3b78ad4cadfbc4957bed0a5f33398741787a38e99ce1dd23fd1d28d3c7f9e8f1985ffb2bd87ef2469d752c1e272c26db6f157b1e198b36b893d4e6f2179959ca70f037bf9800df20164f27fb606716a166badd55c03a2986b098a02bed9541b73ad5159831b462090f0abd81d913febfa4d1f357d9bc04fa82de32df0489f000cd5dc2f9d0237f000be4760226d9f0657642a6298709472be67f1aa4850ffc9896f655542b1f80fac0f20e2be5d6fba92f44154ae7130e1ddb37381aa12bf6edd67cfc", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2022 , 2", + "ValidFrom": "2022-03-29 00:00:00", + "ValidTo": "2033-03-14 23:59:59", + "Signature": 
"0d2d2374a6d1f5f8ea4b993f01e4f60ce4af169dd9b38c9782299c436f012dab38b57011bf84198b3f5de5864fbe933ade2a395a394ed88459a5bc1b98aae86cefd1486919385bcf89391d7070d94edf23226cd5dff659cba1c2ea4c76caa1dca12b96b89b55a91a6b7dd1f502094f82d6a57388c49880dfee4995b7b3ccc5a7ee0ee1ef1e388a9fef11c9314a58b6df387ccbfa5cf7e453bf6e0a7c7ed7de98d52965890fa29cc065f4012265c7ea5e74a65b3592507cf417a687644f3e46891663206bcbf27bd035e34a7048a9b6e71d60bd04221525700672a9443b694711d3eee9c7a03e4f10b93036e4f3aa6909a88b7e64a2659411fb6e32f1f5bb38adcdc09311d532784a4b372a4cf35cdcb685c0bb70305578d698fe546d7f71a9481a78dd46772e1b7ac0338af84a288c12a873cf2df9d323f29e19e00d9428a0ebdb1a51a095828e286ba4ce9d76dea973aa486a5943ae5feaf80f06429ddf066896fe2aa0745b6366de6b2cb878aa4d706df02cf107157e35b4e6b50ca299a5d7156b350e85d6e02ccce00c24b87c520b1e997cefc8c8c58c5869afab3de1cfcc7d15ae14bf8a71dfca97b1d847ea1c85e0454e121c142958cc6fd37fcbbec10e4a6f209caed973325908e72d92a11a11fe3298a65d2b97e08bd39ccc6db50dae47633847175b6f13da6a106e1f49b7445bb4080a875a59047611a1a77702131c", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000433a68189e33902987000000000043", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "0dabd5a60a452fb44eadf46f478c7028", + "Issuer": "CN=lab,z.com" } ] } ] - } - ], - "Tags": [ - "irec.sys" - ] - }, - { - "Id": "3d1439e9-9a7d-497a-8c6c-74513f825d6a", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create daxin_blank6.sys binPath=C:\\windows\\temp\\daxin_blank6.sys type=kernel && sc.exe start daxin_blank6.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "daxin_blank6.sys", - "MD5": "0ae30291c6cbfa7be39320badd6e8de0", - "SHA1": "c257aa4094539719a3c7b7950598ef872dbf9518", - "SHA256": "e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217", - "Signature": "Unsigned", - "Date": "2:44 AM 3/26/2009", - "Publisher": "n/a", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "RwDrv.sys", + "MD5": "60e84516c6ec6dfdae7b422d1f7cab06", + "SHA1": "66e95daee3d1244a029d7f3d91915f1f233d1916", + "SHA256": "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d", "Authentihash": { - "MD5": "d59fbf4aa759286d1dd9abb40733f7b2", - "SHA1": "3c34c7c5916b987420fbfb4f3e3fef7400471831", - "SHA256": "a8c558e74ebe35a095a5b79d4bb26c10b18f8ebb449365e742f856d4e032555c" + "MD5": "0496b6428ce874959af5387ce44b4eaf", + "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848", + "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d" }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "NTOSKRNL.EXE", - "HAL.DLL", - "ntoskrnl.exe", - "NDIS.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnlockPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "IoGetCurrentProcess", - "_stricmp", - "IoFreeWorkItem", - "RtlFreeUnicodeString", - "ZwClose", - "ZwWriteFile", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "_strnicmp", - "RtlUnwind", - "RtlCopyUnicodeString", - "wcsncmp", - "swprintf", - "IoCreateDevice", - "IoCreateSymbolicLink", - "KeInitializeSpinLock", - "ExfInterlockedInsertTailList", - "RtlInitUnicodeString", - "MmMapLockedPagesSpecifyCache", - "IoFreeMdl", - "InterlockedDecrement", - 
"InterlockedIncrement", - "InterlockedExchange", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "ExfInterlockedRemoveHeadList", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "strncmp", - "ExFreePool", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeInitializeApc", - "KeInsertQueueApc", - "KeAttachProcess", - "KeDetachProcess", - "NtQuerySystemInformation", - "NdisAllocatePacket", - "NdisCopyFromPacketToPacket", - "NdisAllocateMemory", - "NdisFreePacket", - "NdisAllocateBuffer", - "NdisSetEvent", - "NdisResetEvent", - "NdisFreeBufferPool", - "NdisFreePacketPool", - "NdisFreeMemory", - "NdisWaitEvent", - "NdisQueryAdapterInstanceName", - "NdisOpenAdapter", - "NdisInitializeEvent", - "NdisAllocatePacketPool", - "NdisRegisterProtocol", - "NdisAllocateBufferPool", - "NdisCloseAdapter", - "NdisDeregisterProtocol" - ], - "Signatures": {} - } - ], - "Tags": [ - "daxin_blank6.sys" - ] - }, - { - "Id": "1d2cdef1-de44-4849-80e5-e2fa288df681", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create iqvw64e.sys binPath=C:\\windows\\temp\\iqvw64e.sys type=kernel && sc.exe start iqvw64e.sys", - "Description": "(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/", - "https://expel.com/blog/well-that-escalated-quickly-how-a-red-team-went-from-domain-user-to-kernel-memory/", - "https://github.com/Exploitables/CVE-2015-2291", - 
"https://github.com/Tare05/Intel-CVE-2015-2291", - "https://github.com/TheCruZ/kdmapper", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "iqvw64e.sys", - "MD5": "1898ceda3247213c084f43637ef163b3", - "SHA1": "d04e5db5b6c848a29732bfd52029001f23c3da75", - "SHA256": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b", - "Signature": [ - "Intel Corporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Intel Corporation ", - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.7", - "FileVersion": "1.03.0.7 built by: WinDDK", + "Description": "RwDrv Driver", + "Company": "RW-Everything", + "InternalName": "RwDrv.sys", + "OriginalFilename": "RwDrv.sys", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "Product": "RwDrv Driver", + "ProductVersion": "1.00.00.0000", + "Copyright": "Copyright (C) 2011 RW-Everything", "MachineType": "AMD64", - "OriginalFilename": "iQVW64.SYS", - "Authentihash": { - "MD5": "1789a16d20ca2b55f491ad71848166a2", - "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7", - "SHA256": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087" - }, - "InternalName": "iQVW64.SYS", - "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "IoRegisterPlugPlayNotification", + 
"MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "IoDeleteDevice", + "IoFreeWorkItem", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", + "RtlQueryRegistryValues", + "KeReleaseSpinLock", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", - "IoDeleteSymbolicLink", + "IoBuildAsynchronousFsdRequest", + "ExInterlockedInsertTailList", + "IoBuildDeviceIoControlRequest", "MmMapIoSpace", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "IoUnregisterPlugPlayNotification", + "IofCompleteRequest", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", + "IoCreateSymbolicLink", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "IoCreateDevice", + "IoQueueWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", + "IoAllocateWorkItem", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -16973,38 +1580,38 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2012-05-17 00:00:00", - "ValidTo": "2015-05-30 23:59:59", - "Signature": "285fe626bdcc91182509755ed38bee901a395d2f11b14eb7857cb9b3624afadee423a07cca07804cd51a299716b3bd127c84e6d827dd786b29964aee3b6dd0193d366813ff62ab31f61e2c37bda7a2cd4c19a877cd410dcd066acefa7013e47436b8b4270238dbf631a4907c380f2397eda3a013d8d3d006a15b581edf946d7cc16896d2af8e79981802555b12bb1b177f7e9a85c0c92b8af3d423ecbd858a1aa0d8face738f4f4934b2a0f9654db4cc1e388afad699371e83992bd317de8ae0dce9df2f6de60191af4462eca8a2ba30e8b203b68bff09f4753cfbedbf41a64f1e0cc999f90c83dc3062dd62dd46773f8e93d1051f19a29a97377c1d0bee7f39", + "Subject": "C=TW, CN=ChongKim Chan", + "ValidFrom": "2012-07-31 20:41:59", + "ValidTo": "2013-08-01 20:41:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "11218f56dafd7542d5f3d70b213e2a546cff", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } 
@@ -17012,81 +1619,121 @@ } ], "Tags": [ - "iqvw64e.sys" - ] + "RwDrv.sys" + ], + "yara": true }, { - "Id": "ea86fce4-911a-40b4-8d35-61b5a9d556bd", + "Id": "0f59ce3b-20ac-41ba-8010-2abc74827eb8", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create semav6msr64.sys binPath=C:\\windows\\temp\\semav6msr64.sys type=kernel && sc.exe start semav6msr64.sys", + "Command": "sc.exe create cpuz.sys binPath=C:\\windows\\temp\\cpuz.sys type=kernel && sc.exe start cpuz.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "semav6msr64.sys", - "MD5": "07f83829e7429e60298440cd1e601a6a", - "SHA1": "643383938d5e0d4fd30d302af3e9293a4798e392", - "SHA256": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", + "Filename": "cpuz.sys", + "MD5": "c2eb4539a4f6ab6edd01bdc191619975", + "SHA1": "4d41248078181c7f61e6e4906aa96bbdea320dc2", + "SHA256": "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6", "Signature": [ - "Intel(R) Code Signing External", - "Intel External Basic Issuing CA 3B", - "Intel External Basic Policy CA", - "Sectigo (AddTrust)" + "CPUID", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "Company": "CPUID", + "Description": "CPUID Driver", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "MachineType": "I386", + "OriginalFilename": "cpuz.sys", "Authentihash": { - "MD5": "79553d83580570e382d3b9c7e101df2b", - "SHA1": "e3dbe2aa03847df621591a4cad69a5609de5c237", - "SHA256": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf" + "MD5": "d8a92124984eb0c21f84461d5babd6de", + "SHA1": "6e928611c1afb608bf0df53a0d9f9e59a51199a2", + "SHA256": "4bf6f1b49ed332b31c695ee1e3e8db69d7514a3179f707034eec96de4865e1d2" }, - "InternalName": "", - "Copyright": "", + "InternalName": "cpuz.sys", + "Copyright": "Copyright(C) 2010 CPUID", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeQueryActiveProcessors", - "KeQueryActiveProcessorCount", - "IoDeleteSymbolicLink", - "KeSetSystemAffinityThreadEx", - "RtlInitUnicodeString", - 
"IoDeleteDevice", + "IofCompleteRequest", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", + "ObfDereferenceObject", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", "MmUnmapIoSpace", + "RtlInitAnsiString", "MmMapIoSpace", - "IofCompleteRequest", - "KeRevertToUserAffinityThreadEx", "IoCreateSymbolicLink", "IoCreateDevice", - "RtlAssert", - "DbgPrint", + "RtlUnwind", + "KeTickCount", "KeBugCheckEx", - "__C_specific_handler" + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -17094,52 +1741,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Code Signing External", - "ValidFrom": "2015-04-16 17:22:30", - "ValidTo": "2016-04-15 17:22:30", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", - "ValidFrom": "2014-12-09 21:30:38", - "ValidTo": "2017-12-09 21:30:35", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000b6712f575e402cf8708400020000b671", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + "SerialNumber": 
"29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -17147,383 +1787,464 @@ } ], "Tags": [ - "semav6msr64.sys" - ] + "cpuz.sys" + ], + "yara": true }, { - "Id": "3bec7340-bd8b-43ae-8569-d81a66f01dda", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "23f11e19-0776-4dd4-9c9c-7f6b60f8553f", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create ene.sys binPath=C:\\windows\\temp\\ene.sys type=kernel && sc.exe start ene.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create ATSZIO.sys binPath=C:\\windows\\temp\\ATSZIO.sys type=kernel && sc.exe start ATSZIO.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", + "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "FileName": "ene.sys", - "MD5": "fd80c3d38669b302de4b4b736941c0d1", - "SHA1": "c47b890dda9882f9f37eccc27d58d6a774a2901f", - "SHA256": "16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354", - "Authentihash": { - "MD5": "f2d4af4dcb47113b44651d663ee322f8", - "SHA1": "097653d7068265aae9f00e37c904857d944a774c", - "SHA256": "995284d05f947e2db58ece30b6d61653a2b94b2c337e5c75ca8315793e0b3955" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "ZwUnmapViewOfSection", - "ZwClose", - 
"IofCompleteRequest", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "ObfDereferenceObject", - "IoCreateDevice", - "RtlAssert", - "ZwOpenSection", - "DbgPrint", - "KeBugCheckEx", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-09-06 21:30:32", - "ValidTo": "2019-09-06 21:30:32", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "33000000253a2738690a3451c1000000000025", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece.yara" }, { - "FileName": "ene.sys", - "MD5": "7e6e2ed880c7ab115fca68136051f9ce", - "SHA1": "3cd037fbba8aae82c1b111c9f8755349c98bcb3c", - "SHA256": "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ATSZIO.sys", + "MD5": "b12d1630fd50b2a21fd91e45d522ba3a", + "SHA1": "490109fa6739f114651f4199196c5121d1c6bdf2", + "SHA256": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "ASUSTek Computer Inc.", + "Description": "ATSZIO Driver", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "FileVersion": "0.2.1.7", + "MachineType": "AMD64", + "OriginalFilename": "ATSZIO.sys", "Authentihash": { - "MD5": "6055cbe0b4c535baa8c15473fc97e61a", - "SHA1": "ce280412dd778cafbe6dbb05b8cab42e98d3ae56", - "SHA256": "795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5" + "MD5": "69a92cb6ac87c99f10b24eefa13f0b10", + "SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73", + "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "ATSZIO.sys", + "Copyright": "Copyright (C) 2012", "Imports": [ - "cng.sys", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "BCryptCloseAlgorithmProvider", - "BCryptGetProperty", - "BCryptDecrypt", - "BCryptImportKey", - "BCryptDestroyKey", - "BCryptSetProperty", - "BCryptOpenAlgorithmProvider", + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", 
- "IoDeleteDevice", + "IoCreateSynchronizationEvent", + "KeSetEvent", "IoDeleteSymbolicLink", - "wcsstr", - "ObfDereferenceObject", + "ObReferenceObjectByHandle", "ZwClose", "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetCurrentProcessId", - "RtlTimeToSecondsSince1970", + "MmGetPhysicalAddress", "__C_specific_handler", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "DbgPrint", + "IoDeleteDevice", "RtlInitUnicodeString", - "KeBugCheckEx", - "ObReferenceObjectByHandle", - "HalTranslateBusAddress" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-03-11 17:31:14", - "ValidTo": "2021-03-05 17:31:14", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + 
"ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000003a6ae333708fda7a7b00000000003a", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "ATSZIO.sys" + ], + "yara": true + }, + { + "Id": "e32bc3da-4db1-4858-a62c-6fbe4db6afbd", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create RTCore64.sys binPath=C:\\windows\\temp\\RTCore64.sys type=kernel && sc.exe start RTCore64.sys", + "Description": "The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/RTCore64_MSI_Afterburner_v.4.6.4.16117" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "ene.sys", - "MD5": "8942e9fa2459b1e179a6535ca16a2fb4", - "SHA1": "3a3342f4ca8cc45c6b86f64b1a7d7659020b429f", - "SHA256": "810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3", - "Authentihash": { - "MD5": "198111fd73515aa7fe4387612f027f0f", - "SHA1": 
"651b953cb03928e41424ad59f21d4978d6f4952e", - "SHA256": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12" - }, - "Description": "", + "Filename": "RTCore64.sys", + "MD5": "2d8e4f38b36c334d0a32a7324832501d", + "SHA1": "f6f11ad2cd2b0cf95ed42324876bee1d83e01775", + "SHA256": "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd", + "Signature": [], + "Date": null, + "Publisher": null, "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", - "Copyright": "", + "FileVersion": "", "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "538e5e595c61d2ea8defb7b047784734", + "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", + "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" + }, + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "ZwUnmapViewOfSection", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", "ZwMapViewOfSection", - "ObfDereferenceObject", - "IoCreateDevice", - "RtlAssert", + "ObReferenceObjectByHandle", "ZwOpenSection", - "DbgPrint", - "KeBugCheckEx", + "MmMapIoSpace", + "__C_specific_handler", + "ZwClose", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", - "HalTranslateBusAddress" + "IofCompleteRequest", + "IoDeleteDevice", + "HalTranslateBusAddress", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", - "ValidFrom": "2015-12-31 00:00:00", - "ValidTo": "2019-07-09 18:40:36", - "Signature": 
"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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2000-05-30 10:48:38", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, postalCode=11071, ST=Taiwan, L=Taipei, ??=12F., No.1,8, Sec. 5, Zhongxiao E. 
Rd., Xinyi Dist., Taipei City 11071, Taiwan (R.O.C.), O=Ptolemy Tech Co., Ltd, CN=Ptolemy Tech Co., Ltd", - "ValidFrom": "2018-02-21 00:00:00", - "ValidTo": "2019-02-21 23:59:59", - "Signature": "0dbb7a0ba1c1f2522a473c9994cf7cb087a3e1b69a733e84665124c5473bc87e43d639859088db27ede83500cbf39c36a80b24476562cd1ec3363458efbcf5a770b63f75ae5c249b313cb70603564bc0eaa9825b9c3deaa0460462d7e861d487c474f8af3a42163090b6e189ca8b0d1dbf3d87f80bd1ca031140b3e37baadef936611ab23e5a7419c8dc34dc28b0a8f69c0df0c876a53fcbc7f4e6ba3f0e89cd05faed21432cc43d452344b515dc4f8f90bc5c064d3d0271850147eb782b3ac159f496cdacdc5f1c2c0a02503d042cedf7a7e999520ac193276935bdc224ec0df1bc7b9123cbc96ba51ab57aa4ba52764b04b905c74c3e66d0508fe8031819b8", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA", - "ValidFrom": "2013-05-09 00:00:00", - "ValidTo": "2028-05-08 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "00e7640d3b521f8b0b6fd8ce64c827613b", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign 
CodeSigning CA , G2" } ] } ] }, { - "FileName": "ene.sys", - "MD5": "1f3522c5db7b9dcdd7729148f105018e", - "SHA1": "17b3163aecd1f512f1603548ef6eb4947fbec95e", - "SHA256": "910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c", - "Authentihash": { - "MD5": "1da05109a3734c583233491ec8242e11", - "SHA1": "b93b24e5edb56cf7872d73a0a081ae1127ae43d2", - "SHA256": "91b0fdd5bfc596b2f7c9db33e822d24f378c706daf6f92682c5fe1043e547f8d" - }, - "Description": "", + "Filename": "RTCore64.sys", + "MD5": "0ec361f2fba49c73260af351c39ff9cb", + "SHA1": "af50109b112995f8c82be8ef3a88be404510cdde", + "SHA256": "cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812", + "Signature": null, + "Date": null, + "Publisher": null, "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", + "Authentihash": { + "MD5": "63fd0d800cac53db02638349cea2f8e7", + "SHA1": "3856e573765f090afbbb9e5be4c886653402f755", + "SHA256": "ff8d17761c1645bdd1f0eccc69024907bbbfbe5c60679402b7d02f95b16310fe" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "cng.sys", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "BCryptCloseAlgorithmProvider", - "BCryptGetProperty", - "BCryptDecrypt", - "BCryptImportKey", - "BCryptDestroyKey", - "BCryptSetProperty", - "BCryptOpenAlgorithmProvider", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", "IofCompleteRequest", + "MmUnmapIoSpace", + "ZwClose", + "_except_handler3", "IoCreateSymbolicLink", - "IoDeleteDevice", + "IoCreateDevice", + "KeTickCount", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "ZwUnmapViewOfSection", + "IoDeleteDevice", + "HalTranslateBusAddress", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" + ], + "Signatures": {} + 
}, + { + "Filename": "RTCore64.sys", + "MD5": "0a2ec9e3e236698185978a5fc76e74e6", + "SHA1": "4fe873544c34243826489997a5ff14ed39dd090d", + "SHA256": "f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3", + "Signature": null, + "Date": null, + "Publisher": null, + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "bcd9f192e2f9321ed549c722f30206e5", + "SHA1": "8498265d4ca81b83ec1454d9ec013d7a9c0c87bf", + "SHA256": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "ZwUnmapViewOfSection", + "MmMapIoSpace", "ZwClose", + "IoDeleteDevice", + "ObReferenceObjectByHandle", + "IoCreateSymbolicLink", "ZwOpenSection", + "KeBugCheckEx", + "RtlInitUnicodeString", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetCurrentProcessId", - "RtlTimeToSecondsSince1970", - "__C_specific_handler", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "IofCompleteRequest", + "IoDeleteSymbolicLink", "MmGetSystemRoutineAddress", - "wcsstr", - "ZwSetSecurityObject", - "IoDeviceObjectType", "IoCreateDevice", "ObOpenObjectByPointer", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", + "ZwSetSecurityObject", + "IoDeviceObjectType", "_snwprintf", "RtlLengthSecurityDescriptor", - "SeExports", + "SeCaptureSecurityDescriptor", + "ExFreePoolWithTag", "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", + "RtlSetDaclSecurityDescriptor", "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", + "SeExports", 
+ "wcschr", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", "RtlFreeUnicodeString", - "KeBugCheckEx", - "RtlInitUnicodeString", + "__C_specific_handler", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"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", + "Subject": "O=GlobalSign, OU=GlobalSign Root CA , R3, CN=GlobalSign", + "ValidFrom": "2015-06-04 17:47:53", + "ValidTo": "2025-06-04 17:47:53", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, serialNumber=22178368, ??=TW, C=TW, ST=New Taipei, L=New Taipei, ??=NO.69, LI,DE ST., ZHONGHE DIST., O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2019-09-16 08:28:21", + "ValidTo": "2022-09-16 08:28:21", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "6a7bb9e55c0bbf1def6c739c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" } ] } 
@@ -17531,441 +2252,335 @@ } ], "Tags": [ - "ene.sys" - ] + "RTCore64.sys" + ], + "yara": false }, { - "Id": "95d244a5-fa5b-4bcb-a2fd-39ed6c7ea7a4", - "Author": "Michael Haag", - "Created": "2023-01-09", + "Id": "62e2a967-1f03-4225-a325-122b109208f3", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rtkio64.sys binPath=C:\\windows\\temp\\rtkio64.sys type=kernel && sc.exe start rtkio64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create DirectIo.sys binPath=C:\\windows\\temp\\DirectIo.sys type=kernel && sc.exe start DirectIo.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "rtkio64.sys", - "MD5": "70dcd07d38017b43f710061f37cb4a91", - "SHA1": "99201c9555e5faf6e8d82da793b148311f8aa4b8", - "SHA256": "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129", - "Signature": [ - "Realtek Semiconductor Corp.", - "DigiCert EV Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "Realtek ", - "Description": "Realtek IO Driver", - "Product": "Realtek IO Driver ", - "ProductVersion": "1.008.0823.2017", - "FileVersion": "1.008.0823.2017 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "rtkio64.sys ", + "FileName": "DirectIo.sys", + "MD5": "d77fb9fb256b0c2ec0258c39b80dc513", + "SHA1": "bdfb1a2b08d823009c912808425b357d22480ecc", + "SHA256": "2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d", 
"Authentihash": { - "MD5": "dbe68427fd1f2194715b4d146dedeae7", - "SHA1": "118ebc5c7ac859d17c14ceeaa8ab973d694fdd7b", - "SHA256": "e46bb410c3bb95a1f3d61ced157c679bfac7dc997534e46b83b234a6fc5cbb14" + "MD5": "79f811fc9166bce5a871174b384370a7", + "SHA1": "79f909fb1ffe781e45351fc683e7cece43cfe465", + "SHA256": "d166b6ffd164dbea53f0f588a979f4c5f1f2a1793fc10cda84a4530b7b22fd0c" }, - "InternalName": "rtkio64.sys ", - "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. ", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapLockedPages", - "ExUnregisterCallback", - "ExAllocatePoolWithTag", - "IoWMIRegistrationControl", - "KeQueryActiveProcessors", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "IoWMIWriteEvent", - "IoRegisterShutdownNotification", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmUnmapIoSpace", - "ZwQueryValueKey", - "IoUnregisterShutdownNotification", "ZwClose", + "ZwUnmapViewOfSection", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "ExRegisterCallback", - "RtlCompareMemory", + "memcpy", + "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "ZwOpenSection", + "memset", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", "IoCreateSymbolicLink", - "KeSetSystemAffinityThread", "ObfDereferenceObject", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", "IoCreateDevice", - "ExCreateCallback", - "IoAllocateMdl", - "ZwOpenKey", + "KeTickCount", 
"KeBugCheckEx", - "MmMapLockedPagesSpecifyCache", - "_vsnprintf", - "__C_specific_handler", - "KeStallExecutionProcessor" + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", + "DbgPrint", + "RtlInitUnicodeString", + "ExAllocatePool", + "ZwQueryValueKey", + "ZwOpenKey", + "ExFreePoolWithTag", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2016-06-13 00:00:00", - "ValidTo": "2019-01-24 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2007-10-16 00:00:00", + "ValidTo": "2009-10-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0320be3eb866526927f999b97b04346e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "6204d256fa7f1bbb6b94137201342edb", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "rtkio64.sys" - ] - }, - { - "Id": "a8e999ee-746f-4788-9102-c1d3d2914f56", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create LgDCatcher.sys binPath=C:\\windows\\temp\\LgDCatcher.sys type=kernel && sc.exe start LgDCatcher.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "LgDCatcher.sys", - "MD5": "ed6348707f177629739df73b97ba1b6e", - "SHA1": "806832983bb8cb1e26001e60ea3b7c3ade4d3471", - "SHA256": "58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59", - "Signature": [ - "雷神(武汉)信息技术有限公司", - "DigiCert SHA2 Assured ID Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "DirectIo.sys", + "MD5": "590875a0b2eeb171403fc7d0f5110cb2", + "SHA1": "4f94789cffb23c301f93d6913b594748684abf6a", + "SHA256": "31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192", "Authentihash": { - "MD5": "0011ec462e11bd6288e1dc38def9be06", - "SHA1": "c6f2e631f12737a5fa96db2e18c8ebf950d64eb6", - "SHA256": "3ba724dd78864cd527a99673fde1bf7f9f85f2415c91708e7380fbe5e2c085dd" + "MD5": "92d24cb91b1cdc8139614ac03a00af5c", + "SHA1": "562695a1b80864b303b234fa801f064d7546b4f8", + "SHA256": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + 
"MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "fwpkclnt.sys", - "NDIS.SYS", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExpInterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmAllocatePagesForMdl", - "MmFreePagesFromMdl", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "IoAllocateMdl", + "ZwOpenSection", + "ZwClose", + "ZwUnmapViewOfSection", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoReleaseCancelSpinLock", "ObReferenceObjectByHandle", - "ExpInterlockedPopEntrySList", - "ZwClose", "ZwOpenKey", - "ZwQueryValueKey", - "PsGetCurrentProcessId", - "ZwSetInformationThread", - "RtlLengthSid", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ZwSetSecurityObject", - "__C_specific_handler", - "SeExports", - "RtlGetVersion", - "_stricmp", - "ExAllocatePool", - "ZwQuerySystemInformation", - "RtlValidSid", - "KeGetCurrentIrql", + "RtlWriteRegistryValue", "KeWaitForSingleObject", - "ExFreePoolWithTag", - "ExQueryDepthSList", - "KeSetEvent", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", "KeInitializeEvent", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAppendUnicodeToString", - "MmGetSystemRoutineAddress", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "ZwMapViewOfSection", + "DbgPrint", + "RtlAssert", "RtlInitUnicodeString", - "swprintf_s", - "ExUuidCreate", "ExAllocatePoolWithTag", - "RtlCopyUnicodeString", - "KeReleaseInStackQueuedSpinLock", - 
"KeAcquireInStackQueuedSpinLock", - "ObfDereferenceObject", - "RtlCompareMemory", - "FwpsFreeNetBufferList0", - "NdisInitializeEvent", - "NdisAdvanceNetBufferDataStart", - "NdisGetDataBuffer", - "NdisAllocateGenericObject", - "NdisFreeNetBufferListPool", - "NdisAllocateNetBufferListPool", - "NdisWaitEvent", - "NdisFreeGenericObject", - "NdisRetreatNetBufferDataStart", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "ZwQueryValueKey", + "RtlQueryRegistryValues", + "ExFreePool", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "3eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA", + "ValidFrom": "2003-08-06 00:00:00", + "ValidTo": "2013-08-05 23:59:59", + "Signature": 
"76b29cee139f1bf62d349294457334dc8e6b2e5cfc4c7d89ebc368f1d7990f2e1d17c8b5168bbecd8a0506f219493a035b05c9208e6d52e17681a0c3658a2267e41c53533746bfbcd72feb7b9ed014456c402108e25d757666301ef4df828a2fbdf3a20cbf1ddb9f14a29a72374db07748e84a3f09ce55192cefe60724e1afec", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=?????????, L=?????????, O=??????????????????????????????????????????, CN=??????????????????????????????????????????", - "ValidFrom": "2020-04-07 00:00:00", - "ValidTo": "2023-04-12 12:00:00", - "Signature": "a4c49209083ca0c02d22e42e0f174eb979220983298f1fb3ce5f14777b955ebb967d6ab384bc924776ec4d86bab81b19775efbafb8a330efd441e89b696862ab135515ae53e585fe95f42a6029af2a7dc8b2467e7ada564c0de809404746327890d06f247b5ef420978893e616ffa622e3fbdcd37c3147d04b84ce4be2af9d7408e342e39ebf2e77b111b22d824ce50b57c8c3f6adcd11cefa69f9f5d381084fa76f6531fd8c8462d9292f4ad4c0cadb0c293e350b96e847cd5af3c4a9c4d3e22c45c7dc10908af3e41a0e9fadd5fa45ffa88d413a50bd7db8f165d67df655de0e88fe8ab2d7638ebd1eef0c514a18a3e73cd0e2a5f6a56f7c7288b4f30a6673", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", - "ValidFrom": "2019-05-02 00:00:00", - "ValidTo": "2038-01-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=AU, ST=NSW, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, 
CN=PassMark Software Pty Ltd", + "ValidFrom": "2005-10-20 07:03:10", + "ValidTo": "2007-10-20 07:03:10", + "Signature": "3116ad5ee2031661e893bffa3e28036440e1342ac82cb00ffa19b541cc558bb494ac845d401892bc236a2d26f6826d580da1b6eb998a81ea3867ddb07fdf2a267452f6abc71242c3dc904e528953ec2eebdb5ca5dd9c1e607527822dff5fb577a2be4fbdb33332abd62448751055ec5a857ff146bf07ccb4856e84f32debaa67", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", - "ValidFrom": "2020-10-23 00:00:00", - "ValidTo": "2032-01-22 23:59:59", - "Signature": "4a0378904233ec7b1a830936339855bb9d4006306b456af1940e1950ff5b255e3be139c45bbae995903737bddffb64ece582b795cc5755704b4ef4a887dd2285a657bbb82127d4a02a31948a07219e8abda71af50215cb4450998cec3eba0377a6820290c22e93a9be21347563b9e02d0fcf0137cb8da2fab85a9aaea17a9e139319558f09902edfea881716eb69d6e125bd45089780d75420284fca7bb3b3a5d200b0603465c4e3c5c3a5e4ba85aa7a69db75a43e79689a368b43ae36d461723c0e85620da05e70db642f01c7c1a1c72494a3b23c6eb25ea2d0faa8d1b8251c16e6c0d57f681ac46529352a2d88bceaae74d682e7c088b8e14f78f05ccac0405cc29fd5321c2cda3cac36f706529aa3403017b0291699c9aab78849f7e80b2533b53f6daf9f5f0a56df12b1c3eece9177e82013e95c24c7ea440b4ae613841c4deb0db5b886a030a78ba19fb42cccc01623c991e542034b80cee44de62a013ec05e85a024a11740d5dbdbe79810a4f1ea191b8054fa4789e89881a975c00edfd0689479a1a09e8eb6b74266cbd9d96b2f4dd8de3e321e20e4ec9c4d428d9dc73399823744d4262926408e782fb9eefa2ff1f18ffe50b878dd1496de1c0e70b02a856ab16c68e92ae4102b6e21fdd37c9d37e42a06d6c3f1d768e34f0779810813feb2645ee9b13ce6d07823b2092ce22662bf3ba99751ccc7443281b2afcfdf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], 
"Signer": [ { - "SerialNumber": "0efd9bd4b4281c6522d96011df46c9c4", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" + "SerialNumber": "401630", + "Issuer": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA" } ] } ] - } - ], - "Tags": [ - "LgDCatcher.sys" - ] - }, - { - "Id": "13973a71-412f-4a18-a2a6-476d3853f8de", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create AMDRyzenMasterDriver.sys binPath=C:\\windows\\temp\\AMDRyzenMasterDriver.sys type=kernel && sc.exe start AMDRyzenMasterDriver.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "f16b44cca74d3c3645e4c0a6bb5c0cb9", - "SHA1": "eceb51233f013e04406da11482324d45e70281c7", - "SHA256": "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d", + "FileName": "DirectIo.sys", + "MD5": "392d7180653b0ca77a78bdf15953d865", + "SHA1": "3e917f0986802d47c0ffe4d6f5944998987c4160", + "SHA256": "673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92", "Authentihash": { - "MD5": "56d3a74361bd38be9c8ee476f0063f16", - "SHA1": "8facd7c1efbfb3b44cde04cc1b9a1f24d171c2b8", - "SHA256": "ab1c74ed1ea4fc7a613aa22fd87ee4251ede260862fdebde2d7d2f00c0f23371" + "MD5": "a905e5bba9e716972e78843a7de4d30e", + "SHA1": "08de981cec441bf0bc18a90a44e13941ba4e781d", + "SHA256": "15cf3ce2a0ee32488de26222492842a378d6b8af6924578b35dac89fb0c7cb5c" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.3.0.0", - 
"Product": "AMD Ryzen Master Service Driver", - "ProductVersion": "1.3.0.0", - "Copyright": "Copyright © 2018 AMD, Inc.", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "MmMapIoSpace", - "MmUnmapIoSpace", + "ZwOpenSection", + "ZwClose", + "ZwUnmapViewOfSection", + "ObfDereferenceObject", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ExAllocatePoolWithTag", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "ObReferenceObjectByHandle", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "IoCreateDevice", - "KeEnterCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", + "RtlQueryRegistryValues", "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeDelayExecutionThread", - "RtlGetVersion", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + 
"IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "ZwMapViewOfSection", "DbgPrint", - "RtlCopyUnicodeString", "RtlInitUnicodeString", + "ExAllocatePool", + "ZwQueryValueKey", "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "RtlIntegerToUnicodeString", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
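Review bot: The new-side records in this hunk do not share one shape with the rest of the file: `"Commands"` is a bare string here (`"Commands": "sc.exe create …"`) where the entries at the top of the file use an object with `Command`/`Description`/`Usecase` keys, `"Description"` and `"Person"` are `[]` where sibling entries use `""`, and the sample key is spelled `"FileName"` while the RTCore64 samples just above use `"Filename"`. If the Go code in pkg/loldrivers decodes this into fixed struct types, a string-versus-object mismatch on `Commands` fails the unmarshal of the whole list, and the `FileName`/`Filename` split silently leaves one variant empty, so hash matching against this data would lose entries without any error being reported. Since the file is imported from upstream and cannot be normalised by hand, the practical fix belongs on the consumer side: decode the drifting fields as `json.RawMessage` behind a tolerant accessor, and add a load-time test asserting that every `KnownVulnerableSamples` entry yields a non-empty `SHA256`. The same inconsistencies (`"Signature": null` vs `[]`, `"Signatures": {}` vs an array, `"CertificatesInfo": ""` vs `[]`) appear in the hunks before and after this one, which begin or end outside this view.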
@@ -17973,130 +2588,106 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Bellevue, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.", - "ValidFrom": "2016-04-04 00:00:00", - "ValidTo": "2019-04-04 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", 
+ "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5ca430e4777412a8230bf839f782d4f7", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "130c5aec46bdec8d534df7222d160fdb", - "SHA1": "fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b", - "SHA256": "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880", + "FileName": "DirectIo.sys", + "MD5": "e3fda6120dfa016a76d975fdab7954f6", + "SHA1": "e2e7a2b2550b889235aafd9ffd1966ccd20badfe", + "SHA256": "83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a", "Authentihash": { - "MD5": "baad4335bf64311b512e159d47cfb3c7", - "SHA1": "dbfd5f346b6117941139006b9c7d88a4d9a6b04f", - "SHA256": "679de7449908838c031db59234cb4f482fbf5d27d7e02d0c30d5ad9d2f36495f" + "MD5": "4235df36aa97725d3a17e653dd5e1524", + "SHA1": "9fa6e7d69545a0f7b82c01e9bec2c8f19d1ab65b", + "SHA256": "2b03a8bad9ecfcacc8e8a21ee310ce359e1382d7a5d5ce5284b32ecc2bcc4b8a" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.5.0.0", - "Product": "AMD Ryzen Master 
Service Driver", - "ProductVersion": "1.5.0.0", - "Copyright": "Copyright © 2020 AMD, Inc.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "MmMapIoSpace", - "MmUnmapIoSpace", + "ExFreePoolWithTag", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "RtlInitUnicodeString", + "RtlAssert", + "DbgPrint", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ZwClose", + "ZwUnmapViewOfSection", + "IoWriteErrorLogEntry", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "IoCreateDevice", - "KeEnterCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", + "RtlQueryRegistryValues", "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "strncmp", - 
"HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -18104,130 +2695,117 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices INC., CN=Advanced Micro Devices INC.", - "ValidFrom": "2019-02-13 00:00:00", - "ValidTo": "2022-02-13 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": 
"2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2006-10-19 00:00:00", + "ValidTo": "2007-10-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "6365cef4a64e1054779b87cb364f5ba7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "013719e840e955c2e4cd9d18c94a2625", - "SHA1": "b74338c91c6effabc02ae0ced180428ab1024c7d", - "SHA256": "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194", + "FileName": "DirectIo.sys", + "MD5": "a17c403c4b74d4fa920c3887066daeb2", + "SHA1": "30c6e1da8745c3d53df696af407ef095a8398273", + "SHA256": "94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e", "Authentihash": { - "MD5": "008ebc7b97c6e3c036bc3d51e4166027", - "SHA1": "f0a89a5719eff19884d6674bd60c1249876e71b9", - "SHA256": "ddc5ff33a19baf1630a92723b5d0103fcc9ca58ee2a548526b9439eec3c97fe8" + "MD5": "9377db4b59048af79f44c26fc34298a5", + "SHA1": "d0559503988daa407fcc11e59079560cb456bb84", + "SHA256": "eb6f186c9bf73b0efd227d99e09659c321f0414bda568e99ee9a3863dc1a380d" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.1.0.0", - "Product": "AMD Ryzen Master Service 
Driver", - "ProductVersion": "1.1.0.0", - "Copyright": "Copyright © 2017 AMD, Inc.", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapIoSpace", + "ZwClose", + "ZwUnmapViewOfSection", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateSymbolicLink", + "memcpy", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "RtlQueryRegistryValues", + "ZwOpenSection", + "memset", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", "IoCreateDevice", - "ZwSetSecurityObject", - "ZwClose", - "KeLeaveCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "_snwprintf", - "RtlCreateSecurityDescriptor", - "RtlLengthSid", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlSetDaclSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "ZwOpenKey", - "ZwQueryValueKey", - "RtlFreeUnicodeString", - "ZwSetValueKey", - "ZwCreateKey", + "KeTickCount", "KeBugCheckEx", - "KeEnterCriticalRegion", - "KeDelayExecutionThread", + "ObReferenceObjectByHandle", + 
"ZwMapViewOfSection", "DbgPrint", - "RtlCopyUnicodeString", "RtlInitUnicodeString", + "ExAllocatePool", + "ZwQueryValueKey", + "ZwOpenKey", "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "RtlGetOwnerSecurityDescriptor", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -18235,130 +2813,114 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", - "ValidFrom": "2016-06-16 00:00:00", - "ValidTo": "2019-07-16 23:59:59", - "Signature": "a7e55605825dfbd1b68d884b19685d8a578891d427b776f584d93b0ee66a7f2bace57691884dd480e47dceba8506dcf432f8341e99b87c76751ccbf7086d570de39d83b1770c21ba699169bdff0645659289bcf989329ee0e187064e774dc338f9112edc66c104a6237e1687974a89b00e9e6e428b1581a769ca7b1cd017c317509ecdb2ce1ff410e80d91d167437d9d93efe9e103bb0d513bb821ceda37550bfaae4160fa445ba09afe9141bf45b44a28f80e5d32edc5ac63b27139b0264d7c80e58c1d1b12f47f9fe8f8d673d7b2fbf5acd023fe3ff8a3504d5cfe6c89edbbfc819dea2974720785e0463eb7d99aafea40178b942aeea5dcb91dff62610930", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2007-10-16 00:00:00", + "ValidTo": "2009-10-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6204d256fa7f1bbb6b94137201342edb", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "aa12c1cb47c443c6108bfe7fc1a34d98", - "SHA1": "88d00eff21221f95a0307da229bc9fe1afb6861b", - "SHA256": "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a", + "FileName": "DirectIo.sys", + "MD5": "7056549baa6da18910151b08121e2c94", + "SHA1": "84d44e166072bccf1f8e1e9eb51880ffa065a274", + 
"SHA256": "bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3", "Authentihash": { - "MD5": "daaff8865677433e85f79ac4ceb6be54", - "SHA1": "588d359fa0e976507d2bad89a24de2d3dab34b64", - "SHA256": "0ad2d2fe1b16e42f43788dae1f0f45031b5025ef6bcc52360e18812820682f04" + "MD5": "92d24cb91b1cdc8139614ac03a00af5c", + "SHA1": "562695a1b80864b303b234fa801f064d7546b4f8", + "SHA256": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.0.0", - "Product": "AMD Ryzen Master Service Driver", - "ProductVersion": "1.0.0", - "Copyright": "Copyright © 2017 AMD, Inc.", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapIoSpace", + "ZwOpenSection", + "ZwClose", + "ZwUnmapViewOfSection", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ObOpenObjectByPointer", - "IoDeviceObjectType", - "IoCreateDevice", - "ZwSetSecurityObject", - "ZwClose", - "KeLeaveCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "_snwprintf", - "RtlCreateSecurityDescriptor", - 
"RtlLengthSid", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlSetDaclSecurityDescriptor", - "_wcsnicmp", - "wcschr", + "ObReferenceObjectByHandle", "ZwOpenKey", - "ZwQueryValueKey", - "RtlFreeUnicodeString", - "ZwSetValueKey", - "ZwCreateKey", - "KeBugCheckEx", - "KeEnterCriticalRegion", - "KeDelayExecutionThread", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "ZwMapViewOfSection", "DbgPrint", - "RtlCopyUnicodeString", + "RtlAssert", "RtlInitUnicodeString", - "ExFreePoolWithTag", "ExAllocatePoolWithTag", - "RtlGetOwnerSecurityDescriptor", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "ZwQueryValueKey", + "RtlQueryRegistryValues", + "ExFreePool", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -18366,134 +2928,202 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", - "ValidFrom": "2016-06-16 00:00:00", - "ValidTo": "2019-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", 
+ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2006-10-19 00:00:00", + "ValidTo": "2007-10-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6365cef4a64e1054779b87cb364f5ba7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "DirectIo.sys" + ], + "yara": false + }, + { + "Id": "7437388f-821e-421f-a3c1-62ce2c725a6a", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create windows8-10-32.sys binPath=C:\\windows\\temp\\windows8-10-32.sys type=kernel type=kernel && sc.exe start windows8-10-32.sys", + "Description": "", + "Usecase": "Elevate 
privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "windows8-10-32.sys", + "SHA256": "5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "windows8-10-32.sys" + ], + "yara": false + }, + { + "Id": "48bc2815-85ec-4436-a51a-69810c8cb171", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create driver7-x64.sys binPath=C:\\windows\\temp\\driver7-x64.sys type=kernel && sc.exe start driver7-x64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd.yara" }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "0490f5961e0980792f5cb5aedf081dd7", - "SHA1": "4786253daac6c60ffc0d2871fdd68023ec93dfb3", - "SHA256": "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f", + "type": 
"sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "driver7-x64.sys", + "MD5": "715f8efab1d1c660e4188055c4b28eed", + "SHA1": "7ba19a701c8af76988006d616a5f77484c13cb0a", + "SHA256": "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "ASUStek", + "Description": "The driver for the ECtool driver-based tools", + "Product": "EC tool", + "ProductVersion": "2.5", + "FileVersion": "2.5.0.2", + "MachineType": "AMD64", + "OriginalFilename": "Driver7", "Authentihash": { - "MD5": "74e9ae3f89ff8fcf94f0407f7b94f680", - "SHA1": "4fce761086a78302bf6409d4be2c057e3389210d", - "SHA256": "192a27335de23a008c05efe24ea1fa0f633dd8ddc68d904466e4e2741a0bb645" + "MD5": "7f66b6e24dc4f3af2f19ad9a95b1e9fa", + "SHA1": "5ad545cf58d644be2fc3382881cc07f0f7edfeba", + "SHA256": "d8f7ddf5de213c6dc0356dc83b6307ec596e66c33c3cdd826a612c12004ba9dc" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.2.0.0", - "Product": "AMD Ryzen Master Service Driver", - "ProductVersion": "1.2.0.0", - "Copyright": "Copyright © 2017 AMD, Inc.", - "MachineType": "AMD64", + "InternalName": 
"Driver7.sys", + "Copyright": "Copyright ", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapIoSpace", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", + "ExFreePoolWithTag", + "IoWMIQueryAllData", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "IoWMIOpenBlock", + "MmGetPhysicalAddress", + "ZwUnmapViewOfSection", "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "ExAllocatePoolWithTag", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "RtlAssert", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IoCreateSymbolicLink", "IoCreateDevice", - "ObOpenObjectByPointer", - "KeLeaveCriticalRegion", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", "KeBugCheckEx", - "KeEnterCriticalRegion", - "KeDelayExecutionThread", + "IofCompleteRequest", "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "RtlGetDaclSecurityDescriptor", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
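Review bot: The new records in this hunk change the type of keys that other records keep as a different type, which breaks any typed deserialiser of this file: `"CertificatesInfo": ""` on the driver7-x64.sys sample replaces `"CertificatesInfo": []`, and in the later hunk (`@@ -18534,97 +3171,110 @@`) the LHA.sys record has `"Commands"` as a bare string with `"Description": []` and `"Person": []`, where every other record uses a `Commands` object and `""` strings. If pkg/loldrivers unmarshals this into a struct (not visible here), those records will fail to load or silently drop fields, so the shape should be normalised before regenerating, or the consumer made tolerant of both forms. The windows8-10-32.sys sample also omits the `MD5` and `SHA1` keys that every other sample carries (as `""` when unknown), so hash-based matching on those fields will see zero values, and its `Command` string repeats `type=kernel`. Since this is a vendored export, the corrections belong in the upstream source so the next refresh does not reintroduce them.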
@@ -18511,17 +3141,24 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", - "ValidFrom": "2016-06-16 00:00:00", - "ValidTo": "2019-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -18534,97 +3171,110 @@ ], "Signer": [ { - "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "driver7-x64.sys" + ], + "yara": true + }, + { + "Id": "eb07ef7e-0402-48eb-8e06-8fb76eda5b84", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create LHA.sys binPath=C:\\windows\\temp\\LHA.sys type=kernel && sc.exe start LHA.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade.yara" }, { - "FileName": "AMDRyzenMasterDriver.sys", - "MD5": "0be5c6476dd58072c93af4fca62ee4b3", - "SHA1": "5f8ae70b25b664433c6942d5963acadf2042cfe8", - "SHA256": "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + 
"KnownVulnerableSamples": [ + { + "FileName": "LHA.sys", + "MD5": "1d768959aaa194d60e4524ce47708377", + "SHA1": "3fd55927d5997d33f5449e9a355eb5c0452e0de3", + "SHA256": "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade", "Authentihash": { - "MD5": "85f5af5f7200c76440823c16a70b2093", - "SHA1": "2f550bc5f89e2291f669b8a2d1910086bbea7532", - "SHA256": "207b6cea0c9f7e94a912b388d5e9f7ace3b6405114f64bcc425042a09170fcac" + "MD5": "e8daeb4eae6a46b46de0e42fcfeece79", + "SHA1": "87c155d933ca3513e29d235562d96b88d3913cde", + "SHA256": "dcd5404c83f74f0b7a8d0735174af78782aaa99d2b5b5b24f44c48b295a2ba31" }, - "Description": "AMD Ryzen Master Service Driver", - "Company": "Advanced Micro Devices", - "InternalName": "AMDRyzenMasterDriver.sys", - "OriginalFilename": "AMDRyzenMasterDriver.sys", - "FileVersion": "1.4.0.0", - "Product": "AMD Ryzen Master Service Driver", - "ProductVersion": "1.4.0.0", - "Copyright": "Copyright © 2019 AMD, Inc.", + "Description": "LHA", + "Company": "LG Electronics Inc.", + "InternalName": "LHA.sys", + "OriginalFilename": "LHA.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Microsoft® Windows® Operating System", + "ProductVersion": "6.1.7600.16385", + "Copyright": "ultrabios@hotmail.com", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "ExFreePoolWithTag", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeReleaseSpinLock", + "MmUnmapIoSpace", + "MmFreeNonCachedMemory", + "MmGetPhysicalAddress", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "IoCreateSymbolicLink", + "MmAllocateNonCachedMemory", 
"IoCreateDevice", - "KeEnterCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeDelayExecutionThread", - "RtlGetVersion", + "KeAcquireSpinLockRaiseToDpc", "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "ExFreePoolWithTag", + "IoWMIQueryAllData", + "MmGetSystemRoutineAddress", + "KeBugCheckEx", + "IofCompleteRequest", "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -18642,18 +3292,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices INC., CN=Advanced Micro Devices INC.", - "ValidFrom": "2019-02-13 00:00:00", - "ValidTo": "2022-02-13 23:59:59", - "Signature": "8c521a9a934b3e45eaccd7ed8e301606b9e25215b4914181c8dfb5226b0e0e96df11e24e5d5985637b0ed21b121b6b46cc448cea697a0cb62faccc7cd5ec515797e424cf9e28634da84b95fa2eef52f8b9cc0752b6a161bae0be9f4924d7fd9a8fe5443177f16025dbf020287184581d3b1eed67fa369b80eb66cb70050089965da0bf36d68dd303738ac99edff5b7943ce863c4f3b2833a04576e6a28555c630d91bd4ea9f0ca41c0d97b07240c1059bc4a6cbe58276fede21f22de0ec57efe20b33ee4b2bb35cbfb1e5590193aa35368e728a09d27c3bf8e84815c66e092b91e63d025665756aa8e73f847b5506e6b118dde05bf7d72547ec2146d8b9dec80", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=KR, ST=????????? ?????????, L=????????? 
?????????, O=LG Electronics Inc., CN=LG Electronics Inc.", + "ValidFrom": "2014-07-30 00:00:00", + "ValidTo": "2017-09-27 23:59:59", + "Signature": "e5240868f932855b412fcfb55a2d2e6a117e180f2c1ace813e5d234bce408b042a504dbade9c7586a4d54149845acde53075e86e0d739e4a3d1c891834beb37785f0c08c043488dc70c3290e652f0a24836354692556ad87b4eceb24d91348a7becbb7854185e8fc135c01577c182b600d76865a11382f89ccc2ca73d56c4a15a6d43f57c2dcd007639aaab4902b1b0c06242ad6e138c7499a3fb6aa3483454aac67a5ba6cadb29cbeb453921b3f1f9d54dd7660305846e376c5811e0b9d129a0fe079a00cd0e20c90934042bf320b952a75a9e3080c1b35b2213a406e3f2255f45cf0d9933e16b78a222f7e62b554d1f210a520f1ca97680a5d8530573d2780", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", @@ -18661,12 +3304,19 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "4bad88265909f29eb7827157954a75a5", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
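Review bot: The LG Electronics certificate `Subject` in this hunk carries runs of `?` in its ST and L components (`C=KR, ST=????????? ?????????, L=????????? ?????????`), so the non-ASCII distinguished-name parts were lost in an encoding round-trip before this record was generated. Any comparison of a signer DN against this string can never match the real certificate, so if the client ever keys on `Subject` or `Issuer` it should treat those fields as informational and match on the file hashes and `SerialNumber` instead. It is worth reporting upstream so the record is re-extracted with proper UTF-8 handling. The enclosing sample object starts before this hunk.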
@@ -18674,18 +3324,19 @@ } ], "Tags": [ - "AMDRyzenMasterDriver.sys" - ] + "LHA.sys" + ], + "yara": true }, { - "Id": "920e3326-e5dc-446a-9993-6ec05266e0e0", + "Id": "c0645f0f-9b97-4fe9-811e-2e45c250c9ef", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create ASIO32.sys binPath=C:\\windows\\temp\\ASIO32.sys type=kernel && sc.exe start ASIO32.sys", + "Command": "sc.exe create cpupress.sys binPath=C:\\windows\\temp\\cpupress.sys type=kernel && sc.exe start cpupress.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", @@ -18702,8 +3353,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "ASIO32.sys", - "SHA1": "d569d4bab86e70efbcdfdac9d822139d6f477b7c", + "Filename": "cpupress.sys", + "SHA256": "fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1", "Signature": [], "Date": "", "Publisher": "", 
@@ -18714,91 +3365,391 @@ "FileVersion": "", "MachineType": "", "OriginalFilename": "" + } + ], + "Tags": [ + "cpupress.sys" + ], + "yara": false + }, + { + "Id": "205721b7-b83b-414a-b4b5-8bacb4a37777", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create elrawdsk.sys binPath=C:\\windows\\temp\\elrawdsk.sys type=kernel && sc.exe start elrawdsk.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://securelist.com/shamoon-the-wiper-further-details-part-ii/57784/", + "https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Shamoon.yar", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6.yara" }, { - "Filename": "ASIO32.sys", - "SHA1": "80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a.yara" }, { - "Filename": "ASIO32.sys", - "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - 
"FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "Filename": "ASIO32.sys", - "SHA1": "1acc7a486b52c5ee6619dbdc3b4210b5f48b936f", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" }, { - "Filename": "ASIO32.sys", - "SHA1": "55ab7e27412eca433d76513edc7e6e03bcdd7eda", - "Signature": [], + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "elrawdsk.sys", + "MD5": "1493d342e7a36553c56b2adea150949e", + "SHA1": "ce549714a11bd43b52be709581c6e144957136ec", + "SHA256": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6", + "Signature": [ + "EldoS Corporation", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Company": "EldoS Corporation", + "Description": "RawDisk Driver. 
Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later.", + "Product": "RawDisk", + "ProductVersion": "2, 1, 27, 0", + "FileVersion": "2, 1, 27, 106", + "MachineType": "I386", + "OriginalFilename": "elrawdsk.sys", + "Authentihash": { + "MD5": "20f14b58e9548b6ea99b35006f631197", + "SHA1": "174bd2e0965b996cff4a26ac511e551788fbc894", + "SHA256": "98a55dc61046f4509d2465cbc373a9391c07125e5f4a242d2f475f14f32e5430" + }, + "InternalName": "elrawdsk.sys", + "Copyright": "Copyright (C) 2007-2011, EldoS Corporation ", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnlockPages", + "KeSetEvent", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "RtlPrefixUnicodeString", + "FsRtlIsNtstatusExpected", + "MmProbeAndLockPages", + "ExRaiseStatus", + "IoAllocateMdl", + "MmMapLockedPagesSpecifyCache", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "ExAllocatePoolWithTag", + "memcpy", + "ZwClose", + "ObfDereferenceObject", + "ObQueryNameString", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ZwOpenFile", + "RtlAppendUnicodeStringToString", + "KeUnstackDetachProcess", + "MmSystemRangeStart", + "KeStackAttachProcess", + "ZwQueryInformationProcess", + "ObOpenObjectByPointer", + "PsLookupProcessByProcessId", + "IoBuildAsynchronousFsdRequest", + "IoBuildSynchronousFsdRequest", + "IoFreeMdl", + "PsGetCurrentProcessId", + "KeQuerySystemTime", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ObfReferenceObject", + "IoGetAttachedDevice", + "memset", + "KeLeaveCriticalRegion", + "ExReleaseFastMutexUnsafe", + "IoGetRelatedDeviceObject", + "ExAcquireFastMutexUnsafe", + "KeEnterCriticalRegion", + "KeGetCurrentThread", + "ZwCreateFile", + "IoAllocateIrp", + "IoReuseIrp", + "KeResetEvent", + 
"CcPurgeCacheSection", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "CcFlushCache", + "_allrem", + "RtlCompareMemory", + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeTickCount", + "ExFreePoolWithTag", + "IoFreeIrp", + "RtlCompareUnicodeString", + "IofCompleteRequest", + "RtlUnwind", + "KeBugCheckEx", + "KeGetCurrentIrql" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=VG, O=EldoS Corporation, CN=EldoS Corporation, emailAddress=info@eldos.com", + "ValidFrom": "2010-01-11 14:19:26", + "ValidTo": "2013-01-11 14:19:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 13:00:00", + "ValidTo": "2017-01-27 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": 
"bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 10:00:00", + "ValidTo": "2017-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "010000000001261dec28f7", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] }, { - "Filename": "ASIO32.sys", - "SHA1": "1e7c241b9a9ea79061b50fb19b3d141dee175c27", - "Signature": [], + "Filename": "elrawdsk.sys", + "MD5": "76c643ab29d497317085e5db8c799960", + "SHA1": "1292c7dd60214d96a71e7705e519006b9de7968f", + "SHA256": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", + "Signature": [ + "EldoS Corporation", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Company": "EldoS Corporation", + 
"Description": "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later.", + "Product": "RawDisk", + "ProductVersion": "2, 1, 27, 0", + "FileVersion": "2, 1, 27, 106", + "MachineType": "AMD64", + "OriginalFilename": "elrawdsk.sys", + "Authentihash": { + "MD5": "c1afcba807a13aa25a0b363a22c760d6", + "SHA1": "8422fb53e48b27a42cc7595ca7c7ae0597168db6", + "SHA256": "29a2ae6439381ea2aa3116df7025cbb5c6c7c07cc8d19508e6021e4d6177a565" + }, + "InternalName": "elrawdsk.sys", + "Copyright": "Copyright (C) 2007-2011, EldoS Corporation ", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmSystemRangeStart", + "ExAllocatePoolWithTag", + "ExRaiseStatus", + "IoBuildDeviceIoControlRequest", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "PsLookupProcessByProcessId", + "IoBuildSynchronousFsdRequest", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeSetEvent", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "RtlUnicodeStringToAnsiString", + "IoFreeMdl", + "KeUnstackDetachProcess", + "MmMapLockedPagesSpecifyCache", + "IoBuildAsynchronousFsdRequest", + "RtlPrefixUnicodeString", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "IoFreeIrp", + "RtlFreeAnsiString", + "MmProbeAndLockPages", + "PsGetVersion", + "RtlCompareUnicodeString", + "MmUnlockPages", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "ZwOpenFile", + "FsRtlIsNtstatusExpected", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "IoAllocateMdl", + "IofCallDriver", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "IoGetAttachedDevice", + "IoGetRelatedDeviceObject", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "ObfReferenceObject", + "ExAcquireResourceExclusiveLite", + "IoReuseIrp", + "KeResetEvent", + "CcPurgeCacheSection", + "CcFlushCache", + 
"ZwCreateFile", + "ExReleaseResourceLite", + "IoAllocateIrp", + "RtlCompareMemory", + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeBugCheckEx", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=VG, O=EldoS Corporation, CN=EldoS Corporation, emailAddress=info@eldos.com", + "ValidFrom": "2010-01-11 14:19:26", + "ValidTo": "2013-01-11 14:19:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 13:00:00", + "ValidTo": "2017-01-27 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 10:00:00", + "ValidTo": "2017-01-27 10:00:00", + "Signature": 
"1e6af36df48ea922fe7008652ea15dab3330dd6c78fa4beaadc58dec107a6ac55897396b92f391e20ca7281cd15d768e8b077c136fadc43643b3c1bc3159cf1838d8a33bceffca6758bfe0f1ac613ea23b1ebc025b41ac446bf526f3ed5ea865f6ca65a63fcaf577eba5862a582956f8be161040e9d2fc572c636137662539202e0703a036032594bd7ceb7ed3a3c2c57616753092b9ff7641352168d10e5e5c8ec30360e68040fcc05da2546e6e9267a7811287a2a32bdbb74dffe4d5c7e505e6d5f1aefccd661821f33e47c9e59542612c9d2680b20fa83d0ec9a778df6e748c2c46f672e93c646b2855c44b6433cb78541338f0d57106d43e0d0a350ee0b3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "010000000001261dec28f7", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] } ], "Tags": [ - "ASIO32.sys" - ] + "elrawdsk.sys" + ], + "yara": true }, { - "Id": "8d14d798-338f-471e-bacb-6d9371c0f529", + "Id": "f1dcb0e4-aa53-4e62-ab09-fb7b4a356916", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create dbutil.sys binPath=C:\\windows\\temp\\dbutil.sys type=kernel && sc.exe start dbutil.sys", + "Command": "sc.exe create netfilterdrv.sys binPath=C:\\windows\\temp \\n \\n \\n etfilterdrv.sys type=kernel type=kernel && sc.exe start netfilterdrv.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -18815,36 +3766,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "dbutil.sys", - "SHA1": "485c0b9710a196c7177b99ee95e5ddb35b26ddd1", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "dbutil.sys", - "SHA1": "50e2bc41f0186fdce970b80e2a2cb296353af586", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "dbutil.sys", - "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", + "Filename": "netfilterdrv.sys", + "SHA1": "e74b6dda8bc53bc687fc21218bd34062a78d8467", "Signature": [], "Date": "", "Publisher": "", @@ -18857,8 +3780,8 @@ "OriginalFilename": "" }, { - "Filename": "dbutil.sys", - "SHA1": "e09b5e80805b8fe853ea27d8773e31bff262e3f7", + "Filename": "netfilterdrv.sys", + "SHA1": "2c27abbbbcf10dfb75ad79557e30ace5ed314df8", "Signature": [], "Date": "", "Publisher": "", @@ -18872,18 +3795,19 @@ } ], "Tags": [ - "dbutil.sys" - ] + "netfilterdrv.sys" + ], + "yara": false }, { - "Id": "578d4909-c2ba-4363-b6e3-98fb62d5e55c", + "Id": "5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create bw.sys binPath=C:\\windows\\temp\\bw.sys type=kernel && sc.exe start bw.sys", + "Command": "sc.exe create PanIO.sys binPath=C:\\windows\\temp\\PanIO.sys type=kernel && sc.exe start PanIO.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -18897,285 +3821,922 @@ "Person": "", "Handle": "" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "Filename": "bw.sys", - "SHA256": "0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" } ], - "Tags": [ - "bw.sys" - ] - }, - { - "Id": "4f93e19c-4600-4e2e-943f-a986875fd7d2", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create ni.sys binPath=C:\\windows\\temp \\n \\n \\n i.sys type=kernel && sc.exe start ni.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "ni.sys", - "SHA256": "ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2", - "Signature": [], + "Filename": "PanIO.sys", + "MD5": "9a9dbf5107848c254381be67a4c1b1dd", + "SHA1": "291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb", + "SHA256": "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960", + "Signature": [ + "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", + "Description": "Temperature and system information driver", + "Product": "PanIO Library", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "I386", + "OriginalFilename": "PanIO.sys", + "Authentihash": { + "MD5": "5af91c612918020b1dbc829a040d1c88", + "SHA1": "b65163db28ef590620b8966f14ec78fe7788ac6c", + "SHA256": "f246b9d22b3ffe15f2e97f306d049020f38ed162150c97d7a72e3ae0b22c79ad" + }, + "InternalName": "PanIO.sys", + "Copyright": "Copyright (c) 2012-2014 Pan Yazilim Bilisim Teknolojileri Tic. Ltd. 
Sti.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IofCompleteRequest", + "KeTickCount", + "MmMapIoSpace", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoCreateDevice", + "IoDeleteDevice", + "RtlUnwind", + "KeBugCheckEx", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": 
"0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "ValidFrom": "2014-04-15 15:12:40", + "ValidTo": "2015-04-15 10:41:35", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121506480253469e07e54ee8612041fbb92", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] } ], "Tags": [ - "ni.sys" - ] + "PanIO.sys" + ], + "yara": true }, { - "Id": "268e87ba-ad44-4f3c-986f-26712cac68da", + "Id": "22aa985b-5fdb-4e38-9382-a496220c27ec", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create Phymemx64.sys binPath=C:\\windows\\temp\\Phymemx64.sys type=kernel && sc.exe start Phymemx64.sys", + "Command": "sc.exe create TmComm.sys binPath=C:\\windows\\temp\\TmComm.sys type=kernel && sc.exe start TmComm.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
"OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "Phymemx64.sys", - "MD5": "715572dfe6fb10b16f980bfa242f3fa5", - "SHA1": "f42f28d164205d9f6dab9317c9fecad54c38d5d2", - "SHA256": "19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0", + "Filename": "TmComm.sys", + "MD5": "2e1f8a2a80221deb93496a861693c565", + "SHA1": "a00e444120449e35641d58e62ed64bb9c9f518d2", + "SHA256": "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64", "Signature": [ - "Huawei Technologies Co.,Ltd.", + "Trend Micro, Inc.", "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Company": "Trend Micro Inc.", 
+ "Description": "TrendMicro Common Module", + "Product": "Trend Micro Eyes", + "ProductVersion": "7.30", + "FileVersion": "7.30.0.1099", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "TmComm.sys", "Authentihash": { - "MD5": "4325af5c85aa7bb0339389cf54d78817", - "SHA1": "3c9f40ac72b0202cb40627fdeb7298079187193a", - "SHA256": "a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66" + "MD5": "2d7f04ca689981b18fb8a4488e029843", + "SHA1": "6c0af836a89234e9a69363495719b686fbad8d7d", + "SHA256": "d580349730ace5170e7c33850bdcb37cbf16b70d0d1adc2568fdd223c2a55a77" }, - "InternalName": "", - "Copyright": "", + "InternalName": "TmComm.sys", + "Copyright": "Copyright (C) 2018 Trend Micro Incorporated. All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + 
"??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + 
"??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + "??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + 
"??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3@YAXPEAX_K@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", 
+ "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "??_V@YAXPEAX_K@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + "?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", 
+ "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + 
"?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + 
"?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + 
"?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + "?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + 
"?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "AllocFullFileName", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsVerifierCodeCheckFlagOn", + "IsWindows8_1_update", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetBackupCommPortAPIs", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + 
"ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], - "ExportedFunctions": "", "ImportedFunctions": [ + "RtlInitUnicodeString", + "KeInitializeEvent", + "KeClearEvent", + "KeSetEvent", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", + "ExFreePoolWithTag", + "ExAcquireFastMutexUnsafe", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObfReferenceObject", "ObfDereferenceObject", "ZwClose", + "ZwCreateSection", "ZwOpenSection", - "ObReferenceObjectByHandle", - "ZwUnmapViewOfSection", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "RtlCopyUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", "ZwMapViewOfSection", - 
"RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Huawei Technologies Co.,Ltd., OU=Handset Engineer Testing Department (Dongguan), CN=Huawei Technologies Co.,Ltd.", - "ValidFrom": "2014-08-26 00:00:00", - "ValidTo": "2017-10-24 23:59:59", - "Signature": "26ae5c92dcdd43ce7bb0268607a9ae0b1a0285edaf34485ad22397a5c488a1bb50d7bdd0920096ad9607b6f14e99e5678022730b02e37d19fa3ae2570290b232b26b816cba6ed7e040a8cb194c0ae2c904c4fa2374b568435655d3491e0df8c5ab2291d0b95135b425f05d79a46f6848d57c7b500f5cd136c1c505ad2513b235f3cc70fbe8e2322515d88c7e0b00d2be887ddc85a709baccf6999097ca01aa284136d0459b6c4af18ec967796e58411af5408ef5ce0e6570cffb3b5937af9c20d58b21416ac11dc09bcb4af20ab90ae95c04fc0a47129641eb7501954aa957c03181342ceb5371257a83307b5de647054be114f91076e8effdbc8dff85ed7a4d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4c1a3d7c5bdaef3e1166416afe8138e9", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "Phymemx64.sys" - ] - }, - { - "Id": "a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f", - "Author": 
"Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create segwindrvx64.sys binPath=C:\\windows\\temp\\segwindrvx64.sys type=kernel && sc.exe start segwindrvx64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "segwindrvx64.sys", - "MD5": "4ae55080ec8aed49343e40d08370195c", - "SHA1": "d702d88b12233be9413446c445f22fda4a92a1d9", - "SHA256": "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd", - "Signature": [ - "Insyde Software Corp.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Insyde Software Corp.", - "Description": "SEG Windows Driver x64", - "Product": "SEG Windows Driver x64", - "ProductVersion": "100.00.07.02", - "FileVersion": "100.00.07.02", - "MachineType": "AMD64", - "OriginalFilename": "segwindrvx64.sys", - "Authentihash": { - "MD5": "bfc8d6405949be17179975d604e62c90", - "SHA1": "c7d32983805f04c7aac4e9713d203399aaca7acc", - "SHA256": "f1f345591efe74fd12e706132939f51963eb39dd0a1db556123c3e850c60fada" - }, - "InternalName": "segwindrvx64.sys", - "Copyright": "Copyright (c) 2012 - 2015, Insyde Software Corp. 
All Rights Reserved.", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", - "MmUnmapIoSpace", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemorySpecifyCache", + "ZwUnmapViewOfSection", + "ZwOpenEvent", + "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "ZwSetEvent", + "__C_specific_handler", + "PsProcessType", + "wcslen", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "_stricmp", + "ExAllocatePoolWithTag", + "MmIsAddressValid", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "PsThreadType", + "MmSectionObjectType", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "KeDelayExecutionThread", + "ExGetPreviousMode", + "DbgPrint", + "swprintf", + "RtlCopyUnicodeString", "IofCompleteRequest", - "MmGetPhysicalAddress", - "_vsnprintf", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "RtlInitAnsiString", - "RtlFreeAnsiString", - "ExAllocatePool", - "RtlCopyString", - "RtlEqualString", - "RtlCompareMemory", - "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + 
"ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "ExInitializeResourceLite", + "ExDeleteResourceLite", "ZwCreateFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", "ZwWriteFile", - "ZwClose", + "towupper", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "PsGetCurrentThreadId", + "ObQueryNameString", + "PsGetVersion", + "_snprintf", + "_vsnprintf", + "RtlInitAnsiString", + "wcscat", + "RtlFreeUnicodeString", + "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", + "ExSystemTimeToLocalTime", + "ZwCreateKey", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ZwOpenFile", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "IoCreateFile", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlUpcaseUnicodeChar", + "_snwprintf", + "strlen", + "_strnicmp", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "ObOpenObjectByName", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeNumberProcessors", + "RtlLengthSecurityDescriptor", + "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwDuplicateObject", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "NtCreateFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "IoFileObjectType", + "ObInsertObject", + "wcschr", + "wcsncmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IoFreeIrp", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", + "NtClose", + "ZwSetInformationObject", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", + 
"IoGetFileObjectGenericMapping", + "ObCreateObject", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "strcpy", + "wcsstr", + "RtlCompareUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ExAllocatePool", + "ExpInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "RtlAnsiStringToUnicodeString", + "_purecall", "KeBugCheckEx" ], "Signatures": [ @@ -19198,10 +4759,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Insyde Software Corp., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Insyde Software Corp.", - "ValidFrom": "2012-12-28 00:00:00", - "ValidTo": "2016-01-27 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2017-04-27 00:00:00", + "ValidTo": "2018-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -19221,7 +4782,7 @@ ], "Signer": [ { - "SerialNumber": "0355af7ef9418e476d877eecd9f9e9e2", + "SerialNumber": "497c4fad471540e6e453d0cafb155740", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -19230,369 +4791,19 @@
 }
 ],
 "Tags": [
- "segwindrvx64.sys"
- ]
- },
- {
- "Id": "d1624a73-55e0-43f6-8d2d-f4f791ef1bff",
- "Author": "Michael Haag",
- "Created": "2023-01-09",
- "MitreID": "T1068",
- "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": {
- "Command": "sc.exe create Mhyprot2.sys binPath=C:\\windows\\temp\\Mhyprot2.sys type=kernel && sc.exe start Mhyprot2.sys",
- "Description": "",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- " https://github.com/namazso/physmem_drivers",
- "https://github.com/namazso/physmem_drivers"
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "Mhyprot2.sys",
- "MD5": "4b817d0e7714b9d43db43ae4a22a161e",
- "SHA1": "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3",
- "SHA256": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6",
- "Signature": [
- "miHoYo Co.,Ltd.",
- "DigiCert Assured ID Code Signing CA-1",
- "DigiCert"
- ],
- "Date": "",
- "Publisher": "",
- "Company": "",
- "Description": "",
- "Product": "",
- "ProductVersion": "",
- "FileVersion": "",
- "MachineType": "AMD64",
- "OriginalFilename": "",
- "Authentihash": {
- "MD5": "ff295de93e6b6dcc3938d50901a7240d",
- "SHA1": "484c72dd4fd91083b249f3ccc733a3c8335e583f",
- "SHA256": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c"
- },
- "InternalName": "",
- "Copyright": "",
- "Imports": [
- "ntoskrnl.exe",
- "WDFLDR.SYS"
- ],
- "ExportedFunctions": "",
- "ImportedFunctions": [
- "NtQuerySystemInformation",
- "RtlInitUnicodeString",
- "ExAllocatePool",
- "ExAllocatePoolWithTag",
- "ExFreePoolWithTag",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "_wcsicmp",
- "RtlInitString",
- "RtlAnsiStringToUnicodeString",
- "RtlFreeUnicodeString",
- "IoGetDeviceObjectPointer",
- "ZwClose",
- "MmIsAddressValid",
- "ZwOpenDirectoryObject",
- "ZwQueryDirectoryObject",
- "ObReferenceObjectByName",
- "ZwQuerySystemInformation",
- "__C_specific_handler",
- "MmHighestUserAddress",
- "IoDriverObjectType",
- "KeQueryTimeIncrement",
- "KeStackAttachProcess",
- "KeUnstackDetachProcess",
- "PsGetProcessWow64Process",
- "PsGetProcessPeb",
- "MmUnlockPages",
- "MmGetSystemRoutineAddress",
- "MmUnmapLockedPages",
- "IoFreeMdl",
- "ZwTerminateProcess",
- "PsGetProcessImageFileName",
- "ObOpenObjectByPointer",
- "PsReferenceProcessFilePointer",
- "IoQueryFileDosDeviceName",
- "ZwQueryVirtualMemory",
- "MmProbeAndLockPages",
- "PsLookupProcessByProcessId",
- "MmMapLockedPagesSpecifyCache",
- "IoAllocateMdl",
- "IoGetCurrentProcess",
- "MmCopyVirtualMemory",
- "KeClearEvent",
- "KeSetEvent",
- "KeWaitForSingleObject",
- "MmMapLockedPages",
- "ObReferenceObjectByHandle",
- "PsSetCreateProcessNotifyRoutineEx",
- "PsSetCreateThreadNotifyRoutine",
- "PsRemoveCreateThreadNotifyRoutine",
- "PsSetLoadImageNotifyRoutine",
- "PsRemoveLoadImageNotifyRoutine",
- "ExEventObjectType",
- "ObRegisterCallbacks",
- "ObUnRegisterCallbacks",
- "ObGetFilterVersion",
- "IoThreadToProcess",
- "strcmp",
- "PsProcessType",
- "PsThreadType",
- "RtlGetVersion",
- "ObfReferenceObject",
- "ObGetObjectType",
- "ExEnumHandleTable",
- "ExfUnblockPushLock",
- "_snprintf",
- "vsprintf_s",
- "ZwCreateFile",
- "ZwWriteFile",
- "PsLookupThreadByThreadId",
- "NtQueryInformationThread",
- "PsGetThreadProcess",
- "DbgPrint",
- "KeDelayExecutionThread",
- "KdDisableDebugger",
- "KdChangeOption",
- "PsCreateSystemThread",
- "PsTerminateSystemThread",
- "KdDebuggerEnabled",
- "PsGetVersion",
- "KeInitializeEvent",
- "RtlCopyUnicodeString",
- "ObfDereferenceObject",
- "ExReleaseFastMutex",
- "ExAcquireFastMutex",
- "MmBuildMdlForNonPagedPool",
- "WdfVersionBindClass",
- "WdfVersionBind",
- "WdfVersionUnbind",
- "WdfVersionUnbindClass"
- ],
- "Signatures": [
- {
- "CertificatesInfo": "",
- "SignerInfo": "",
- "Certificates": [
- {
- "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.",
- "ValidFrom": "2019-04-08 00:00:00",
- "ValidTo": "2022-04-08 12:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA",
- "ValidFrom": "2011-04-15 19:41:37",
- "ValidTo": "2021-04-15 19:51:37",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
- "ValidFrom": "2014-10-22 00:00:00",
- "ValidTo": "2024-10-22 00:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1",
- "ValidFrom": "2011-02-11 12:00:00",
- "ValidTo": "2026-02-10 12:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
- "ValidFrom": "2006-11-10 00:00:00",
- "ValidTo": "2021-11-10 00:00:00",
- "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- }
- ],
- "Signer": [
- {
- "SerialNumber": "05a7559541e0fdc678d79e3272468907",
- "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1"
- }
- ]
- }
- ]
- }
- ],
- "Tags": [
- "Mhyprot2.sys"
- ]
- },
- {
- "Id": "3bc629e8-7bf8-40c2-965b-87eb155e0065",
- "Author": "Michael Haag",
- "Created": "2023-01-09",
- "MitreID": "T1068",
- "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": {
- "Command": "sc.exe create mtcBSv64.sys binPath=C:\\windows\\temp\\mtcBSv64.sys type=kernel && sc.exe start mtcBSv64.sys",
- "Description": "",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "mtcBSv64.sys",
- "MD5": "9dfd73dadb2f1c7e9c9d2542981aaa63",
- "SHA1": "29a190727140f40cea9514a6420f5a195e36386b",
- "SHA256": "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8",
- "Signature": [
- "Mitac Technology Corporation",
- "VeriSign Class 3 Code Signing 2004 CA",
- "VeriSign Class 3 Public Primary CA"
- ],
- "Date": "",
- "Publisher": "",
- "Company": "MiTAC Technology Corporation",
- "Description": "MiTAC System Service Provider",
- "Product": "MiTAC System Service Provider",
- "ProductVersion": "21, 1, 4, 0",
- "FileVersion": "21, 1, 4, 0",
- "MachineType": "AMD64",
- "OriginalFilename": "mtcBSv64.sys",
- "Authentihash": {
- "MD5": "c467ed521f199f0d5c1c3705dabf2896",
- "SHA1": "8533994513c4f65feb48806b36f42ec9fe21a4c3",
- "SHA256": "da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a"
- },
- "InternalName": "mtcBSv64.sys",
- "Copyright": "Copyright (C) 2007 MiTAC Technology Corporation",
- "Imports": [
- "ntoskrnl.exe"
- ],
- "ExportedFunctions": "",
- "ImportedFunctions": [
- "ExAllocatePoolWithTag",
- "KeClearEvent",
- "IoDeleteSymbolicLink",
- "ExFreePoolWithTag",
- "KeInitializeMutex",
- "IoRegisterDeviceInterface",
- "IoSetDeviceInterfaceState",
- "IoBuildSynchronousFsdRequest",
- "RtlInitUnicodeString",
- "IoDeleteDevice",
- "KeSetEvent",
- "KeInitializeEvent",
- "KeReleaseSpinLock",
- "IoDetachDevice",
- "KeReleaseMutex",
- "RtlFreeUnicodeString",
- "ExInterlockedInsertTailList",
- "PoStartNextPowerIrp",
- "IofCompleteRequest",
- "KeWaitForSingleObject",
- "IoGetAttachedDeviceReference",
- "IoAttachDeviceToDeviceStack",
- "PoCallDriver",
- "IoCreateSymbolicLink",
- "ObfDereferenceObject",
- "IoCreateDevice",
- "IofCallDriver",
- "KeAcquireSpinLockRaiseToDpc",
- "IoBuildDeviceIoControlRequest",
- "MmUnmapIoSpace",
- "MmMapIoSpace",
- "ExAllocatePool",
- "RtlTimeToTimeFields",
- "KeBugCheckEx",
- "RtlUnicodeToMultiByteN"
- ],
- "Signatures": [
- {
- "CertificatesInfo": "",
- "SignerInfo": "",
- "Certificates": [
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
- "ValidFrom": "2007-06-15 00:00:00",
- "ValidTo": "2012-06-14 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
- "ValidFrom": "2003-12-04 00:00:00",
- "ValidTo": "2013-12-03 23:59:59",
- "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
- "ValidFrom": "2004-07-16 00:00:00",
- "ValidTo": "2014-07-15 23:59:59",
- "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Mitac Technology Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Mitac Technology Corporation",
- "ValidFrom": "2008-10-08 00:00:00",
- "ValidTo": "2009-10-23 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
- "ValidFrom": "2006-05-23 17:01:29",
- "ValidTo": "2016-05-23 17:11:29",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- }
- ],
- "Signer": [
- {
- "SerialNumber": "6088078ee11491f60ccddef11374431a",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA"
- }
- ]
- }
- ]
- }
- ],
- "Tags": [
- "mtcBSv64.sys"
- ]
+ "TmComm.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "86b520f6-cc90-4488-b343-168cad88010d",
+ "Id": "067589f2-4f29-4dc4-bd50-a2e2ee57b25f",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "FALSE",
 "Commands": {
- "Command": "sc.exe create gameink.sys binPath=C:\\windows\\temp\\gameink.sys type=kernel && sc.exe start gameink.sys",
+ "Command": "sc.exe create GameTerSafe.sys binPath=C:\\windows\\temp\\GameTerSafe.sys type=kernel type=kernel && sc.exe start GameTerSafe.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
@@ -19609,8 +4820,8 @@
 "Detection": [],
 "KnownVulnerableSamples": [
 {
- "Filename": "gameink.sys",
- "SHA1": "3ae56ab63230d6d9552360845b4a37b5801cc5ea",
+ "Filename": "GameTerSafe.sys",
+ "SHA256": "3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c",
 "Signature": [],
 "Date": "",
 "Publisher": "",
@@ -19624,8 +4835,9 @@
 }
 ],
 "Tags": [
- "gameink.sys"
- ]
+ "GameTerSafe.sys"
+ ],
+ "yara": false
 },
 {
 "Id": "e42cd285-4dda-4086-a696-93ab1d6f17ca",
@@ -19649,7 +4861,28 @@
 "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
 "KnownVulnerableSamples": [
 {
 "Filename": "HOSTNT.sys",
@@ -19750,83 +4983,177 @@
 ],
 "Tags": [
 "HOSTNT.sys"
- ]
+ ],
+ "yara": true
 },
 {
- "Id": "7f9842a0-8118-462e-8860-227265ff4379",
- "Author": "Nasreddine Bencherchali",
- "Created": "2023-05-06",
+ "Id": "f93e88c2-d0e8-4347-869f-efa568955e9d",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": "sc.exe create NTIOLib.sys binPath=C:\\windows\\temp\\NTIOLib.sys type=kernel && sc.exe start NTIOLib.sys",
- "Description": [],
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create WYProxy64.sys binPath=C:\\windows\\temp\\WYProxy64.sys type=kernel && sc.exe start WYProxy64.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
 "Resources": [
- "Internal Research"
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
 ],
 "Acknowledgement": {
- "Person": [],
+ "Person": "",
 "Handle": ""
 },
 "Detection": [],
 "KnownVulnerableSamples": [
 {
- "FileName": "NTIOLib.sys",
- "MD5": "4d99d02f49e027332a0a9c31c674e13b",
- "SHA1": "39e57a0bb3b349c70ad5f11592f9282860bbcc0a",
- "SHA256": "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805",
+ "Filename": "WYProxy64.sys",
+ "SHA256": "fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
+ }
+ ],
+ "Tags": [
+ "WYProxy64.sys"
+ ],
+ "yara": false
+ },
+ {
+ "Id": "1d2cdef1-de44-4849-80e5-e2fa288df681",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create iqvw64e.sys binPath=C:\\windows\\temp\\iqvw64e.sys type=kernel && sc.exe start iqvw64e.sys",
+ "Description": "(1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/",
+ "https://expel.com/blog/well-that-escalated-quickly-how-a-red-team-went-from-domain-user-to-kernel-memory/",
+ "https://github.com/Exploitables/CVE-2015-2291",
+ "https://github.com/Tare05/Intel-CVE-2015-2291",
+ "https://github.com/TheCruZ/kdmapper",
+ ""
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "iqvw64e.sys",
+ "MD5": "1898ceda3247213c084f43637ef163b3",
+ "SHA1": "d04e5db5b6c848a29732bfd52029001f23c3da75",
+ "SHA256": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b",
+ "Signature": [
+ "Intel Corporation",
+ "VeriSign Class 3 Code Signing 2010 CA",
+ "VeriSign"
+ ],
+ "Date": "",
+ "Publisher": "",
+ "Company": "Intel Corporation ",
+ "Description": "Intel(R) Network Adapter Diagnostic Driver",
+ "Product": "Intel(R) iQVW64.SYS",
+ "ProductVersion": "1.03.0.7",
+ "FileVersion": "1.03.0.7 built by: WinDDK",
+ "MachineType": "AMD64",
+ "OriginalFilename": "iQVW64.SYS",
 "Authentihash": {
- "MD5": "eed041909fbbbe05f6cc68006d541b0d",
- "SHA1": "d3809c4439f7828a4a76aef68627eb1e6e703d43",
- "SHA256": "c84806a49da944c20a01e7dba7721e88859a5f65ec338ddb5da3a0d6895e7268"
+ "MD5": "1789a16d20ca2b55f491ad71848166a2",
+ "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7",
+ "SHA256": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087"
 },
- "Description": "NTIOLib",
- "Company": "MSI",
- "InternalName": "NTIOLib.sys",
- "OriginalFilename": "NTIOLib.sys",
- "FileVersion": "1.0.0.0",
- "Product": "NTIOLib",
- "ProductVersion": "1.0.0.0",
- "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.",
- "MachineType": "I386",
+ "InternalName": "iQVW64.SYS",
+ "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "WRITE_REGISTER_BUFFER_USHORT",
- "WRITE_REGISTER_BUFFER_ULONG",
- "IofCompleteRequest",
- "WRITE_REGISTER_BUFFER_UCHAR",
+ "IoCreateSymbolicLink",
 "IoCreateDevice",
- "KeTickCount",
- "MmMapIoSpace",
- "READ_REGISTER_BUFFER_ULONG",
- "READ_REGISTER_BUFFER_USHORT",
- "READ_REGISTER_BUFFER_UCHAR",
+ "IofCompleteRequest",
+ "ExAllocatePoolWithTag",
+ "ExFreePoolWithTag",
+ "MmGetPhysicalAddress",
+ "DbgPrint",
+ "strncpy",
+ "vsprintf",
+ "IoFreeMdl",
+ "MmMapLockedPagesSpecifyCache",
+ "MmBuildMdlForNonPagedPool",
+ "IoAllocateMdl",
 "MmUnmapIoSpace",
+ "MmUnmapLockedPages",
+ "MmAllocateContiguousMemory",
+ "MmFreeContiguousMemory",
 "RtlInitUnicodeString",
+ "ObfDereferenceObject",
+ "KeWaitForSingleObject",
+ "IofCallDriver",
+ "IoBuildSynchronousFsdRequest",
+ "KeInitializeEvent",
+ "ZwClose",
+ "RtlFreeAnsiString",
+ "strstr",
+ "RtlUnicodeStringToAnsiString",
+ "ZwEnumerateValueKey",
+ "ZwOpenKey",
+ "wcsncpy",
+ "IoGetDeviceObjectPointer",
+ "IoGetDeviceInterfaces",
+ "ObReferenceObjectByPointer",
+ "KeBugCheckEx",
 "IoDeleteSymbolicLink",
- "IoCreateSymbolicLink",
+ "MmMapIoSpace",
 "IoDeleteDevice",
- "RtlUnwind",
- "KeBugCheckEx",
- "HalGetBusDataByOffset",
- "WRITE_PORT_ULONG",
- "WRITE_PORT_USHORT",
- "WRITE_PORT_UCHAR",
- "READ_PORT_ULONG",
- "READ_PORT_USHORT",
- "READ_PORT_UCHAR",
- "HalSetBusDataByOffset"
+ "KeStallExecutionProcessor",
+ "KeQueryPerformanceCounter"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
@@ -19836,13 +5163,6 @@
 "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
- {
- "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
- "ValidFrom": "2011-04-13 10:00:00",
- "ValidTo": "2019-04-13 10:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
 {
 "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
 "ValidFrom": "2012-10-18 00:00:00",
@@ -19851,373 +5171,251 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "FileName": "NTIOLib.sys", - "MD5": "2e5f016ff9378be41fe98fa62f99b12d", - "SHA1": "4518758452af35d593e0cae80d9841a86af6d3de", - "SHA256": "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504", - "Authentihash": { - "MD5": "dbca419735abe58370b336d8d3da5ad8", - "SHA1": "2986d3251738a29bd73f2938545cd3ffc8e2aadc", - "SHA256": "c0fc1c1c1ff39ea9a695996482ab31cb65c74aaf9f20cba21e9ff34ef054a008" - }, - "Description": "NTIOLib", - "Company": "MSI", - "InternalName": "NTIOLib.sys", - "OriginalFilename": "NTIOLib.sys", - "FileVersion": "1.0.0.0", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "WRITE_REGISTER_BUFFER_USHORT", - "WRITE_REGISTER_BUFFER_ULONG", - "IofCompleteRequest", - "WRITE_REGISTER_BUFFER_UCHAR", - "IoCreateDevice", - "KeTickCount", - "MmMapIoSpace", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", - "MmUnmapIoSpace", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "RtlUnwind", - "KeBugCheckEx", - "HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": 
"225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "FileName": "NTIOLib.sys", - "MD5": "6d97ee5b3300d0f7fa359f2712834c40", - "SHA1": "8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89", - "SHA256": "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4", - "Authentihash": { - "MD5": "2f6cff8603866aad75277f79179ca16e", - "SHA1": "55df6777d508865628b433631b8faaaa38dc0908", - "SHA256": "2018ad5f3695295599f756caf556722291485cd67eb9c3f7ec701b206cca4e00" - }, - "Description": "NTIOLib", - "Company": "MSI", - "InternalName": "NTIOLib.sys", - "OriginalFilename": "NTIOLib.sys", - "FileVersion": "1.0.0.0", - "Product": "NTIOLib", - 
"ProductVersion": "1.0.0.0", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "FileName": "NTIOLib.sys", - "MD5": "2f1ebc14bd8a29b89896737ca4076002", - "SHA1": "6bfeac43be3ebd8d95a5eba963e18d97d76d2b05", - "SHA256": "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8", - "Authentihash": { - "MD5": "00f93b0c0de351b93a4c71c3595e968e", - "SHA1": "02a53e837651d224f3c91aaf37a3067e81d2f6ac", - "SHA256": "ee15f36881b84a2da82fee37e8ad65e47f1224e64d1d6fe43f7a5ad2efe92f5d" - }, - "Description": "NTIOLib", - "Company": "MSI", - "InternalName": "NTIOLib.sys", - "OriginalFilename": "NTIOLib.sys", - "FileVersion": "1.0.0.0", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "WRITE_REGISTER_BUFFER_USHORT", - "WRITE_REGISTER_BUFFER_ULONG", - "IofCompleteRequest", - "WRITE_REGISTER_BUFFER_UCHAR", - "IoCreateDevice", - "KeTickCount", - "MmMapIoSpace", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", - "MmUnmapIoSpace", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "RtlUnwind", - "KeBugCheckEx", - "HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN 
Access Division, CN=Intel Corporation", + "ValidFrom": "2012-05-17 00:00:00", + "ValidTo": "2015-05-30 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "iqvw64e.sys" + ], + "yara": true + }, + { + "Id": 
"a845a05c-5357-4b78-9783-16b4d34b2cb0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create aswVmm.sys binPath=C:\\windows\\temp\\aswVmm.sys type=kernel && sc.exe start aswVmm.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/tanduRE/AvastHV", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10.yara" }, { - "FileName": "NTIOLib.sys", - "MD5": "1c4acf27317a2b5eaedff3ce6094794d", - "SHA1": "4a7324ca485973d514fd087699f6d759ff32743b", - "SHA256": "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "aswVmm.sys", + "MD5": "a5f637d61719d37a5b4868c385e363c0", + "SHA1": "34c85afe6d84cd3deec02c0a72e5abfa7a2886c3", + "SHA256": "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10", + 
"Signature": [ + "AVAST Software", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "AVAST Software", + "Description": "avast! VM Monitor", + "Product": "avast! Antivirus", + "ProductVersion": "8.0.1497.376", + "FileVersion": "8.0.1497.376", + "MachineType": "I386", + "OriginalFilename": "aswVmm.sys", "Authentihash": { - "MD5": "fc7eef91aa6574643560ad954e800138", - "SHA1": "cc9c3d9b69f4a4be1f2c3dc33ab7441f41e47a55", - "SHA256": "1f5e9fc579028d5cae916743528891aa39a4eecb3f573ea522eeb8da97f95953" + "MD5": "14260121e1984480cf6e7ec1adead3a3", + "SHA1": "bce48d80831090b849b7f0d2f9dffd36ec44d894", + "SHA256": "a2b0b2e9e458016b22ebbf47411008f0a87efd9103b125870ce37246ab5bdff0" }, - "Description": "NTIOLib", - "Company": "MSI", - "InternalName": "NTIOLib.sys", - "OriginalFilename": "NTIOLib.sys", - "FileVersion": "1.0.0.0", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", - "MachineType": "I386", + "InternalName": "aswVmm.sys", + "Copyright": "Copyright (c) 2013 AVAST Software", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "WRITE_REGISTER_BUFFER_USHORT", - "WRITE_REGISTER_BUFFER_ULONG", - "IofCompleteRequest", - "WRITE_REGISTER_BUFFER_UCHAR", - "IoCreateDevice", - "KeTickCount", - "MmMapIoSpace", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", - "MmUnmapIoSpace", - "RtlInitUnicodeString", + "memcpy", + "IoDeleteDevice", + "ZwClose", "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ExDeleteResourceLite", + "IoReleaseRemoveLockAndWaitEx", + "KeCancelTimer", + "ExFreePoolWithTag", + "IoUnregisterShutdownNotification", + "KeSetTimerEx", + "KeInitializeDpc", + "KeInitializeTimerEx", "IoCreateSymbolicLink", - "IoDeleteDevice", - "RtlUnwind", + "KeInitializeEvent", + "IoRegisterShutdownNotification", + "RtlAppendUnicodeToString", + 
"RtlCopyUnicodeString", + "ExAllocatePoolWithTag", + "ExInitializeResourceLite", + "IoAcquireRemoveLockEx", + "IoInitializeRemoveLockEx", + "IoIsWdmVersionAvailable", + "KeQueryActiveProcessors", + "InitSafeBootMode", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "_allrem", + "_alldiv", + "MmUnmapIoSpace", + "MmMapIoSpace", + "MmFreePagesFromMdl", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "IoReleaseRemoveLockEx", + "IofCompleteRequest", + "KeLeaveCriticalRegion", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "KeEnterCriticalRegion", + "ExAcquireResourceSharedLite", + "IoFreeMdl", + "MmUnlockPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "RtlLookupElementGenericTableAvl", + "RtlDeleteElementGenericTableAvl", + "RtlInsertElementGenericTableAvl", + "_aullshr", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "RtlInitializeGenericTableAvl", + "RtlEnumerateGenericTableAvl", + "RtlIsGenericTableEmptyAvl", + "ZwOpenFile", + "_allshr", + "_allmul", + "MmIsAddressValid", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "PsGetProcessWin32Process", + "IoGetCurrentProcess", + "IoQueueWorkItem", + "IoAllocateWorkItem", + "MmAllocateContiguousMemorySpecifyCache", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "PsRemoveLoadImageNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsSetCreateProcessNotifyRoutine", + "KeResetEvent", + "KeSetEvent", + "MmGetPhysicalMemoryRanges", + "MmAllocatePagesForMdl", + "RtlCheckRegistryKey", + "RtlCompareUnicodeString", + "ZwCreateKey", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "KeWaitForSingleObject", + "KeSetSystemAffinityThread", + "KeSetPriorityThread", + "ObReferenceObjectByHandle", + "PsThreadType", + "PsCreateSystemThread", + "KeWaitForMultipleObjects", + "DbgPrint", + "MmFreeMappingAddress", + "MmAllocateMappingAddress", + "ProbeForRead", + "ExGetPreviousMode", + "KeTickCount", "KeBugCheckEx", - 
"HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset" + "_allshl", + "memset", + "ObfDereferenceObject", + "ZwSetSecurityObject", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlUnwind", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwCreateSection", + "KfLowerIrql", + "KeGetCurrentIrql", + "KeRaiseIrqlToDpcLevel" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -20227,13 +5425,6 @@
 "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
- {
- "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
- "ValidFrom": "2011-04-13 10:00:00",
- "ValidTo": "2019-04-13 10:00:00",
- "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
 {
 "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
 "ValidFrom": "2012-10-18 00:00:00",
@@ -20242,24 +5433,38 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CZ, ST=Praha, L=Praha 4, O=AVAST Software, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=AVAST Software", + "ValidFrom": "2011-01-31 00:00:00", + "ValidTo": "2014-01-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", 
+ "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0dd6d671fe0364d43b632131417e7b3f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -20267,132 +5472,265 @@ } ], "Tags": [ - "NTIOLib.sys" - ] + "aswVmm.sys" + ], + "yara": true }, { - "Id": "33a9c9ae-5ca3-442d-9f0f-2615637c1c57", + "Id": "47a351ee-8abe-40d8-bc2b-557390fa0945", "Author": "Michael Haag", - "Created": "2023-02-28", + "Created": "2023-01-09", "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", + "Category": "vulnerable driver", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create ntbios_2.sys binPath=C:\\windows\\temp \\n \\n \\n tbios_2.sys type=kernel && sc.exe start ntbios_2.sys", - "Description": "Driver used in the Daxin malware campaign.", + "Command": "sc.exe create Lv561av.sys binPath=C:\\windows\\temp\\Lv561av.sys type=kernel && sc.exe start Lv561av.sys", + "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "ntbios_2.sys", - "MD5": "50b39072d0ee9af5ef4824eca34be6e3", - "SHA1": "064de88dbbea67c149e779aac05228e5405985c7", - "SHA256": "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c", - "Signature": "Unsigned", - "Date": "3:04 AM 5/18/2009", - "Publisher": "n/a", - "Company": "Microsoft Corporation", - "Description": "ntbios driver", - "Product": " Microsoft(R) Windows (R) NT Operating System", - "ProductVersion": "5, 0, 2, 1", - "FileVersion": "5, 0, 2, 1", - "MachineType": "I386", - "OriginalFilename": "ntbios.sys", + "Filename": "Lv561av.sys", + "MD5": "b47dee29b5e6e1939567a926c7a3e6a4", + "SHA1": "351cbd352b3ec0d5f4f58c84af732a0bf41b4463", + "SHA256": "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4", + "Signature": [ + "Logitech Inc", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "Logitech Inc.", + "Description": "Logitech Video Driver", + "Product": "Logitech Webcam Software", + "ProductVersion": "12.00.1278.0", + "FileVersion": "12.00.1278.0", + "MachineType": "AMD64", + "OriginalFilename": "Lv561av.sys", "Authentihash": { - "MD5": "a8e3b56b72814a842b557bfb6638b484", - "SHA1": "50231e21b8d8b2916d0fd53f3f58c6314473de1f", - "SHA256": "59177fb7a0b11837368af1cc115f0d011ea19551070bd153795204ae1bd12e52" + "MD5": "92a9fa0ebbb45b600397611e247710b1", + "SHA1": "ed3e97c7290768216c5b3abbd4a29dde856eb3c7", + "SHA256": "c54ffa9a32cd99972ca905dcf99e20f8429e3cfd45bc1ddf4f9af8b3ed688c88" }, - "InternalName": "ntbio.sys", - "Copyright": "版权所有 (C) 2003", + "InternalName": "Lv561av.sys", + "Copyright": "(c) 1996-2009 Logitech. 
All rights reserved.", "Imports": [ - "NTOSKRNL.EXE", - "HAL.DLL", + "NTOSKRNL.exe", "ntoskrnl.exe", - "NDIS.SYS" + "HAL.DLL", + "USBD.SYS", + "ks.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnlockPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "IoGetCurrentProcess", - "_stricmp", - "IoFreeWorkItem", - "RtlFreeUnicodeString", - "ZwClose", + "KeWaitForSingleObject", + "IoBuildSynchronousFsdRequest", "ZwWriteFile", + "ExFreePool", + "RtlQueryRegistryValues", + "RtlInitAnsiString", + "RtlCompareMemory", + "ExAllocatePoolWithTag", + "KeReleaseMutex", + "ZwClose", + "KeDelayExecutionThread", + "DbgPrint", + "RtlFreeUnicodeString", + "ObfDereferenceObject", "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "_strnicmp", - "RtlUnwind", - "RtlCopyUnicodeString", - "wcsncmp", - "swprintf", - "IoCreateDevice", - "IoCreateSymbolicLink", - "KeInitializeSpinLock", - "ExfInterlockedInsertTailList", + "KeSetPriorityThread", + "ObReferenceObjectByHandle", "RtlInitUnicodeString", - "MmMapLockedPagesSpecifyCache", - "IoFreeMdl", - "InterlockedDecrement", - "InterlockedIncrement", - "InterlockedExchange", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "ExfInterlockedRemoveHeadList", + "PsCreateSystemThread", + "KeSetEvent", + "KeResetEvent", + "RtlWriteRegistryValue", + "KeInitializeMutex", + "swprintf", + "RtlAnsiStringToUnicodeString", + "KeInitializeEvent", + "sprintf", + "PsTerminateSystemThread", + "IoIsWdmVersionAvailable", + "RtlUnicodeStringToInteger", + "IoOpenDeviceRegistryKey", + "ZwQueryValueKey", + "ExDeleteNPagedLookasideList", + "KeAcquireSpinLockRaiseToDpc", + "vsprintf", + "ExInitializeNPagedLookasideList", + "ExpInterlockedPushEntrySList", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "ExDeletePagedLookasideList", + "DbgBreakPoint", + "ExQueryDepthSList", + "ExInitializePagedLookasideList", + "ZwOpenKey", + "ZwCreateKey", + "ZwSetValueKey", + "KeBugCheckEx", + "ExAllocatePool", + 
"IoAllocateWorkItem", + "IoQueueWorkItem", + "IoFreeWorkItem", + "IoAllocateDriverObjectExtension", + "IoGetDriverObjectExtension", + "ExInterlockedInsertTailList", + "ExInterlockedRemoveHeadList", + "IoAllocateIrp", + "IoReleaseRemoveLockEx", + "IoInitializeRemoveLockEx", + "KeInitializeTimerEx", + "KeInitializeDpc", + "KeCancelTimer", + "IoAcquireRemoveLockEx", + "IoReleaseRemoveLockAndWaitEx", + "KeSetTimerEx", + "IoFreeIrp", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "IoGetAttachedDeviceReference", + "KeInitializeSemaphore", + "IoCancelIrp", + "KeReleaseSemaphore", + "KeSetTimer", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "IofCompleteRequest", - "ExAllocatePoolWithTag", - "strncmp", - "ExFreePool", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeInitializeApc", - "KeInsertQueueApc", - "KeAttachProcess", - "KeDetachProcess", - "NtQuerySystemInformation", - "NdisAllocatePacket", - "NdisCopyFromPacketToPacket", - "NdisAllocateMemory", - "NdisFreePacket", - "NdisAllocateBuffer", - "NdisSetEvent", - "NdisResetEvent", - "NdisFreeBufferPool", - "NdisFreePacketPool", - "NdisFreeMemory", - "NdisWaitEvent", - "NdisQueryAdapterInstanceName", - "NdisOpenAdapter", - "NdisInitializeEvent", - "NdisAllocatePacketPool", - "NdisRegisterProtocol", - "NdisAllocateBufferPool", - "NdisCloseAdapter", - "NdisDeregisterProtocol" + "IoInitializeIrp", + "IofCallDriver", + "ExInterlockedInsertHeadList", + "_snwprintf", + "IoCreateSynchronizationEvent", + "ObReferenceObjectByPointer", + "ExEventObjectType", + "KeClearEvent", + "RtlGUIDFromString", + "IoBuildDeviceIoControlRequest", + "IoGetDeviceInterfaces", + "wcsrchr", + "RtlCompareUnicodeString", + "IoGetDeviceObjectPointer", + "PoRequestPowerIrp", + "KeWaitForMultipleObjects", + "__C_specific_handler", + "PsGetCurrentProcessId", + "KeQueryPerformanceCounter", + "USBD_ParseConfigurationDescriptorEx", + "USBD_CreateConfigurationRequestEx", + "KsGenerateEvents", + "KsGetNextSibling", + 
"KsGetFirstChild", + "KsInitializeDriver", + "KsGetDeviceForDeviceObject", + "KsGetPinFromIrp", + "KsGetObjectFromFileObject", + "KsCreateFilterFactory", + "KsRemoveItemFromObjectBag", + "_KsEdit", + "KsGetFilterFromIrp", + "KsAddItemToObjectBag", + "KsGetDevice", + "KsStreamPointerSetStatusCode", + "KsPinGetReferenceClockInterface", + "KsPinAttemptProcessing", + "KsPinGetLeadingEdgeStreamPointer", + "KsStreamPointerGetIrp", + "KsStreamPointerClone", + "KsStreamPointerUnlock", + "KsStreamPointerDelete", + "KsStreamPointerAdvance", + "KsDefaultAddEventHandler" ], - "Signatures": {} + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use 
at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Fremont, O=Logitech Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Corp Signing Cert, CN=Logitech Inc", + "ValidFrom": "2008-10-16 00:00:00", + "ValidTo": "2009-10-18 23:59:59", + "Signature": "7396fd0ff8c118ba1edfe61826659c9a4d1caba239a7bb9164af558e6fc65912775dd0bac6f416c6c96c9564305e96c1b145aa763efe80899d84da79088af91a2c4bcff47a7189b3cd60046333c40f990889440f834b085078dcb3c58ced4ef1bef5c2f7bbbfc8c77e6a96a28783a7fb009b0d7c20675834596910c97c14e27a0ff0b9af89cd6f2f8d7b450dbe59db6b5738bed3f2b6740cb0a8ee8afa3fadd4bf11f3553ea047d8d7d3188d63418ed6f0da617e7c4a4044e385e57fcf716eee853aa0a003356c64c93293ef5eb1f7133e8cd72146051f16e031f369e76a955316195d1c62540ec376bdfb60d68bf2718b33355d282c032bcd955b9f794141e5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0d843ade545afbd252e70cc6e845b7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] } ], "Tags": [ - "ntbios_2.sys" - ] + "Lv561av.sys" + ], + "yara": true }, { "Id": "722772ee-a461-48ec-933d-f3df1578963e", 
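Review bot: The `Imports` list of the new Lv561av.sys sample contains both `"NTOSKRNL.exe"` and `"ntoskrnl.exe"`; if that is two import descriptors in the PE it is faithful to the binary, but a case-insensitive consumer or a name-based rule will count them as one module, so either deduplicate case-insensitively at generation time or document that the list is verbatim from the import table. The `Resources` array again carries the Microsoft block-rules URL twice, once with a leading space, as on the aswVmm.sys entry. The removed ntbios_2.sys line shows a `binPath=C:\\windows\\temp \\n \\n \\n tbios_2.sys` garbling where the `\\n` of the file name was turned into newline escapes, and the same corruption appears on the new-side ncpl.sys entry in the next hunk (which runs past the end of this view); since every other entry follows `binPath=C:\\windows\\temp\\<Filename>`, regenerating that field from `Filename` would be safer than a hand edit.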
@@ -20589,91 +5927,159 @@ ], "Tags": [ "BlackBoneDrv10.sys" - ] + ], + "yara": false }, { - "Id": "d158321b-4d56-49c5-9a18-bcff9f4a2ebe", + "Id": "8ff4ab50-05b7-4bfa-b994-1920c4ed4978", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create BS_HWMIo64.sys binPath=C:\\windows\\temp\\BS_HWMIo64.sys type=kernel && sc.exe start BS_HWMIo64.sys", - "Description": "", + "Command": "sc.exe create ncpl.sys binPath=C:\\windows\\temp \\n \\n \\n cpl.sys type=kernel && sc.exe start ncpl.sys", + "Description": "ncpl.sys is a vulnerable driver. CVE-2013-3956.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "BS_HWMIo64.sys", - "MD5": "338a98e1c27bc76f09331fcd7ae413a5", - "SHA1": "9c24dd75e4074041dbe03bf21f050c77d748b8e9", - "SHA256": "60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813", + "Filename": "ncpl.sys", + "MD5": "a26e600652c33dd054731b4693bf5b01", + "SHA1": "bbc1e5fd826961d93b76abd161314cb3592c4436", + "SHA256": "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44", "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "Novell, Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Company": "Novell, Inc.", + "Description": "Novell Client Portability Layer", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "FileVersion": "3.1.11.0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "NICM.SYS", "Authentihash": { - "MD5": "d6f9dc5cd435d1c210cd4053886b9f36", - "SHA1": "3281135748c9c7a9ddace55c648c720af810475f", - "SHA256": "3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75" + "MD5": "f3387f3cdaec9306dcc5205eebaf3faf", + "SHA1": "eecf71aa5767c90ead5f86f5438951f4c764b655", + "SHA256": "7b68763c39b45534854ec382434fd5a9640942c1f7393857af642ee327d4c570" }, "InternalName": "", - "Copyright": "", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeSemaphore", - "IoCreateSymbolicLink", - "IoCreateDevice", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ZwCreateKey", + "ExFreePoolWithTag", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlInitUnicodeString", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwEnumerateValueKey", + "ZwClose", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwOpenKey", + "DbgPrintEx", + "RtlUpcaseUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlUnicodeStringToAnsiString", + "RtlUnicodeStringToOemString", + "RtlFreeUnicodeString", + "RtlOemStringToUnicodeString", + "RtlFreeAnsiString", + "DbgPrint", + "KeReleaseSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "RtlInitString", + "RtlEqualUnicodeString", + "RtlCompareString", + "RtlCopyString", + "KeReleaseMutex", + "RtlEqualString", + "RtlUnicodeStringToInteger", + "ExAcquireResourceExclusiveLite", + "KeResetEvent", + "KeInitializeMutex", + "KeLeaveCriticalRegion", "KeSetEvent", - "MmUnmapIoSpace", - "KeDelayExecutionThread", + "ExIsResourceAcquiredSharedLite", + "ExIsResourceAcquiredExclusiveLite", + "KeEnterCriticalRegion", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "KeWaitForMultipleObjects", + "KeSetPriorityThread", + "IoDeleteDevice", + "IoCreateDevice", "PsCreateSystemThread", - "IoStartNextPacket", "PsTerminateSystemThread", - "ExEventObjectType", - "MmMapIoSpace", - "IoDeleteDevice", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "ObfDereferenceObject", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "IoStartPacket", - "IofCompleteRequest", - 
"KeRemoveEntryDeviceQueue", + "RtlCompareMemory", + "IoUninitializeWorkItem", + "IoFreeWorkItem", + "KeInitializeDpc", + "KeInitializeTimer", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "KeSetTimer", + "IoInitializeWorkItem", + "IoQueueWorkItem", + "KeCancelTimer", "KeBugCheckEx", - "RtlInitUnicodeString", - "ZwClose", - "IoDeleteSymbolicLink", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "RtlCompareUnicodeString", + "KeInitializeEvent", + "NicmCreateInstance" ], "Signatures": [ { 
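Review bot: The new Command for the ncpl.sys record does not contain a usable path: `binPath=C:\\windows\\temp \\n \\n \\n cpl.sys` has the `\\ncpl.sys` suffix pulled apart by spaces, while every sibling record uses the `C:\\windows\\temp\\<driver>` form (compare the d.sys Command later in this diff). Unless this is only a rendering artefact of the page rather than the file's content, it should read `binPath=C:\\windows\\temp\\ncpl.sys`. The same record's `Resources` array has two strings with a leading space and a third that joins two URLs with " and ", so a consumer that treats each element as one URL receives three unusable values; one trimmed URL per element is what the rest of the file expects. The ncpl.sys sample object continues past the end of this hunk.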
@@ -20695,31 +6101,31 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2013-08-26 00:00:00", - "ValidTo": "2016-11-24 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2010-04-03 00:00:00", + "ValidTo": "2013-04-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 
17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "32ba71c02f695ce02de7e6be26c4e481", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } 
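Review bot: The Subject and Issuer strings on the new side render hyphens as commas: `CN=VeriSign Class 3 Code Signing 2009,2 CA` here, while the same sample's Signature array in the preceding hunk names it "VeriSign Class 3 Code Signing 2009-2 CA", and `Certification Authority , G5` / `Services Signer , G2` follow the same pattern. Anything that compares these DN fields, in particular `Signer[].Issuer`, against a chain parsed from a real file will never match, so the fields are only useful for display as they stand. This looks like an artefact of whatever generates drivers.json rather than a hand edit, so it is better fixed in the generator and regenerated than patched in the JSON; the next hunk (`GIGA,BYTE Technology Co., Ltd.`, `Time Stamping Services CA , G2`) shows the same defect.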
@@ -20727,421 +6133,188 @@ } ], "Tags": [ - "BS_HWMIo64.sys" - ] + "ncpl.sys" + ], + "yara": true }, { - "Id": "8750b245-af35-4bc6-9af3-dc858f9db64f", - "Author": "Michael Haag", - "Created": "2023-04-05", + "Id": "56cdac8e-d87d-49c8-b281-6e096c2390d1", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create blacklotus_driver.sys binPath=C:\\windows\\temp\\blacklotus_driver.sys type=kernel && sc.exe start blacklotus_driver.sys", - "Description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Once the persistence is configured, the BlackLotus bootkit is executed on every system start. The bootkits goal is to deploy a kernel driver and a final user-mode component.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create gvcidrv64.sys binPath=C:\\windows\\temp\\gvcidrv64.sys type=kernel && sc.exe start gvcidrv64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/" + "Internal Research" ], "Acknowledgement": { - "Person": "Martin Smolár, ESET", + "Person": [], "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "0x3440_blacklotus_v2_driver.sys", - "MD5": "4ad8fd9e83d7200bd7f8d0d4a9abfb11", - "SHA1": "17fa047c1f979b180644906fe9265f21af5b0509", - "SHA256": "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gvcidrv64.sys", + "MD5": 
"1a22a85489a94db6ff68cd624ef43bad", + "SHA1": "d302ae7f016299af323a3542d840004888ab91ff", + "SHA256": "a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48", "Authentihash": { - "MD5": "f5742f4fb216979627236a799f614c43", - "SHA1": "5aba7fa2330d68a679c18cfa2c652ac8b3b4770d", - "SHA256": "83ac9bf01c2d2ab0f66782fade462864f42b86e53dc455e1441c2a16d0ec2847" + "MD5": "ad8e307b0233a1b6548414390c31f9af", + "SHA1": "4a04ad93f7f4dccca551dc0fea7b9b22f557e39b", + "SHA256": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67" }, - "InternalName": "", - "Copyright": "", - "Imports": [], - "ExportedFunctions": [ - "restore" - ], - "ImportedFunctions": "", - "Signatures": {} - }, - { - "Filename": "0x3040_blacklotus_beta_driver.sys", - "MD5": "a42249a046182aaaf3a7a7db98bfa69d", - "SHA1": "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b", - "SHA256": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "188d812252f224a8ea618f8e9f1fdadb", - "SHA1": "ede3868d6bb27bee5c0b9a71fef486e405d59816", - "SHA256": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d" - }, - "InternalName": "", - "Copyright": "", - "Imports": [], - "ExportedFunctions": [ - "restore" - ], - "ImportedFunctions": "", - "Signatures": {} - }, - { - "Filename": "0x3040_blacklotus_beta_driver.sys", - "MD5": "a42249a046182aaaf3a7a7db98bfa69d", - "SHA1": "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b", - "SHA256": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", - "Signature": [], - "Date": "", - "Publisher": "", "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "188d812252f224a8ea618f8e9f1fdadb", - "SHA1": 
"ede3868d6bb27bee5c0b9a71fef486e405d59816", - "SHA256": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d" - }, "InternalName": "", - "Copyright": "", - "Imports": [], - "ExportedFunctions": [ - "restore" - ], - "ImportedFunctions": "", - "Signatures": {} - }, - { - "Filename": "blacklotus_beta_driver.sys", - "SHA1": "4B882748FAF2C6C360884C6812DD5BCBCE75EBFF", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "blacklotus_beta_driver_2.sys", - "SHA1": "91F832F46E4C38ECC9335460D46F6F71352CFFED", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "blacklotus_beta_driver_3.sys", - "SHA1": "994DC79255AEB662A672A1814280DE73D405617A", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "blacklotus_beta_driver_4.sys", - "SHA1": "FFF4F28287677CAABC60C8AB36786C370226588D", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", + "OriginalFilename": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "blacklotus_driver.sys" - ] - }, - { - "Id": "5261cacf-380c-4573-85ff-a643cbdf009a", - "Author": "Guus Verbeek", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create KApcHelper_x64.sys binPath=C:\\windows\\temp\\KApcHelper_x64.sys type=kernel && sc.exe start KApcHelper_x64.sys", - "Description": "Vulnerable driving using the stolen Nvidia Certificate.", - 
"Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "KApcHelper_x64.sys", - "MD5": "0f16a43f7989034641fd2de3eb268bf1", - "SHA1": "cc65bf60600b64feece5575f21ab89e03a728332", - "SHA256": "d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", "Product": "", "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "adb7de0467bd3f92fce34819ec656658", - "SHA1": "2c1bc3f623fd9bfdf2ecbe5403da1849c85b8433", - "SHA256": "2a30ad675142cf411e7e5f5c53c6423de570a398295b0956130a7a7d77383103" - }, - "InternalName": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "rand", - "srand", - "wcsstr", - "RtlInitUnicodeString", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExSystemTimeToLocalTime", - "MmGetSystemRoutineAddress", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoGetCurrentProcess", - "ObReferenceObjectByHandleWithTag", - "ObfDereferenceObject", - "ObfDereferenceObjectWithTag", - "MmIsAddressValid", - "PsGetProcessExitStatus", - "PsIsThreadTerminating", - "PsLookupProcessByProcessId", - "PsLookupThreadByThreadId", - "PsGetThreadProcess", - "PsIsSystemThread", - "ObOpenObjectByPointerWithTag", - "KeBugCheckEx" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "IoCreateSymbolicLink", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "IoCreateDevice", + "IofCompleteRequest", + 
"RtlCopyUnicodeString", + "DbgPrint", + "ZwClose", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", - "ValidFrom": "2011-09-02 00:00:00", - "ValidTo": "2014-09-01 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "43bb437d609866286dd839e1d00309f5", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - } - ], - "Tags": [ - "KApcHelper_x64.sys" - ] - }, - { - "Id": "fab98aaa-e4e7-4c4a-af65-c00d35cf66e9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create cpuz141.sys binPath=C:\\windows\\temp\\cpuz141.sys type=kernel && sc.exe start cpuz141.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, 
- "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "cpuz141.sys", - "MD5": "db72def618cbc3c5f9aa82f091b54250", - "SHA1": "f5696fb352a3fbd14fb1a89ad21a71776027f9ab", - "SHA256": "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d", - "Signature": [ - "CPUID", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "CPUID", - "Company": "CPUID", - "Description": "CPUID Driver", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "cpuz.sys", + "FileName": "GVCIDrv64.sys", + "MD5": "acd221ff7cf10b6117fd609929cde395", + "SHA1": "1586f121d38cc42e5d04fe2f56091e91c6cdd8fa", + "SHA256": "f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573", "Authentihash": { - "MD5": "17b67e675e778c70d3c348d5088ab514", - "SHA1": "b38b98608e410c1555a7d73056e86e1db850bb2e", - "SHA256": "33b88ac3151f2192eaf4c2be3c7ad00e49090c8b94ec51b754e19ac784b087aa" + "MD5": "ad8e307b0233a1b6548414390c31f9af", + "SHA1": "4a04ad93f7f4dccca551dc0fea7b9b22f557e39b", + "SHA256": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67" }, - "InternalName": "cpuz.sys", - "Copyright": "Copyright(C) 2016 CPUID", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", - 
"IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", "IoCreateSymbolicLink", - "ObfDereferenceObject", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "IoCreateDevice", - "IofCallDriver", - "KeBugCheckEx", - "ExFreePoolWithTag", - "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "IofCompleteRequest", + "RtlCopyUnicodeString", + "DbgPrint", + "ZwClose", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 
Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE 
Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } 
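Review bot: The gvcidrv64.sys record added in this hunk has a different shape from every sibling record, so a decoder with a fixed schema will either reject the whole document or silently lose this record's hashes: `"Commands"` is a bare string instead of the `{"Command", "Description", "Usecase", "Privileges", "OperatingSystem"}` object, `"Description": []` and the Acknowledgement `"Person": []` are arrays where the siblings use strings, both samples use `"FileName"` where the rest of the file uses `"Filename"`, and `"CertificatesInfo": []` replaces the `""` used elsewhere. Normalising it means wrapping the command into the usual object, turning the two empty arrays into `""`, renaming `"FileName"` to `"Filename"` in both samples, and keeping `"CertificatesInfo": ""`. The second sample's Subject `??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization` also shows the DN serialiser printing unknown attribute types and non-ASCII text as `?`, which leaves that field unusable for matching; that, too, is a generator problem rather than something to hand-edit. The enclosing record continues past the end of this hunk.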
@@ -21149,61 +6322,19 @@
 }
 ],
 "Tags": [
- "cpuz141.sys"
- ]
- },
- {
- "Id": "7196366e-04f0-4aaf-9184-ed0a0d21a75f",
- "Author": "Michael Haag",
- "Created": "2023-01-09",
- "MitreID": "T1068",
- "Category": "vulnerable driver",
- "Verified": "FALSE",
- "Commands": {
- "Command": "sc.exe create t7.sys binPath=C:\\windows\\temp\\t7.sys type=kernel && sc.exe start t7.sys",
- "Description": "",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "t7.sys",
- "SHA256": "be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100",
- "Signature": [],
- "Date": "",
- "Publisher": "",
- "Company": "",
- "Description": "",
- "Product": "",
- "ProductVersion": "",
- "FileVersion": "",
- "MachineType": "",
- "OriginalFilename": ""
- }
+ "gvcidrv64.sys"
 ],
- "Tags": [
- "t7.sys"
- ]
+ "yara": false
 },
 {
- "Id": "64f3d4b0-6d2b-4275-b3d4-15d092af4092",
+ "Id": "7a7630d6-d007-4d84-a17d-81236d9693e1",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "FALSE",
 "Commands": {
- "Command": "sc.exe create fiddrv64.sys binPath=C:\\windows\\temp\\fiddrv64.sys type=kernel && sc.exe start fiddrv64.sys",
+ "Command": "sc.exe create d.sys binPath=C:\\windows\\temp\\d.sys type=kernel && sc.exe start d.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
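Review bot: The `"yara": false` field added after `"Tags"` is a JSON boolean, while `"Verified": "FALSE"` a few lines further down in the same record (and throughout the file) encodes a boolean as an upper-case string, so the file now carries two boolean encodings and a consumer has to special-case the string form. The new field is the better representation; it is worth recording that `Verified` needs the same treatment in a follow-up so the two styles are not mixed indefinitely.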
@@ -21220,22 +6351,10 @@
 "Detection": [],
 "KnownVulnerableSamples": [
 {
- "Filename": "fiddrv64.sys",
- "SHA1": "10e15ba8ff8ed926ddd3636cec66a0f08c9860a4",
- "Signature": [],
- "Date": "",
- "Publisher": "",
- "Company": "",
- "Description": "",
- "Product": "",
- "ProductVersion": "",
- "FileVersion": "",
- "MachineType": "",
- "OriginalFilename": ""
- },
- {
- "Filename": "fiddrv64.sys",
- "SHA1": "e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab",
+ "Filename": "d.sys",
+ "MD5": "a60c9173563b940203cf4ad38ccf2082",
+ "SHA1": "a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0",
+ "SHA256": "c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8",
 "Signature": [],
 "Date": "",
 "Publisher": "",
@@ -21244,213 +6363,101 @@ "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "fiddrv64.sys" - ] - }, - { - "Id": "aa687f89-4f3b-4b59-b64e-fee5e2ae2310", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create wantd_2.sys binPath=C:\\windows\\temp\\wantd_2.sys type=kernel && sc.exe start wantd_2.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "wantd_2.sys", - "MD5": "8636fe3724f2bcba9399daffd6ef3c7e", - "SHA1": "3b6b35bca1b05fafbfc883a844df6d52af44ccdc", - "SHA256": "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f", - "Signature": "Signed", - "Date": "7:52 AM 4/30/2014", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", - "Company": "Microsoft Corporation", - "Description": "WAN Transport Driver", - "Product": "Microsoft Windows Operating System", - "ProductVersion": "6.1.7600.938", - "FileVersion": "6.1.7600.938", - "MachineType": "AMD64", - "OriginalFilename": "wantd.sys", + "MachineType": "I386", + "OriginalFilename": "", "Authentihash": { - "MD5": "4b7d15fe072cc44bb427206b295f861d", - "SHA1": "2edc9b891f72f204bee80618058f921a3f6fb5a1", - "SHA256": "25d16b2b53fc7b52a65616ab7fc04a503946c20fe96556681bfaddd589401f4a" + "MD5": "19dd018ebddfa9044b05fbb9ddffd7f9", + "SHA1": "80111a99c4f127cca12f1902ca241b3e65f339ff", + "SHA256": "a4ca4a0932afa09e8df3469768f5ac6feaff2b7ae27ac208a218288fc4fbf102" }, - "InternalName": 
"wantd.sys", - "Copyright": "Microsoft Corporation. All rights reserved.", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoAllocateMdl", + "KeInitializeEvent", + "ObReferenceObjectByHandle", + "ZwClose", + "ObfDereferenceObject", + "PsCreateSystemThread", + "IoGetCurrentProcess", "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "_wcsnicmp", + "strchr", + "ZwCreateFile", + "RtlInitUnicodeString", "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", - "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "ZwQuerySystemInformation", - "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", - "RtlImageDirectoryEntryToData", + "ZwQueryInformationFile", "KeDetachProcess", - "KeDelayExecutionThread", - "wcsncmp", - "ZwCreateFile", - "PsCreateSystemThread", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeAttachProcess", - "PsGetVersion", - "PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", + "ProbeForRead", "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "IoCreateDevice", - "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "DbgPrint", - "PsLookupThreadByThreadId", - "RtlLengthSid", - "RtlCreateSecurityDescriptor", + "KeAttachProcess", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ObOpenObjectByName", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", + "PsGetCurrentProcessId", + "ProbeForWrite", + "wcsstr", + "ObQueryNameString", + 
"IoFileObjectType", + "SeSinglePrivilegeCheck", + "KeGetPreviousMode", + "KeDelayExecutionThread", "ZwAllocateVirtualMemory", + "ZwQuerySection", + "ExfInterlockedInsertTailList", + "ExFreePoolWithTag", + "sprintf", + "RtlVolumeDeviceToDosName", + "IoGetDeviceObjectPointer", + "MmSectionObjectType", + "strstr", + "_strlwr", + "PsProcessType", + "PsSetCreateProcessNotifyRoutine", + "KeInitializeSpinLock", + "PsThreadType", + "PsTerminateSystemThread", + "vsprintf", + "KeQuerySystemTime", + "ExfInterlockedRemoveHeadList", + "NtBuildNumber", + "ExAllocatePoolWithTag", "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "ZwOpenFile", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", - "ZwDeviceIoControlFile", - "IofCompleteRequest", - "ZwClose", - "MmMapLockedPagesSpecifyCache", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "ZwWaitForSingleObject", - "RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", - "NdisFreeMemory", - "NdisCopyFromNetBufferToNetBuffer", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "ZwEnumerateKey", + "ZwDeleteKey", + "_except_handler3", + "swprintf", + "_wcsnicmp", + "ZwQuerySystemInformation", + "PsLookupProcessByProcessId", + "wcstombs", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KfAcquireSpinLock", + "KfReleaseSpinLock" ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] + "Signatures": {} } ], "Tags": [ - "wantd_2.sys" - ] + "d.sys" + ], + "yara": false }, { - "Id": "193df066-c27c-4343-a4eb-ad2ac417a4cc", + "Id": "90e8600a-9b5c-4153-bb06-1d8fbe0ef232", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create nt5.sys binPath=C:\\windows\\temp \\n \\n \\n t5.sys type=kernel && sc.exe start nt5.sys", + "Command": "sc.exe create nstr.sys binPath=C:\\windows\\temp \\n \\n \\n str.sys type=kernel && sc.exe start nstr.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", @@ -21467,8 +6474,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "nt5.sys", - "SHA256": "fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533", + "Filename": "nstr.sys", + "SHA256": "455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b", "Signature": [], "Date": "", "Publisher": "", 
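Review bot: The new `+ "Signatures": {}` on the d.sys sample is an empty object, whereas every other sample in this diff gives `Signatures` as an array of objects (`"Signatures": [ { "CertificatesInfo": ... } ]`), so the field's type now depends on whether signature data was extracted and a consumer decoding it into a list will fail on this one entry. Prefer `"Signatures": []` for the no-data case so the shape stays stable across samples. Separately, the added `"Command"` for nstr.sys reads `binPath=C:\\windows\\temp \\n \\n \\n str.sys`, which looks like a `\n` escape artifact in whatever produced the path; the sibling entries use `C:\\windows\\temp\\<name>.sys`, so this one presumably should read `binPath=C:\\windows\\temp\\nstr.sys`, and the same artifact was already present on the removed nt5.sys line, so the generator rather than this record is the likely place to fix it. The nstr.sys entry continues into the next hunk.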
@@ -21482,26 +6489,27 @@
 }
 ],
 "Tags": [
- "nt5.sys"
- ]
+ "nstr.sys"
+ ],
+ "yara": false
 },
 {
- "Id": "4d365dd0-34c3-492e-a2bd-c16266796ae5",
+ "Id": "3c5c8c6e-b14e-40d5-b231-c0be0f9b3932",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create ALSysIO64.sys binPath=C:\\windows\\temp\\ALSysIO64.sys type=kernel && sc.exe start ALSysIO64.sys",
+ "Command": "sc.exe create AsUpIO64.sys binPath=C:\\windows\\temp\\AsUpIO64.sys type=kernel && sc.exe start AsUpIO64.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
 "OperatingSystem": "Windows 10"
 },
 "Resources": [
- " https://github.com/namazso/physmem_drivers",
- "https://github.com/namazso/physmem_drivers"
+ " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"
 ],
 "Acknowledgement": {
 "Person": "",
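Review bot: The added `Resources` entries for AsUpIO64.sys are the same URL twice, the first with a leading space (`" https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"`), which reproduces the duplicate-with-whitespace pattern of the removed pair instead of fixing it. Leading whitespace breaks naive URL handling and exact-match de-duplication, and the second copy adds nothing; a single trimmed entry, `"Resources": [ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ]`, carries the same information. If this list is machine-generated, the trim and dedupe belong in the generator so every entry in the file gets them. The AsUpIO64.sys entry continues past the end of this hunk.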
@@ -21510,220 +6518,842 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "ALSysIO64.sys", - "MD5": "13dda15ef67eb265869fc371c72d6ef0", - "SHA1": "2f991435a6f58e25c103a657d24ed892b99690b8", - "SHA256": "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d", + "Filename": "AsUpIO64.sys", + "MD5": "1392b92179b07b672720763d9b1028a5", + "SHA1": "8b6aa5b2bff44766ef7afbe095966a71bc4183fa", + "SHA256": "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", "Signature": [ - "Artur Liberman", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "Artur Liberman", - "Company": "Arthur Liberman", - "Description": "ALSysIO", - "Product": "ALSysIO", - "ProductVersion": "2.0.8.0", - "FileVersion": "2.0.8.0", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "ALSysIO.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "86be5dbedcfcd517b9b602436cd985eb", - "SHA1": "7a9981f1bca18e2f624fe806c753a14dfd970c4e", - "SHA256": "ca829178d01990c8d1d6a681dee074a53f0dd873fd8eef6f6161c682449ec8c5" + "MD5": "1e97ead4c5049f8fefe2b72edd5fa90e", + "SHA1": "2a95f882dd9bafcc57f144a2708a7ec67dd7844c", + "SHA256": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057" }, - "InternalName": "ALSysIO.sys", - "Copyright": "Copyright (C) 2003-2009 Arthur Liberman", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwClose", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", + "IoCreateSymbolicLink", + 
"IoCreateDevice", + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing 
Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + } + ], + "Tags": [ + "AsUpIO64.sys" + ], + "yara": false + }, + { + "Id": "a0fbd397-64d5-4af2-844b-b096e08a1866", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create libnicm.sys binPath=C:\\windows\\temp\\libnicm.sys type=kernel && sc.exe start libnicm.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "libnicm.sys", + "MD5": "7a6a6d6921cd1a4e1d61f9672a4560d6", + "SHA1": "cb5229acdf87493e45d54886e6371fc59fc09ee5", + "SHA256": "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a", + "Authentihash": { + "MD5": "8804d6be09e294ab07e2691ca91e67a5", + "SHA1": "ffe0a81f1e2aee5cb4c5720da8d3ab2cdec52dc1", + "SHA256": "6aa427e7230a2b077bfecade35ffff67b2f15c051cf92fd207a3412c747f83c3" + }, + "Description": "Novell XTCOM Services Driver", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "libnicm.sys", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" + ], + "ImportedFunctions": [ + "ExAcquireResourceExclusiveLite", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "strstr", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "MmUnmapLockedPages", + "ProbeForRead", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "KeInitializeMutex", + "KeLeaveCriticalRegion", "IoDeleteDevice", + "ProbeForWrite", + "IoFreeMdl", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", "ZwClose", "IofCompleteRequest", + "IoSetTopLevelIrp", + "KeWaitForSingleObject", + "MmProbeAndLockPages", + "MmUnlockPages", + "ExDeleteResourceLite", + "IoGetTopLevelIrp", "IoCreateSymbolicLink", "IoCreateDevice", - "IoBuildDeviceIoControlRequest", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", + "IoAllocateMdl", + "RtlCreateSecurityDescriptor", + "IoGetCurrentProcess", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "RtlInitUnicodeString", + "RtlAppendUnicodeToString", + "RtlUnicodeStringToAnsiString", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", + "MmIsAddressValid", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwLoadDriver", + "ZwOpenKey", + "KeBugCheckEx", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", 
+ "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", + "ValidFrom": "2021-09-02 18:32:59", + "ValidTo": "2022-09-01 18:32:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", + "ValidFrom": "2011-07-08 20:59:09", + "ValidTo": "2026-07-08 21:09:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000002528b33aaf895f339db000000000252", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + } + ] + } + ] + }, + { + "FileName": "libnicm.sys", + "MD5": "cfad9185ffcf5850b5810c28b24d5fc8", + "SHA1": "87f313fc30ec8759b391e9d6c08f79b02f3ecebd", + "SHA256": "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b", + "Authentihash": { + "MD5": "e30ca4b88f80e5441aee1a7102dccf9a", + "SHA1": "5e68ae28b2e80d0045c01affba7c76f649241fb6", + "SHA256": "c5647d315fb5ca1dcf4b063ea3f54003e2545739871519b8f2c98dc5baf66bac" + }, + "Description": "Novell XTCOM Services Driver", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "libnicm.sys", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2008, Novell, Inc. 
All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" + ], + "ImportedFunctions": [ + "ExFreePoolWithTag", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "ExAcquireResourceExclusiveLite", + "ExAllocatePoolWithTag", + "strstr", + "IoFreeMdl", + "RtlCreateSecurityDescriptor", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", + "ZwClose", + "IofCompleteRequest", + "IoSetTopLevelIrp", + "MmUnmapLockedPages", + "KeWaitForSingleObject", + "ProbeForRead", + "MmProbeAndLockPages", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "MmUnlockPages", + "KeInitializeMutex", + "ExDeleteResourceLite", + "KeLeaveCriticalRegion", + "IoGetTopLevelIrp", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoCreateDevice", + "ProbeForWrite", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", + "IoAllocateMdl", + "IoGetCurrentProcess", + "ZwLoadDriver", + "ZwReadFile", + "RtlInitUnicodeString", + "ZwOpenKey", + "RtlAppendUnicodeToString", + "RtlUnicodeStringToAnsiString", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", + "MmIsAddressValid", + "ZwCreateKey", + "ZwOpenFile", + "RtlAnsiStringToUnicodeString", + "ZwQueryInformationFile", + "KeBugCheckEx", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { 
+ "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "libnicm.sys", + "MD5": "0809f48fd30845d983d569b847fa83cf", + "SHA1": "c02cb8256dfb37f690f2698473fe5428d17bc178", + "SHA256": "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e", + "Authentihash": { + "MD5": "1fd61feb0c5b905441426742e69ec997", + "SHA1": "faab67dd8387e4ccb17e28f3637ccce4096bd10b", + "SHA256": "fcdf0eaf9c8effa2786c82e774974f1ef4098dcd376461bad37fd4168dcab52b" + }, + "Description": "Novell XTCOM Services Driver", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "libnicm.sys", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) 
Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" + ], + "ImportedFunctions": [ + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlEqualString", + "RtlInitAnsiString", + "strstr", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwClose", + "NtSetSecurityObject", + "ZwCreateFile", + "RtlCreateSecurityDescriptor", + "IoSetTopLevelIrp", + "IoGetTopLevelIrp", + "IofCompleteRequest", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeReleaseMutex", + "KeWaitForSingleObject", + "KeLeaveCriticalRegion", + "IoFreeMdl", + "MmUnlockPages", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "MmProbeAndLockPages", + "IoAllocateMdl", + "ProbeForWrite", + "ProbeForRead", + "KeEnterCriticalRegion", + "IoUnregisterShutdownNotification", + "IoCreateSymbolicLink", + "IoRegisterShutdownNotification", + "IoCreateDevice", + "KeInitializeMutex", + "DbgPrintEx", + "IoGetCurrentProcess", + "KeDelayExecutionThread", "RtlAnsiStringToUnicodeString", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "RtlInitAnsiString", "RtlFreeUnicodeString", + "ZwSetValueKey", "RtlInitUnicodeString", - "KeWaitForSingleObject", + "ZwCreateKey", + "RtlAppendUnicodeStringToString", + "memset", + "ZwQuerySystemInformation", + "RtlUnicodeStringToAnsiString", + "ZwQueryValueKey", + "ZwOpenKey", + "ZwOpenFile", + "RtlCopyString", "MmIsAddressValid", - "ObfDereferenceObject", - "DbgPrint", - "IofCallDriver", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "MmUnmapIoSpace", - "MmMapIoSpace", + 
"ZwWaitForSingleObject", + "ZwReadFile", + "ZwQueryInformationFile", + "RtlInitString", + "ZwQueryDirectoryFile", + "ZwLoadDriver", + "RtlAppendUnicodeToString", + "KeTickCount", "KeBugCheckEx", - "IoGetDeviceObjectPointer", - "IoDeleteSymbolicLink", - "RtlUnwindEx", - "HalGetBusDataByOffset" + "RtlUnwind" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 
Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IL, CN=Artur Liberman", - "ValidFrom": "2013-03-05 15:18:55", - "ValidTo": "2016-03-05 15:18:55", - "Signature": "affd93f5b3dc4e5d57868f2bdf7f88bc14dd94c0de331f2d4fb4712dd259d5636f7c0d06595fec79e3311d63ac012ed643277e63015bc7c87c904efb57e44eef681019638adb464e96dd90f71eee2122664c7e809b11624b1b5e472ed28d55196cfd6d1eeedaa6c1e93a9540675a8047caee8a153cecb97db6ad807061634c8989e44a66675d71ed68cf2261592b3c49e35d111f9c4f3eb290fde4830a92c4d88e65914f5b8c5133138f11ecc6d07c47499016a43ea5fca364f560db7b38337959455928e8ec7940e26dab3f33547b05c6bc73868eb5cb8473dba3f006f07638aa7c29f933d5479f33f611ab8af56350e50254b9de2bfa4be289d0d1abc2133d", + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"112124a45abbf7c551deb213b28633c3dcad", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "ALSysIO64.sys", - "MD5": "ba5f0f6347780c2ed911bbf888e75bef", - "SHA1": "f02af84393e9627ba808d4159841854a6601cf80", - "SHA256": "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa", - "Signature": [ - "Artur Liberman", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "Artur Liberman", - "Company": "Arthur Liberman", - "Description": "ALSysIO", - "Product": "ALSysIO", - "ProductVersion": "2.0.9.0", - "FileVersion": "2.0.9.0", - "MachineType": "AMD64", - "OriginalFilename": "ALSysIO.sys", + "FileName": "libnicm.sys", + "MD5": "6ae9d25e02b54367a4e93c2492b8b02e", + "SHA1": "cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed", + "SHA256": "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d", "Authentihash": { - "MD5": "966e1c16e1aa07044b733c5589f40fd7", - "SHA1": "7027b399daf84a7c24dd010c2806bf6048a230bd", - "SHA256": "ac22a7cce3795e58c974056a86a06444e831d52185f9f37db88c65e14cd5bb75" + "MD5": "e960feebe973feb9fa4ceae648439f05", + "SHA1": "85dd2e3e9e97e981542336ab7051035d5e611380", + "SHA256": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f" }, - "InternalName": "ALSysIO.sys", - "Copyright": "Copyright (C) 2003-2009 Arthur Liberman", + "Description": "Novell XTCOM Services Driver", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "libnicm.sys", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" ], - "ExportedFunctions": "", "ImportedFunctions": [ + "ExAcquireResourceExclusiveLite", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "strstr", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "MmUnmapLockedPages", + "ProbeForRead", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "KeInitializeMutex", + "KeLeaveCriticalRegion", "IoDeleteDevice", + "ProbeForWrite", + "IoFreeMdl", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", "ZwClose", "IofCompleteRequest", + "IoSetTopLevelIrp", + "KeWaitForSingleObject", + "MmProbeAndLockPages", + "MmUnlockPages", + "ExDeleteResourceLite", + "IoGetTopLevelIrp", "IoCreateSymbolicLink", "IoCreateDevice", - "IoBuildDeviceIoControlRequest", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", + "IoAllocateMdl", + "RtlCreateSecurityDescriptor", + "IoGetCurrentProcess", + "ZwCreateKey", "RtlAnsiStringToUnicodeString", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "RtlInitAnsiString", - "RtlFreeUnicodeString", + "ZwReadFile", "RtlInitUnicodeString", - "KeWaitForSingleObject", + "RtlAppendUnicodeToString", + "RtlUnicodeStringToAnsiString", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", "MmIsAddressValid", - 
"ObfDereferenceObject", - "DbgPrint", - "IofCallDriver", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "MmUnmapIoSpace", - "MmMapIoSpace", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwLoadDriver", + "ZwOpenKey", "KeBugCheckEx", - "IoGetDeviceObjectPointer", - "IoDeleteSymbolicLink", - "RtlUnwindEx", - "HalGetBusDataByOffset" + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", + "ValidFrom": "2021-09-02 18:32:59", + "ValidTo": "2022-09-01 18:32:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", + "ValidFrom": "2011-07-08 20:59:09", + "ValidTo": "2026-07-08 21:09:09", + "Signature": 
"67f286a598e054791a2ed3d87467229b0b9611e163929942967dd2790c90c1655f2e2c3ef8c372d16d83febe3fe80aca3bbf47a9a3f369db63bf2235a5975d6584907d8b465055d80c927cd21a4b1cf33c428b52d0b0fd6be33e072e299be63d1ba5d4b51d779439e2e964c9443d787a23f3137da69074838df4cb2602462ac28a10bba4a9050c9bed68fa682e95a02a3f2a6b5849631f09696e5a9896e483f4c08ff3462bdefc3bd0bd35ef6e25aee5af27edd0ddf30eaf992897984d0e3d0bf20889d61fc33218e2f0c52dce5b9eb449390ac60ac2c6adaee5b2d9db1588514558383271271a7fb1f427f8de2c3a206998b25989686e6fa7b774c3400506a6012a283e823f134d660bc0b34df5e18f7f1c6f157d45a776e5402a65a3c35d526286c31d63369786dfdaf3f8f216a19a27e1cda597d0ee5d6341e35b079c873e067706d106b1751f14be6161b5f0dcc61b04bedf41c70e28eede652fec97f6a15c96d800d6a146bd59f397a5094b481099801fd00029c5b19ba53f45771e35c6d2a2a29f7a7a22fa48951fabfb472380f59ef8bf6bb74b97e2eb75781aecea379979184bffd6b3236875e6affafc8beb0b80ea693baffc30ed044c8edfdf756d63913dd19d564e4fbf805722a1781132217aef410ab13ffba8cca45dc1a1889b5771564e4845c042c99b765b0a80486bfd799fc1bd6d6d6ac95273130d7a50cd", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ { - "Subject": "C=IL, CN=Artur Liberman", - "ValidFrom": "2013-03-05 15:18:55", - "ValidTo": "2016-03-05 15:18:55", - "Signature": "affd93f5b3dc4e5d57868f2bdf7f88bc14dd94c0de331f2d4fb4712dd259d5636f7c0d06595fec79e3311d63ac012ed643277e63015bc7c87c904efb57e44eef681019638adb464e96dd90f71eee2122664c7e809b11624b1b5e472ed28d55196cfd6d1eeedaa6c1e93a9540675a8047caee8a153cecb97db6ad807061634c8989e44a66675d71ed68cf2261592b3c49e35d111f9c4f3eb290fde4830a92c4d88e65914f5b8c5133138f11ecc6d07c47499016a43ea5fca364f560db7b38337959455928e8ec7940e26dab3f33547b05c6bc73868eb5cb8473dba3f006f07638aa7c29f933d5479f33f611ab8af56350e50254b9de2bfa4be289d0d1abc2133d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "SerialNumber": "33000002528b33aaf895f339db000000000252", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + } + ] + } + ] + }, + { + 
"FileName": "libnicm.sys", + "MD5": "34a7fab63a4ed5a0b61eb204828e08e5", + "SHA1": "469c04cb7841eedd43227facaf60a6d55cf21fd7", + "SHA256": "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48", + "Authentihash": { + "MD5": "e960feebe973feb9fa4ceae648439f05", + "SHA1": "85dd2e3e9e97e981542336ab7051035d5e611380", + "SHA256": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f" + }, + "Description": "Novell XTCOM Services Driver", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "libnicm.sys", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" + ], + "ImportedFunctions": [ + "ExAcquireResourceExclusiveLite", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "strstr", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "MmUnmapLockedPages", + "ProbeForRead", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "KeInitializeMutex", + "KeLeaveCriticalRegion", + "IoDeleteDevice", + "ProbeForWrite", + "IoFreeMdl", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", + "ZwClose", + "IofCompleteRequest", + "IoSetTopLevelIrp", + "KeWaitForSingleObject", + "MmProbeAndLockPages", + "MmUnlockPages", + "ExDeleteResourceLite", + "IoGetTopLevelIrp", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", + "IoAllocateMdl", + 
"RtlCreateSecurityDescriptor", + "IoGetCurrentProcess", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "RtlInitUnicodeString", + "RtlAppendUnicodeToString", + "RtlUnicodeStringToAnsiString", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", + "MmIsAddressValid", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwLoadDriver", + "ZwOpenKey", + "KeBugCheckEx", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher", + "ValidFrom": "2022-01-27 19:31:19", + "ValidTo": "2023-01-26 19:31:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", + "ValidFrom": "2011-10-19 18:41:42", + "ValidTo": "2026-10-19 18:51:42", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "112124a45abbf7c551deb213b28633c3dcad", - "Issuer": "C=BE, O=GlobalSign nv,sa, 
CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "330000036ce57eeb5d1cc2be1700000000036c", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" } ] } 
@@ -21731,104 +7361,81 @@ } ], "Tags": [ - "ALSysIO64.sys" - ] + "libnicm.sys" + ], + "yara": true }, { - "Id": "f4c22f4d-eff8-40c5-8b31-146abe5f17b7", + "Id": "57f63efb-dc43-4dba-9413-173e3e4be750", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create physmem.sys binPath=C:\\windows\\temp\\physmem.sys type=kernel && sc.exe start physmem.sys", + "Command": "sc.exe create AsrSmartConnectDrv.sys binPath=C:\\windows\\temp\\AsrSmartConnectDrv.sys type=kernel && sc.exe start AsrSmartConnectDrv.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "Filename": "physmem.sys", - "SHA1": "589a7d4df869395601ba7538a65afae8c4616385", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, 
+ { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" } ], - "Tags": [ - "physmem.sys" - ] - }, - { - "Id": "a33de377-d2c2-4c71-98ca-cd0be8d284f9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BS_I2cIo.sys binPath=C:\\windows\\temp\\BS_I2cIo.sys type=kernel && sc.exe start BS_I2cIo.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Biostar.yar#L30", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "BS_I2cIo.sys", - "MD5": "83601bbe5563d92c1fdb4e960d84dc77", - "SHA1": "dc55217b6043d819eadebd423ff07704ee103231", - "SHA256": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", + "Filename": "AsrSmartConnectDrv.sys", + "MD5": "56a515173b211832e20fbc64e5a0447c", + "SHA1": "1d0df45ee3fa758f0470e055915004e6eae54c95", + "SHA256": "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc", "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", - "Publisher": "", - "Company": "BIOSTAR Group", - "Description": "I/O Interface driver file", - 
"Product": "BIOSTAR I/O driver fle", - "ProductVersion": "1, 1, 0, 0", - "FileVersion": "1, 1, 0, 0", + "Publisher": "ASROCK Incorporation", + "Company": "RW-Everything", + "Description": "RW-Everything Read & Write Driver", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "BS_I2cIo.sys", + "OriginalFilename": "RwDrv.sys", "Authentihash": { - "MD5": "bcc1ae726001fdbabb8159e3b333f3fd", - "SHA1": "7885fb33d8800fa3c036252af70e0a8391ab367d", - "SHA256": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4" + "MD5": "fc88782a34ab832abb9c04c63c76830b", + "SHA1": "a7bcabd8e465e5e1a0bad564d887a47f378dfdaa", + "SHA256": "f43d977a5fb1bdc10837e7c4ff03526d2b8fa9757da9dd8bd6514cd31748a858" }, - "InternalName": "I/O driver", - "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", + "InternalName": "RwDrv.sys", + "Copyright": "Copyright (C) 2008 RW-Everything", "Imports": [ "ntoskrnl.exe", "HAL.dll" @@ -21836,21 +7443,27 @@ "ExportedFunctions": "", "ImportedFunctions": [ "IoDeleteSymbolicLink", - "IoStartNextPacket", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "MmUnmapIoSpace", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "KeRemoveEntryDeviceQueue", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", "IofCompleteRequest", - "IoStartPacket", - "IoCreateDevice", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -21872,10 +7485,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -21886,17 +7499,24 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2007-10-16 00:00:00", - "ValidTo": "2010-10-20 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4d3675c15944120a97b4ae294ec73245", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -21904,570 +7524,370 @@ } ], "Tags": [ - "BS_I2cIo.sys" - ] + "AsrSmartConnectDrv.sys" + ], + "yara": true }, { - "Id": "e5f12b82-8d07-474e-9587-8c7b3714d60c", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "0eb5f4ce-12a7-4b45-b021-42b995de07c5", + "Author": "Michael Haag", + "Created": "2023-03-03", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", - "Commands": "sc.exe create zam64.sys binPath=C:\\windows\\temp\\zam64.sys type=kernel && sc.exe start zam64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create Air_SYSTEM10.sys binPath=C:\\windows\\temp\\Air_SYSTEM10.sys type=kernel && sc.exe start Air_SYSTEM10.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "FileName": "zam64.sys", - "MD5": "2a3ce41bb2a7894d939fbd1b20dae5a0", - "SHA1": "cd248648eafca6ef77c1b76237a6482f449f13be", - "SHA256": "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1", + "Filename": "Air_SYSTEM10.sys", + "MD5": "1f2888e57fdd6aee466962c25ba7d62d", + "SHA1": "c23eeb6f18f626ce1fd840227f351fa7543bb167", + "SHA256": "f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": 
"", "Authentihash": { - "MD5": "689e0587c7821c19c711424fa619dbad", - "SHA1": "b9b230bb66c82e15f563ac0873a3a1db25995064", - "SHA256": "1997b7217dfddd8fbd4924e86b58fe585ef4bd91c3069d3deeb34ea70eb82d60" + "MD5": "6f562fc03c72abd6ff33c6df23df0219", + "SHA1": "7435b3f4c67217bfcdcfa9d940b12e5d5d6a22da", + "SHA256": "9c31a9fbf833b732b5f3f06c31e200994a65ce187260e66eff62278660dba4ef" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.18.371", - "Copyright": "Zemana Ltd. All rights reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "FLTMGR.SYS" + "FLTMGR.SYS", + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "RtlUpperString", - "RtlUpcaseUnicodeString", - "PsGetCurrentProcessId", - "ZwOpenProcess", + "FltRegisterFilter", + "FltUnregisterFilter", + "FltStartFiltering", + "FltGetFileNameInformation", + "FltReleaseFileNameInformation", + "FltParseFileNameInformation", + "FltCreateCommunicationPort", + "FltCloseCommunicationPort", + "FltCloseClientPort", + "FltBuildDefaultSecurityDescriptor", + "FltFreeSecurityDescriptor", + "FltGetRequestorProcess", + "ExAllocatePoolWithTag", + "DbgPrintEx", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "strstr", + "wcsstr", + "RtlInitUnicodeString", + "MmGetSystemRoutineAddress", + "ExFreePoolWithTag", + "IoCreateDevice", + "IoGetCurrentProcess", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "MmIsAddressValid", "PsLookupProcessByProcessId", - "ObQueryNameString", - "FsRtlIsNameInExpression", "PsGetProcessImageFileName", - "ZwQueryInformationProcess", "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", + "PsProcessType", + "ExInitializeRundownProtection", + 
"ExAcquireRundownProtection", + "ExReleaseRundownProtection", + "ExWaitForRundownProtectionRelease", "PsCreateSystemThread", "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", - "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "ZwCreateFile", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ZwQuerySystemInformation", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "PsGetProcessId", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", + "ZwClose", + "PsGetCurrentProcessId", "KeStackAttachProcess", "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - 
"ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetProcessSectionBaseAddress", - "MmSystemRangeStart", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwQueryVirtualMemory", + "ZwProtectVirtualMemory", + "PsGetProcessWow64Process", + "strcpy_s", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "RtlSetDaclSecurityDescriptor", "KeBugCheckEx", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", + "RtlCompareUnicodeString", "KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "wcsstr", - "IoCreateFileSpecifyDeviceObjectHint", - "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + "MmCopyVirtualMemory", + "PsGetProcessPeb", + "ZwQuerySystemInformation" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "Air_SYSTEM10.sys" + ], + "yara": false + }, + { + "Id": "66be9e0a-9246-4404-b5b5-7fbde351668f", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create BS_I2cIo.sys binPath=C:\\windows\\temp\\BS_I2cIo.sys type=kernel && sc.exe start BS_I2cIo.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb.yara" }, { - "FileName": "zam64.sys", - "MD5": "db46c56849bbce9a55a03283efc8c280", - "SHA1": "8f4b79b8026da7f966d38a8ba494c113c5e3894b", - "SHA256": "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "BS_I2cIo.sys", + "MD5": "3c4154866f3d483fdc9f4f64ef868888", + "SHA1": "f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6", + "SHA256": "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb", "Authentihash": { - "MD5": "a7d940958aa06308dfb68ed67e6ae18c", - "SHA1": "ddb4d31681eb2e8e95aa33b78d454b29542d2a98", - "SHA256": "ab1290211250af83be645072d346693890f3f29feda5a3a23ea97758247f7ba1" + "MD5": "2e6a361506f00fc7de30642776c8d3be", + "SHA1": "862fef3d6a6d7488ef4d6f7799ac296cd96256b7", + "SHA256": "21af8e034ca42ab24a5d1623f70de9c66eeea63d72aeb0f1846b1e04dbdf4f51" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.16.928", - "Copyright": "Zemana Ltd. All rights reserved.", + "Description": "I/O Interface driver file", + "Company": "BIOSTAR Group", + "InternalName": "I/O driver", + "OriginalFilename": "BS_I2cIo.sys", + "FileVersion": "1, 1, 0, 0", + "Product": "BIOSTAR I/O driver fle", + "ProductVersion": "1, 1, 0, 0", + "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwCreateFile", - "ZwClose", - "RtlUpperString", - "RtlUpcaseUnicodeString", - "PsGetCurrentProcessId", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ObQueryNameString", - "FsRtlIsNameInExpression", - "ZwQueryInformationProcess", - "__C_specific_handler", - "DbgPrint", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessImageFileName", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - 
"RtlAppendUnicodeToString", "KeInitializeEvent", - "KeSetEvent", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ObfDereferenceObject", "KeWaitForSingleObject", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", + "ExInterlockedInsertTailList", + "RtlTimeToTimeFields", + "PsTerminateSystemThread", "ZwWriteFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "ObReferenceObjectByHandle", - "FsRtlGetFileSize", - "ZwDeleteFile", - "ZwQuerySystemInformation", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "PsGetProcessId", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "MmSystemRangeStart", - "KeBugCheckEx", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", - 
"RtlCopyUnicodeString", + "KeSetPriorityThread", + "ZwCreateFile", "RtlInitUnicodeString", - "wcsstr", - "IoGetDeviceAttachmentBaseRef", - "strstr" + "PsCreateSystemThread", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "IoStartNextPacket", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeRemoveEntryDeviceQueue", + "IoStartPacket", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "ZwClose", + "IoDeleteDevice", + "KeSetEvent", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2006-09-25 00:00:00", + "ValidTo": "2007-10-20 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "49a570277854e9481d38e34c081226ee", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - }, + } + ], + "Tags": [ + "BS_I2cIo.sys" + ], + "yara": true + }, + { + "Id": "b51c441a-12c7-407d-9517-559cc0030cf6", + 
"Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create capcom.sys binPath=C:\\windows\\temp\\capcom.sys type=kernel && sc.exe start capcom.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "zamguard64.sys", - "MD5": "99c131567c10c25589e741e69a8f8aa3", - "SHA1": "3b8ddf860861cc4040dea2d2d09f80582547d105", - "SHA256": "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef", + "Filename": "capcom.sys", + "MD5": "73c98438ac64a68e88b7b0afd11ba140", + "SHA1": "c1d5cf8c43e7679b782630e93f5e6420ca1749a7", + "SHA256": "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24", + "Signature": [ + "CAPCOM Co.,Ltd.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "38757cf8a65976f362f287c3e94f8c1b", - "SHA1": "87cdb7698822d92a070b83b732fffa0ea99e34a2", - "SHA256": "950b672d3300bcacefe568156fbc8b16fa09da13df2f6ecda31254faaaf041f9" + "MD5": "37458813b5115cbf06552da28fefbbbb", + "SHA1": "1d1cafc73c97c6bcd2331f8777d90fdca57125a3", + "SHA256": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.20.865", - "Copyright": "Zemana Ltd. 
All rights reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "FLTMGR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "FsRtlIsNameInExpression", - "PsGetProcessImageFileName", - "ZwQueryInformationProcess", - "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", - "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ObQueryNameString", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "MmMapLockedPagesSpecifyCache", - "PsGetProcessId", - "IoThreadToProcess", - 
"PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetProcessSectionBaseAddress", - "MmSystemRangeStart", - "KeBugCheckEx", - "PsLookupProcessByProcessId", - "ZwOpenProcess", - "PsGetCurrentProcessId", - "RtlUpcaseUnicodeString", - "RtlUpperString", - "ZwClose", - "ZwCreateFile", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", "RtlInitUnicodeString", - "wcsstr", - "ZwQuerySystemInformation", - "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltReleaseContext", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltAllocateContext", - "FltCancelFileOpen", - "FltQueryInformationFile", - "FltReadFile", - "FltParseFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetFileNameInformation", - "FltFreePoolAlignedWithTag", - "FltAllocatePoolAlignedWithTag", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "IofCompleteRequest", + "MmGetSystemRoutineAddress", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoDeleteDevice" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -22485,1574 +7905,1532 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "8a60d49cf93c42e609a5fc51877e8caee77cdc7848d3db41a9556d186c795f8f20e825c3be29056670c4414f35dc24e538606c0b1404c9b751e1fad91e2c136a5970c3c0edbb5a2391c47bb1d2782ff673636c6ec7bc2a69d06011f07dc957039835f50b6d5f342e75e00564be8edc0035aa4ae92d412dd38f347abff1d8ec9059ef25af4f5d1e20d6c5b2a5e69c7cba53c0f88901f7db044f11724be5a04b0d689c4f4fccef40d4a654954b67d5ecacf272c48a3d81ac0056c1d252f42bb403291f674642bd001d99b3846f0270b070d1487ef42e939193c949feb162e29ca5ad41d8d195b8e8f6e4c8dd79c46f27b06f9e15906df8f8fd9a850ba28f169468", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=JP, ST=Osaka, L=Chuo,ku, O=CAPCOM Co.,Ltd., OU=R&D Asset Management Section, CN=CAPCOM Co.,Ltd.", + "ValidFrom": "2016-05-02 00:00:00", + "ValidTo": "2017-05-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "7e59408d3c99c511a853fb2f73c03dc4", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] + } + ], + "Tags": [ + "capcom.sys" + ], + "yara": false + }, + { + "Id": "4d365dd0-34c3-492e-a2bd-c16266796ae5", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ALSysIO64.sys binPath=C:\\windows\\temp\\ALSysIO64.sys type=kernel && sc.exe start ALSysIO64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d.yara" }, { - "FileName": "zam64.sys", - "MD5": "e5f8fcdfb52155ed4dffd8a205b3d091", - "SHA1": "90abd7670c84c47e6ffc45c67d676db8c12b1939", - "SHA256": "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ALSysIO64.sys", + "MD5": "13dda15ef67eb265869fc371c72d6ef0", + "SHA1": "2f991435a6f58e25c103a657d24ed892b99690b8", + "SHA256": "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d", + "Signature": [ + "Artur Liberman", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "Artur Liberman", + "Company": "Arthur Liberman", + "Description": "ALSysIO", + "Product": "ALSysIO", + "ProductVersion": "2.0.8.0", + "FileVersion": "2.0.8.0", + "MachineType": "AMD64", + "OriginalFilename": "ALSysIO.sys", "Authentihash": { - "MD5": 
"ad2c4382390a8740dcea8b0aef5552c2", - "SHA1": "0740faffcb163f4c8cd204c367b9492f2e361207", - "SHA256": "b529550e8d2ec6133be50d7139179654301ff84ba09da0cd256c5dec924a185c" + "MD5": "86be5dbedcfcd517b9b602436cd985eb", + "SHA1": "7a9981f1bca18e2f624fe806c753a14dfd970c4e", + "SHA256": "ca829178d01990c8d1d6a681dee074a53f0dd873fd8eef6f6161c682449ec8c5" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.18.229", - "Copyright": "Zemana Ltd. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "ALSysIO.sys", + "Copyright": "Copyright (C) 2003-2009 Arthur Liberman", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IoDeleteDevice", "ZwClose", - "RtlUpperString", - "RtlUpcaseUnicodeString", - "PsGetCurrentProcessId", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ObQueryNameString", - "FsRtlIsNameInExpression", - "PsGetProcessImageFileName", - "ZwQueryInformationProcess", - "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", - "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", 
- "ZwOpenSymbolicLinkObject", - "ZwCreateFile", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ZwQuerySystemInformation", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateDevice", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "PsGetProcessId", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "MmSystemRangeStart", - "KeBugCheckEx", + "IoCreateDevice", + "IoBuildDeviceIoControlRequest", + "RtlAnsiStringToUnicodeString", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "RtlInitAnsiString", + "RtlFreeUnicodeString", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "MmIsAddressValid", "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "wcsstr", - "ZwQuerySymbolicLinkObject", + "IofCallDriver", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltStartFiltering", - 
"FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeBugCheckEx", + "IoGetDeviceObjectPointer", + "IoDeleteSymbolicLink", + "RtlUnwindEx", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "Subject": "C=IL, CN=Artur Liberman", + "ValidFrom": "2013-03-05 15:18:55", + "ValidTo": "2016-03-05 15:18:55", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "112124a45abbf7c551deb213b28633c3dcad", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "zam64.sys", - "MD5": "707ab1170389eba44ffd4cfad01b5969", - "SHA1": "b99a5396094b6b20cea72fbf0c0083030155f74e", - "SHA256": "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21", + "Filename": "ALSysIO64.sys", + "MD5": "ba5f0f6347780c2ed911bbf888e75bef", + "SHA1": "f02af84393e9627ba808d4159841854a6601cf80", + "SHA256": "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa", + "Signature": [ + "Artur Liberman", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "Artur Liberman", + "Company": "Arthur Liberman", + "Description": "ALSysIO", + "Product": "ALSysIO", + "ProductVersion": "2.0.9.0", + "FileVersion": "2.0.9.0", + "MachineType": "AMD64", + "OriginalFilename": "ALSysIO.sys", "Authentihash": { - "MD5": "fb3161dd2e402cfdd3495278974f4181", - "SHA1": "9c7deb9def09bca28c37211992c76880f575b9ef", - "SHA256": "a59ad5be59f73f2a138c70d8aa634bf5f3364a67e072b64ff2a6d4627514a9ad" + "MD5": "966e1c16e1aa07044b733c5589f40fd7", + "SHA1": "7027b399daf84a7c24dd010c2806bf6048a230bd", + "SHA256": "ac22a7cce3795e58c974056a86a06444e831d52185f9f37db88c65e14cd5bb75" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "3.0.0.000", - "Product": "ZAM", - "ProductVersion": "3.0.0.000", - "Copyright": "Zemana Ltd. 
All rights reserved.",
- "MachineType": "AMD64",
+ "InternalName": "ALSysIO.sys",
+ "Copyright": "Copyright (C) 2003-2009 Arthur Liberman",
 "Imports": [
 "ntoskrnl.exe",
- "FLTMGR.SYS"
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "FsRtlIsNameInExpression",
- "PsGetProcessImageFileName",
- "ZwQueryInformationProcess",
- "__C_specific_handler",
- "strchr",
- "RtlAppendUnicodeToString",
- "KeInitializeSemaphore",
- "KeReleaseSemaphore",
- "KeWaitForSingleObject",
- "KeAcquireSpinLockRaiseToDpc",
- "KeReleaseSpinLock",
- "PsCreateSystemThread",
- "PsTerminateSystemThread",
- "ZwQueryInformationFile",
- "ZwWriteFile",
- "PsGetCurrentThreadId",
- "ZwDeleteFile",
- "_vsnprintf",
- "PsThreadType",
- "PsSetCreateProcessNotifyRoutine",
- "PsGetProcessSessionId",
- "RtlAppendUnicodeStringToString",
- "ZwDeleteValueKey",
- "ZwSetValueKey",
- "towupper",
- "RtlIntegerToUnicodeString",
- "KeInitializeEvent",
- "KeSetEvent",
- "KeAcquireSpinLockAtDpcLevel",
- "KeReleaseSpinLockFromDpcLevel",
- "MmProbeAndLockPages",
- "IoAllocateIrp",
- "IoAllocateMdl",
- "IofCallDriver",
- "IoFreeIrp",
- "IoFreeMdl",
- "IoGetDeviceObjectPointer",
- "IoGetRelatedDeviceObject",
- "ObCloseHandle",
- "ObfReferenceObject",
- "ZwSetInformationFile",
- "ZwReadFile",
- "ZwOpenSymbolicLinkObject",
- "ZwQuerySymbolicLinkObject",
- "IoCreateFileSpecifyDeviceObjectHint",
- "IoGetDeviceAttachmentBaseRef",
- "FsRtlGetFileSize",
- "ObQueryNameString",
- "IoFileObjectType",
- "KeReadStateEvent",
- "ExQueueWorkItem",
- "ExGetPreviousMode",
- "MmGetSystemRoutineAddress",
- "NtOpenProcess",
- "ZwCreateEvent",
- "ZwWaitForSingleObject",
- "ZwSetEvent",
- "NtQuerySystemInformation",
- "ExEventObjectType",
- "NtBuildNumber",
- "ZwDeleteKey",
- "ObReferenceObjectByName",
- "IoDriverObjectType",
- "MmIsDriverVerifying",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
 "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "RtlSetDaclSecurityDescriptor",
- "MmMapLockedPagesSpecifyCache",
- "PsGetProcessId",
- "IoThreadToProcess",
- "PsGetCurrentProcessSessionId",
- "ZwTerminateProcess",
- "KeStackAttachProcess",
- "KeUnstackDetachProcess",
- "ZwOpenThread",
- "PsProcessType",
- "ExInterlockedInsertHeadList",
- "ExInterlockedRemoveHeadList",
- "CmRegisterCallback",
- "CmUnRegisterCallback",
- "RtlCreateRegistryKey",
- "ZwOpenKey",
- "ZwEnumerateKey",
- "ZwQueryKey",
- "ZwQueryValueKey",
- "RtlUnicodeStringToAnsiString",
- "RtlFreeAnsiString",
- "ProbeForWrite",
- "PsSetLoadImageNotifyRoutine",
- "PsRemoveLoadImageNotifyRoutine",
- "PsGetProcessSectionBaseAddress",
- "MmSystemRangeStart",
- "KeBugCheckEx",
- "PsLookupProcessByProcessId",
- "ZwOpenProcess",
- "PsGetCurrentProcessId",
- "RtlUpcaseUnicodeString",
- "RtlUpperString",
 "ZwClose",
- "ZwCreateFile",
+ "IofCompleteRequest",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "IoBuildDeviceIoControlRequest",
+ "RtlAnsiStringToUnicodeString",
+ "MmGetSystemRoutineAddress",
+ "KeInitializeEvent",
+ "RtlInitAnsiString",
+ "RtlFreeUnicodeString",
+ "RtlInitUnicodeString",
+ "KeWaitForSingleObject",
+ "MmIsAddressValid",
 "ObfDereferenceObject",
- "ObReferenceObjectByHandle",
- "ProbeForRead",
- "ExFreePoolWithTag",
- "ExAllocatePoolWithTag",
- "KeDelayExecutionThread",
- "RtlGetVersion",
 "DbgPrint",
- "RtlCopyUnicodeString",
- "RtlInitUnicodeString",
- "wcsstr",
- "ZwQuerySystemInformation",
+ "IofCallDriver",
+ "ExAllocatePoolWithTag",
+ "ExFreePoolWithTag",
 "strstr",
- "FltSendMessage",
- "FltCloseCommunicationPort",
- "FltCreateCommunicationPort",
- "FltReleaseContext",
- "FltGetStreamHandleContext",
- "FltSetStreamHandleContext",
- "FltAllocateContext",
- "FltCancelFileOpen",
- "FltQueryInformationFile",
- "FltReadFile",
- "FltParseFileNameInformation",
- "FltReleaseFileNameInformation",
- "FltGetFileNameInformation",
- "FltFreePoolAlignedWithTag",
- "FltAllocatePoolAlignedWithTag",
- "FltStartFiltering",
- "FltUnregisterFilter",
- "FltRegisterFilter",
- "FltBuildDefaultSecurityDescriptor"
+ "MmUnmapIoSpace",
+ "MmMapIoSpace",
+ "KeBugCheckEx",
+ "IoGetDeviceObjectPointer",
+ "IoDeleteSymbolicLink",
+ "RtlUnwindEx",
+ "HalGetBusDataByOffset"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
- "ValidFrom": "2022-06-07 18:08:07",
- "ValidTo": "2023-06-01 18:08:07",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
+ "ValidFrom": "2011-04-13 10:00:00",
+ "ValidTo": "2028-01-28 12:00:00",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
- "ValidFrom": "2014-10-15 20:31:27",
- "ValidTo": "2029-10-15 20:41:27",
- "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
+ "ValidFrom": "2011-04-13 10:00:00",
+ "ValidTo": "2019-04-13 10:00:00",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=IL, CN=Artur Liberman",
+ "ValidFrom": "2013-03-05 15:18:55",
+ "ValidTo": "2016-03-05 15:18:55",
+ "Signature": "affd93f5b3dc4e5d57868f2bdf7f88bc14dd94c0de331f2d4fb4712dd259d5636f7c0d06595fec79e3311d63ac012ed643277e63015bc7c87c904efb57e44eef681019638adb464e96dd90f71eee2122664c7e809b11624b1b5e472ed28d55196cfd6d1eeedaa6c1e93a9540675a8047caee8a153cecb97db6ad807061634c8989e44a66675d71ed68cf2261592b3c49e35d111f9c4f3eb290fde4830a92c4d88e65914f5b8c5133138f11ecc6d07c47499016a43ea5fca364f560db7b38337959455928e8ec7940e26dab3f33547b05c6bc73868eb5cb8473dba3f006f07638aa7c29f933d5479f33f611ab8af56350e50254b9de2bfa4be289d0d1abc2133d",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2",
+ "ValidFrom": "2015-02-03 00:00:00",
+ "ValidTo": "2026-03-03 00:00:00",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
+ "ValidFrom": "2011-04-15 19:55:08",
+ "ValidTo": "2021-04-15 20:05:08",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "3300000058e7c589c068dca727000000000058",
- "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014"
+ "SerialNumber": "112124a45abbf7c551deb213b28633c3dcad",
+ "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2"
 }
 ]
 }
 ]
 },
 {
- "FileName": "zam64.sys",
- "MD5": "9e0659d443a2b9d1afc75a160f500605",
- "SHA1": "09f117d83f2f206ee37f1eb19eea576a0ac9bdcc",
- "SHA256": "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a",
+ "Filename": "ALSysIO64.sys",
+ "MD5": "afc2448b4080f695e76e059a96958cab",
+ "SHA1": "256d285347acd715ed8920e41e5ec928ae9201a8",
+ "SHA256": "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280",
+ "Signature": "",
+ "Date": "",
+ "Publisher": "",
+ "Company": "Arthur Liberman",
+ "Description": "ALSysIO64",
+ "Product": "ALSysIO64",
+ "ProductVersion": "2.0.11.0",
+ "FileVersion": "2.0.11.0",
+ "MachineType": "AMD64",
+ "OriginalFilename": "ALSysIO64.sys",
 "Authentihash": {
- "MD5": "536527a09edbc7e8c174f7f7423a79a1",
- "SHA1": "60d4d82640d4550c3e2cfba69f00b5c7472e4926",
- "SHA256": "dcf9bc1e511993fd8c87b8cab5c23366cc818cccc40617cabc8f242d4a8751d7"
+ "MD5": "7b9763c297936ce055a04790362cc75f",
+ "SHA1": "530dd2863a09dc57801d62551c48eb9e48476fe8",
+ "SHA256": "1c55b6620216c195ce24ef21e6ab7e181146fccf17c06606c4cd419fe3e45bd7"
 },
- "Description": "ZAM",
- "Company": "Zemana Ltd.",
- "InternalName": "",
- "OriginalFilename": "",
- "FileVersion": "",
- "Product": "ZAM",
- "ProductVersion": "2.17.115",
- "Copyright": "Zemana Ltd. All rights reserved.",
- "MachineType": "AMD64",
+ "InternalName": "ALSysIO64.sys",
+ "Copyright": "Copyright (C) 2003-2019 Arthur Liberman",
 "Imports": [
- "ntoskrnl.exe"
+ "ntoskrnl.exe",
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "ObfDereferenceObject",
- "ZwCreateFile",
+ "IoDeleteDevice",
 "ZwClose",
- "RtlUpperString",
- "RtlUpcaseUnicodeString",
- "PsGetCurrentProcessId",
- "ZwOpenProcess",
- "PsLookupProcessByProcessId",
- "ObQueryNameString",
- "FsRtlIsNameInExpression",
- "ZwQueryInformationProcess",
- "__C_specific_handler",
- "DbgPrint",
- "KeAcquireSpinLockRaiseToDpc",
- "KeReleaseSpinLock",
- "PsSetCreateProcessNotifyRoutine",
- "PsGetProcessImageFileName",
- "PsGetProcessSessionId",
- "RtlAppendUnicodeStringToString",
- "ZwDeleteValueKey",
- "ZwSetValueKey",
- "towupper",
- "RtlIntegerToUnicodeString",
- "RtlAppendUnicodeToString",
+ "IofCompleteRequest",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "IoBuildDeviceIoControlRequest",
+ "RtlAnsiStringToUnicodeString",
+ "MmGetSystemRoutineAddress",
 "KeInitializeEvent",
- "KeSetEvent",
+ "RtlInitAnsiString",
+ "RtlFreeUnicodeString",
+ "IoGetDeviceObjectPointer",
 "KeWaitForSingleObject",
- "KeAcquireSpinLockAtDpcLevel",
- "KeReleaseSpinLockFromDpcLevel",
- "MmProbeAndLockPages",
- "IoAllocateIrp",
- "IoAllocateMdl",
+ "MmIsAddressValid",
+ "ObfDereferenceObject",
+ "RtlInitUnicodeString",
 "IofCallDriver",
- "IoFreeIrp",
- "IoFreeMdl",
- "IoGetDeviceObjectPointer",
- "IoGetRelatedDeviceObject",
- "ObCloseHandle",
- "ObfReferenceObject",
- "ZwQueryInformationFile",
- "ZwSetInformationFile",
- "ZwReadFile",
- "ZwWriteFile",
- "ZwOpenSymbolicLinkObject",
- "ZwQuerySymbolicLinkObject",
- "IoCreateFileSpecifyDeviceObjectHint",
- "ObReferenceObjectByHandle",
- "FsRtlGetFileSize",
- "ZwDeleteFile",
+ "ExAllocatePoolWithTag",
+ "ExFreePoolWithTag",
+ "KeLeaveCriticalRegion",
+ "strstr",
+ "MmUnmapIoSpace",
+ "KeEnterCriticalRegion",
+ "MmMapIoSpace",
+ "PsGetVersion",
+ "ExAllocatePoolWithQuotaTag",
 "ZwQuerySystemInformation",
- "IoFileObjectType",
- "KeReadStateEvent",
- "ExQueueWorkItem",
- "ExGetPreviousMode",
- "MmGetSystemRoutineAddress",
- "NtOpenProcess",
- "ZwCreateEvent",
- "ZwWaitForSingleObject",
- "ZwSetEvent",
- "NtQuerySystemInformation",
- "ExEventObjectType",
- "NtBuildNumber",
- "ZwDeleteKey",
- "ObReferenceObjectByName",
- "IoDriverObjectType",
- "MmIsDriverVerifying",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "PsGetProcessId",
- "PsGetCurrentProcessSessionId",
- "ZwTerminateProcess",
- "KeStackAttachProcess",
- "KeUnstackDetachProcess",
- "ZwOpenThread",
- "PsProcessType",
- "ExInterlockedInsertHeadList",
- "ExInterlockedRemoveHeadList",
- "CmRegisterCallback",
- "CmUnRegisterCallback",
- "RtlCreateRegistryKey",
- "ZwOpenKey",
- "ZwEnumerateKey",
- "ZwQueryKey",
- "ZwQueryValueKey",
- "RtlUnicodeStringToAnsiString",
- "RtlFreeAnsiString",
- "ProbeForWrite",
- "PsSetLoadImageNotifyRoutine",
- "PsRemoveLoadImageNotifyRoutine",
- "MmSystemRangeStart",
 "KeBugCheckEx",
- "ProbeForRead",
- "ExFreePoolWithTag",
- "ExAllocatePoolWithTag",
- "KeDelayExecutionThread",
- "RtlGetVersion",
- "RtlCopyUnicodeString",
- "RtlInitUnicodeString",
- "wcsstr",
- "IoGetDeviceAttachmentBaseRef",
- "strstr"
+ "__C_specific_handler",
+ "DbgPrint",
+ "IoDeleteSymbolicLink",
+ "HalGetBusDataByOffset"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
- "ValidFrom": "2012-12-21 00:00:00",
- "ValidTo": "2020-12-30 23:59:59",
- "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
+ "ValidFrom": "2011-04-15 19:45:33",
+ "ValidTo": "2021-04-15 19:55:33",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
- "ValidFrom": "2012-10-18 00:00:00",
- "ValidTo": "2020-12-29 23:59:59",
- "Signature": "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",
+ "Subject": "??=IL, ??=Business Entity, serialNumber=307609677, C=IL, L=Ramat Gan, O=ALCPU (Arthur Liberman), CN=ALCPU (Arthur Liberman)",
+ "ValidFrom": "2017-06-23 00:00:00",
+ "ValidTo": "2019-12-31 12:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.",
- "ValidFrom": "2014-12-16 00:00:00",
- "ValidTo": "2017-12-20 12:00:00",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
+ "ValidFrom": "2014-10-22 00:00:00",
+ "ValidTo": "2024-10-22 00:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
- "ValidFrom": "2011-04-15 19:45:33",
- "ValidTo": "2021-04-15 19:55:33",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA",
+ "ValidFrom": "2012-04-18 12:00:00",
+ "ValidTo": "2027-04-18 12:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
- "ValidFrom": "2011-02-11 12:00:00",
- "ValidTo": "2026-02-10 12:00:00",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
+ "ValidFrom": "2006-11-10 00:00:00",
+ "ValidTo": "2021-11-10 00:00:00",
+ "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "0210230fd364b469091b8a4440145e18",
- "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1"
+ "SerialNumber": "0fd092438045aa3e667a4952fd8e429a",
+ "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA"
 }
 ]
 }
 ]
+ }
+ ],
+ "Tags": [
+ "ALSysIO64.sys"
+ ],
+ "yara": true
+ },
+ {
+ "Id": "7f645b95-4374-47ae-be1a-e4415308b550",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create WCPU.sys binPath=C:\\windows\\temp\\WCPU.sys type=kernel && sc.exe start WCPU.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://github.com/namazso/physmem_drivers",
+ "https://github.com/namazso/physmem_drivers"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980.yara"
 },
 {
- "FileName": "zamguard64.sys",
- "MD5": "51e7b58f6e9b776568ffbd4dd9972a60",
- "SHA1": "2cf75df00c69d907cfe683cb25077015d05be65d",
- "SHA256": "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c",
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "WCPU.sys",
+ "MD5": "c1d063c9422a19944cdaa6714623f2ec",
+ "SHA1": "f36a47edfacd85e0c6d4d22133dd386aee4eec15",
+ "SHA256": "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980",
+ "Signature": [
+ "ASUSTeK Computer Inc.",
+ "VeriSign Class 3 Code Signing 2004 CA",
+ "VeriSign Class 3 Public Primary CA"
+ ],
+ "Date": "",
+ "Publisher": "",
+ "Company": "Windows (R) Codename Longhorn DDK provider",
+ "Description": "ASUS TDE CPU Driver",
+ "Product": "Windows (R) Codename Longhorn DDK driver",
+ "ProductVersion": "6.0.6000.16386",
+ "FileVersion": "6.0.6000.16386 built by: WinDDK",
+ "MachineType": "AMD64",
+ "OriginalFilename": "CPU Driver",
 "Authentihash": {
- "MD5": "e03436e22127cd75a132169b627e5a3f",
- "SHA1": "b8d8e15e952b3fd2a510699d2124253565ecd611",
- "SHA256": "082adcdc2d246d2291bcf135a7519840a84f27cfa3143d1372a9e2aa5e514dbd"
+ "MD5": "1a77777592eb402fe56bcb43d618d02e",
+ "SHA1": "81e3e81048e0f323eee8d04aa9b291d77caa21e0",
+ "SHA256": "54bc506b2f0cf66d12d4a2415ab743c2b2a1f3079089e3e0c0c1f3f49dd7335e"
 },
- "Description": "ZAM",
- "Company": "Zemana Ltd.",
- "InternalName": "",
- "OriginalFilename": "",
- "FileVersion": "",
- "Product": "ZAM",
- "ProductVersion": "2.16.287",
- "Copyright": "Zemana Ltd. All rights reserved.",
- "MachineType": "AMD64",
+ "InternalName": "CPU Driver",
+ "Copyright": "Copyright by ASUSTek COMPUTER INC. 2006",
 "Imports": [
- "ntoskrnl.exe"
+ "ntoskrnl.exe",
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "strstr",
- "wcsstr",
- "RtlInitUnicodeString",
- "RtlCopyUnicodeString",
- "RtlGetVersion",
- "KeDelayExecutionThread",
- "ExAllocatePoolWithTag",
- "ExFreePoolWithTag",
- "ProbeForRead",
- "ObReferenceObjectByHandle",
- "ObfDereferenceObject",
- "ZwCreateFile",
+ "ZwUnmapViewOfSection",
 "ZwClose",
- "RtlUpperString",
- "RtlUpcaseUnicodeString",
- "PsGetCurrentProcessId",
- "ZwOpenProcess",
- "PsLookupProcessByProcessId",
- "ObQueryNameString",
- "FsRtlIsNameInExpression",
- "ZwQueryInformationProcess",
- "__C_specific_handler",
- "DbgPrint",
- "KeAcquireSpinLockRaiseToDpc",
- "KeReleaseSpinLock",
- "PsSetCreateProcessNotifyRoutine",
- "PsGetProcessImageFileName",
- "PsGetProcessSessionId",
- "RtlAppendUnicodeStringToString",
- "ZwDeleteValueKey",
- "ZwSetValueKey",
- "towupper",
- "RtlIntegerToUnicodeString",
- "RtlAppendUnicodeToString",
- "KeInitializeEvent",
- "KeSetEvent",
- "KeWaitForSingleObject",
- "KeAcquireSpinLockAtDpcLevel",
- "KeReleaseSpinLockFromDpcLevel",
- "MmProbeAndLockPages",
- "IoAllocateIrp",
- "IoAllocateMdl",
- "IofCallDriver",
- "IoFreeIrp",
- "IoFreeMdl",
- "IoGetDeviceObjectPointer",
- "IoGetRelatedDeviceObject",
- "ObCloseHandle",
- "ObfReferenceObject",
- "ZwQueryInformationFile",
- "ZwSetInformationFile",
- "ZwReadFile",
- "ZwWriteFile",
- "ZwOpenSymbolicLinkObject",
- "ZwQuerySymbolicLinkObject",
- "IoCreateFileSpecifyDeviceObjectHint",
- "IoGetDeviceAttachmentBaseRef",
- "FsRtlGetFileSize",
- "ZwDeleteFile",
- "ZwQuerySystemInformation",
- "IoFileObjectType",
- "KeReadStateEvent",
- "ExQueueWorkItem",
- "ExGetPreviousMode",
- "MmGetSystemRoutineAddress",
- "NtOpenProcess",
- "ZwCreateEvent",
- "ZwWaitForSingleObject",
- "ZwSetEvent",
- "NtQuerySystemInformation",
- "ExEventObjectType",
- "NtBuildNumber",
- "ZwDeleteKey",
- "ObReferenceObjectByName",
- "IoDriverObjectType",
- "MmIsDriverVerifying",
 "IofCompleteRequest",
- "IoCreateDevice",
+ "ObReferenceObjectByHandle",
 "IoCreateSymbolicLink",
 "IoDeleteDevice",
+ "ZwOpenSection",
 "IoDeleteSymbolicLink",
- "PsGetCurrentProcessSessionId",
- "ZwTerminateProcess",
- "KeStackAttachProcess",
- "KeUnstackDetachProcess",
- "ZwOpenThread",
- "PsProcessType",
- "ExInterlockedInsertHeadList",
- "ExInterlockedRemoveHeadList",
- "CmRegisterCallback",
- "CmUnRegisterCallback",
- "RtlCreateRegistryKey",
- "ZwOpenKey",
- "ZwEnumerateKey",
- "ZwQueryKey",
- "ZwQueryValueKey",
- "PsGetProcessId",
- "RtlUnicodeStringToAnsiString",
- "RtlFreeAnsiString",
- "ProbeForWrite",
- "PsSetLoadImageNotifyRoutine",
- "PsRemoveLoadImageNotifyRoutine",
- "MmSystemRangeStart",
- "KeBugCheckEx"
+ "ZwMapViewOfSection",
+ "KeBugCheckEx",
+ "IoCreateDevice",
+ "RtlInitUnicodeString",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
- "ValidFrom": "2012-12-21 00:00:00",
- "ValidTo": "2020-12-30 23:59:59",
- "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
+ "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
+ "ValidFrom": "2007-06-15 00:00:00",
+ "ValidTo": "2012-06-14 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
- "ValidFrom": "2012-10-18 00:00:00",
- "ValidTo": "2020-12-29 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
+ "ValidFrom": "2003-12-04 00:00:00",
+ "ValidTo": "2013-12-03 23:59:59",
+ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.",
- "ValidFrom": "2014-12-16 00:00:00",
- "ValidTo": "2017-12-20 12:00:00",
- "Signature": "8a60d49cf93c42e609a5fc51877e8caee77cdc7848d3db41a9556d186c795f8f20e825c3be29056670c4414f35dc24e538606c0b1404c9b751e1fad91e2c136a5970c3c0edbb5a2391c47bb1d2782ff673636c6ec7bc2a69d06011f07dc957039835f50b6d5f342e75e00564be8edc0035aa4ae92d412dd38f347abff1d8ec9059ef25af4f5d1e20d6c5b2a5e69c7cba53c0f88901f7db044f11724be5a04b0d689c4f4fccef40d4a654954b67d5ecacf272c48a3d81ac0056c1d252f42bb403291f674642bd001d99b3846f0270b070d1487ef42e939193c949feb162e29ca5ad41d8d195b8e8f6e4c8dd79c46f27b06f9e15906df8f8fd9a850ba28f169468",
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
+ "ValidFrom": "2004-07-16 00:00:00",
+ "ValidTo": "2014-07-15 23:59:59",
+ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
- "ValidFrom": "2011-04-15 19:45:33",
- "ValidTo": "2021-04-15 19:55:33",
- "Signature": "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",
+ "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
+ "ValidFrom": "2006-05-23 17:01:29",
+ "ValidTo": "2016-05-23 17:11:29",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
- "ValidFrom": "2011-02-11 12:00:00",
- "ValidTo": "2026-02-10 12:00:00",
- "Signature": "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",
+ "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.",
+ "ValidFrom": "2007-07-03 00:00:00",
+ "ValidTo": "2008-07-26 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "0210230fd364b469091b8a4440145e18",
- "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1"
+ "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8",
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA"
 }
 ]
 }
 ]
+ }
+ ],
+ "Tags": [
+ "WCPU.sys"
+ ],
+ "yara": true
+ },
+ {
+ "Id": "2cc3dd4f-8a1e-4f1f-9871-0a14815949b4",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create 80.sys binPath=C:\\windows\\temp\\80.sys type=kernel && sc.exe start 80.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "80.sys",
+ "SHA1": "bc2f3850c7b858340d7ed27b90e63b036881fd6c",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
+ }
+ ],
+ "Tags": [
+ "80.sys"
+ ],
+ "yara": false
+ },
+ {
+ "Id": "2da3a276-9e38-4ee6-903d-d15f7c355e7c",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create vboxdrv.sys binPath=C:\\windows\\temp\\vboxdrv.sys type=kernel && sc.exe start vboxdrv.sys",
+ "Description": "Used by unknown actor in Acid Rain malware. vboxdrv.sys is a vulnerable driver.",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ "https://unit42.paloaltonetworks.com/acidbox-rare-malware/",
+ "https://www.coresecurity.com/core-labs/advisories/virtualbox-privilege-escalation-vulnerability",
+ "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f.yara"
 },
 {
- "FileName": "zamguard32.sys",
- "MD5": "06897b431c07886454e0681723dd53e6",
- "SHA1": "40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b",
- "SHA256": "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd",
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "vboxdrv.sys",
+ "MD5": "bce7f34912ff59a3926216b206deb09f",
+ "SHA1": "696d68bdbe1d684029aaad2861c49af56694473a",
+ "SHA256": "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f",
+ "Signature": [
+ "Sun Microsystems, Inc.",
+ "VeriSign Class 3 Code Signing 2004 CA",
+ "VeriSign Class 3 Public Primary CA"
+ ],
+ "Date": "",
+ "Publisher": "",
+ "Company": "Sun Microsystems, Inc.",
+ "Description": "VirtualBox Support Driver",
+ "Product": "Sun VirtualBox",
+ "ProductVersion": "2.2.0.r45846",
+ "FileVersion": "2.2.0.r45846",
+ "MachineType": "AMD64",
+ "OriginalFilename": "VBoxDrv.sys",
 "Authentihash": {
- "MD5": "4e0b0bd19c0f3c4a2a75e786474d9d06",
- "SHA1": "c5388c61135c7fe5617607206d663ac3eaef649c",
- "SHA256": "de99cea1cb680816afa10d2629a8067af1dc289d2d162a21b9dba71eb0e47745"
+ "MD5": "368a4f14c62575191a0f1f3464513964",
+ "SHA1": "3ce88266cfc41e8980d4c185235fd55999f5a67a",
+ "SHA256": "a5a2fe8ab935cf47f21e0c5e0de11a98271054109827dc930293b947d3b05079"
 },
- "Description": "ZAM",
- "Company": "Zemana Ltd.",
- "InternalName": "",
- "OriginalFilename": "",
- "FileVersion": "",
- "Product": "ZAM",
- "ProductVersion": "2.21.63",
- "Copyright": "Zemana Ltd. All rights reserved.",
- "MachineType": "I386",
+ "InternalName": "VBoxDrv.sys",
+ "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.",
 "Imports": [
- "ntoskrnl.exe",
- "HAL.dll",
- "FLTMGR.SYS"
+ "ntoskrnl.exe"
 ],
- "ExportedFunctions": "",
- "ImportedFunctions": [
- "_allmul",
- "strchr",
- "RtlAppendUnicodeToString",
- "KeInitializeSemaphore",
- "KeReleaseSemaphore",
- "KeWaitForSingleObject",
- "PsCreateSystemThread",
- "PsTerminateSystemThread",
- "ZwQueryInformationFile",
- "ZwWriteFile",
- "PsGetCurrentThreadId",
- "ZwDeleteFile",
- "_vsnprintf",
- "PsThreadType",
- "KeQuerySystemTime",
- "PsSetCreateProcessNotifyRoutine",
- "PsGetProcessSessionId",
- "RtlAppendUnicodeStringToString",
- "ZwDeleteValueKey",
- "ZwSetValueKey",
- "towupper",
- "KeGetCurrentThread",
- "RtlIntegerToUnicodeString",
- "RtlCompareMemory",
- "KeInitializeEvent",
- "KeSetEvent",
- "KefAcquireSpinLockAtDpcLevel",
- "KefReleaseSpinLockFromDpcLevel",
- "MmProbeAndLockPages",
- "IoAllocateIrp",
- "IoAllocateMdl",
- "IofCallDriver",
- "IoFreeIrp",
- "IoFreeMdl",
- "IoGetDeviceObjectPointer",
- "IoGetRelatedDeviceObject",
- "ObCloseHandle",
- "ObfReferenceObject",
- "ZwSetInformationFile",
- "ZwReadFile",
- "ZwOpenSymbolicLinkObject",
- "ZwQuerySymbolicLinkObject",
- "IoCreateFileSpecifyDeviceObjectHint",
- "IoGetDeviceAttachmentBaseRef",
- "FsRtlGetFileSize",
- "ZwQuerySystemInformation",
- "IoFileObjectType",
- "ZwQueryInformationProcess",
- "ExQueueWorkItem",
- "ExGetPreviousMode",
- "MmGetSystemRoutineAddress",
- "NtOpenProcess",
- "ZwCreateEvent",
- "ZwWaitForSingleObject",
- "ZwSetEvent",
- "NtQuerySystemInformation",
- "ExEventObjectType",
- "NtBuildNumber",
- "ZwDeleteKey",
- "ObReferenceObjectByName",
- "IoDriverObjectType",
- "MmIsDriverVerifying",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
+ "ExportedFunctions": [
+ "AssertMsg1",
+ "AssertMsg2",
+ "RTAssertShouldPanic",
+ "RTErrConvertFromNtStatus",
+ "RTLogCloneRC",
+ "RTLogComPrintf",
+ "RTLogComPrintfV",
+ "RTLogCopyGroupsAndFlags",
+ "RTLogCreate",
+ "RTLogCreateEx",
+ "RTLogCreateExV",
+ "RTLogDefaultInit",
+ "RTLogDefaultInstance",
+ "RTLogDestroy",
+ "RTLogFlags",
+ "RTLogFlush",
+ "RTLogFlushRC",
+ "RTLogFlushToLogger",
+ "RTLogFormatV",
+ "RTLogGetDefaultInstance",
+ "RTLogGroupSettings",
+ "RTLogLogger",
+ "RTLogLoggerEx",
+ "RTLogLoggerExV",
+ "RTLogLoggerV",
+ "RTLogPrintf",
+ "RTLogPrintfV",
+ "RTLogRelDefaultInstance",
+ "RTLogRelLoggerV",
+ "RTLogRelPrintfV",
+ "RTLogRelSetDefaultInstance",
+ "RTLogSetDefaultInstance",
+ "RTLogSetDefaultInstanceThread",
+ "RTLogWriteCom",
+ "RTLogWriteDebugger",
+ "RTLogWriteStdErr",
+ "RTLogWriteStdOut",
+ "RTLogWriteUser",
+ "RTMemAlloc",
+ "RTMemAllocZ",
+ "RTMemContAlloc",
+ "RTMemContFree",
+ "RTMemDup",
+ "RTMemDupEx",
+ "RTMemExecAlloc",
+ "RTMemExecFree",
+ "RTMemFree",
+ "RTMemRealloc",
+ "RTMemTmpAlloc",
+ "RTMemTmpAllocZ",
+ "RTMemTmpFree",
+ "RTMpCpuId",
+ "RTMpCpuIdFromSetIndex",
+ "RTMpCpuIdToSetIndex",
+ "RTMpGetCount",
+ "RTMpGetMaxCpuId",
+ "RTMpGetOnlineCount",
+ "RTMpGetOnlineSet",
+ "RTMpGetSet",
+ "RTMpIsCpuOnline",
+ "RTMpIsCpuPossible",
+ "RTMpIsCpuWorkPending",
+ "RTMpNotificationDeregister",
+ "RTMpNotificationRegister",
+ "RTMpOnAll",
+ "RTMpOnOthers",
+ "RTMpOnSpecific",
+ "RTPowerNotificationDeregister",
+ "RTPowerNotificationRegister",
+ "RTPowerSignalEvent",
+ "RTProcSelf",
+ "RTR0Init",
+ "RTR0MemObjAddress",
+ "RTR0MemObjAddressR3",
+ "RTR0MemObjAllocCont",
+ "RTR0MemObjAllocLow",
+ "RTR0MemObjAllocPage",
+ "RTR0MemObjAllocPhys",
+ "RTR0MemObjAllocPhysNC",
+ "RTR0MemObjEnterPhys",
+ "RTR0MemObjFree",
+ "RTR0MemObjGetPagePhysAddr",
+ "RTR0MemObjIsMapping",
+ "RTR0MemObjLockKernel",
+ "RTR0MemObjLockUser",
+ "RTR0MemObjMapKernel",
+ "RTR0MemObjMapKernelEx",
+ "RTR0MemObjMapUser",
+ "RTR0MemObjReserveKernel",
+ "RTR0MemObjReserveUser",
+ "RTR0MemObjSize",
+ "RTR0ProcHandleSelf",
+ "RTR0Term",
+ "RTSemEventCreate",
+ "RTSemEventDestroy",
+ "RTSemEventMultiCreate",
+ "RTSemEventMultiDestroy",
+ "RTSemEventMultiReset",
+ "RTSemEventMultiSignal",
+ "RTSemEventMultiWait",
+ "RTSemEventMultiWaitNoResume",
+ "RTSemEventSignal",
+ "RTSemEventWait",
+ "RTSemEventWaitNoResume",
+ "RTSemFastMutexCreate",
+ "RTSemFastMutexDestroy",
+ "RTSemFastMutexRelease",
+ "RTSemFastMutexRequest",
+ "RTSpinlockAcquire",
+ "RTSpinlockAcquireNoInts",
+ "RTSpinlockCreate",
+ "RTSpinlockDestroy",
+ "RTSpinlockRelease",
+ "RTSpinlockReleaseNoInts",
+ "RTStrFormat",
+ "RTStrFormatNumber",
+ "RTStrFormatTypeDeregister",
+ "RTStrFormatTypeRegister",
+ "RTStrFormatTypeSetUser",
+ "RTStrFormatV",
+ "RTStrPrintf",
+ "RTStrPrintfEx",
+ "RTStrPrintfExV",
+ "RTStrPrintfV",
+ "RTStrToInt16",
+ "RTStrToInt16Ex",
+ "RTStrToInt16Full",
+ "RTStrToInt32",
+ "RTStrToInt32Ex",
+ "RTStrToInt32Full",
+ "RTStrToInt64",
+ "RTStrToInt64Ex",
+ "RTStrToInt64Full",
+ "RTStrToInt8",
+ "RTStrToInt8Ex",
+ "RTStrToInt8Full",
+ "RTStrToUInt16",
+ "RTStrToUInt16Ex",
+ "RTStrToUInt16Full",
+ "RTStrToUInt32",
+ "RTStrToUInt32Ex",
+ "RTStrToUInt32Full",
+ "RTStrToUInt64",
+ "RTStrToUInt64Ex",
+ "RTStrToUInt64Full",
+ "RTStrToUInt8",
+ "RTStrToUInt8Ex",
+ "RTStrToUInt8Full",
+ "RTThreadNativeSelf",
+ "RTThreadPreemptDisable",
+ "RTThreadPreemptIsEnabled",
+ "RTThreadPreemptRestore",
+ "RTThreadSleep",
+ "RTThreadYield",
+ "RTTimeMilliTS",
+ "RTTimeNanoTS",
+ "RTTimeNow",
+ "RTTimeSystemMilliTS",
+ "RTTimeSystemNanoTS",
+ "RTTimerCreateEx",
+ "RTTimerDestroy",
+ "RTTimerGetSystemGranularity",
+ "RTTimerReleaseSystemGranularity",
+ "RTTimerRequestSystemGranularity",
+ "RTTimerStart",
+ "RTTimerStop",
+ "SUPR0ComponentDeregisterFactory",
+ "SUPR0ComponentQueryFactory",
+ "SUPR0ComponentRegisterFactory",
+ "SUPR0ContAlloc",
+ "SUPR0ContFree",
+ "SUPR0EnableVTx",
+ "SUPR0GetPagingMode",
+ "SUPR0GipMap",
+ "SUPR0GipUnmap",
+ "SUPR0LockMem",
+ "SUPR0LowAlloc",
+ "SUPR0LowFree",
+ "SUPR0MemAlloc",
+ "SUPR0MemFree",
+ "SUPR0MemGetPhys",
+ "SUPR0ObjAddRef",
+ "SUPR0ObjAddRefEx",
+ "SUPR0ObjRegister",
+ "SUPR0ObjRelease",
+ "SUPR0ObjVerifyAccess",
+ "SUPR0PageAlloc",
+ "SUPR0PageAllocEx",
+ "SUPR0PageFree",
+ "SUPR0PageMapKernel",
+ "SUPR0UnlockMem",
+ "g_szRTAssertMsg1",
+ "g_szRTAssertMsg2"
+ ],
+ "ImportedFunctions": [
 "IoDeleteDevice",
 "IoDeleteSymbolicLink",
- "RtlSetDaclSecurityDescriptor",
- "MmMapLockedPagesSpecifyCache",
- "PsGetProcessId",
- "IoThreadToProcess",
- "PsGetCurrentProcessSessionId",
- "ZwTerminateProcess",
- "KeStackAttachProcess",
- "KeUnstackDetachProcess",
- "ZwOpenThread",
- "PsProcessType",
- "ExfInterlockedInsertHeadList",
- "ExfInterlockedRemoveHeadList",
- "CmRegisterCallback",
- "CmUnRegisterCallback",
- "RtlCreateRegistryKey",
- "ZwOpenKey",
- "ZwEnumerateKey",
- "ZwQueryKey",
- "ZwQueryValueKey",
- "KeServiceDescriptorTable",
- "RtlUnicodeStringToAnsiString",
- "RtlFreeAnsiString",
- "ProbeForWrite",
- "PsSetLoadImageNotifyRoutine",
- "PsRemoveLoadImageNotifyRoutine",
- "PsGetProcessSectionBaseAddress",
- "MmSystemRangeStart",
- "KeBugCheckEx",
- "RtlUnwind",
- "PsGetProcessImageFileName",
- "FsRtlIsNameInExpression",
- "ObQueryNameString",
- "PsLookupProcessByProcessId",
- "PsGetCurrentProcessId",
- "ZwOpenProcess",
- "RtlUpcaseUnicodeString",
- "RtlUpperString",
- "ZwClose",
- "ZwCreateFile",
+ "RtlInitUnicodeString",
 "ObfDereferenceObject",
- "ObReferenceObjectByHandle",
- "ProbeForRead",
+ "ExUnregisterCallback",
+ "IofCompleteRequest",
+ "DbgPrint",
+ "IoIs32bitProcess",
+ "ExRegisterCallback",
+ "ExCreateCallback",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "IoGetStackLimits",
+ "memchr",
+ "strncmp",
+ "KeInitializeEvent",
+ "ExAcquireFastMutex",
+ "ExReleaseFastMutex",
+ "KeSetEvent",
+ "KeWaitForSingleObject",
+ "KeResetEvent",
+ "KeAcquireSpinLockRaiseToDpc",
+ "KeReleaseSpinLock",
+ "KeDelayExecutionThread",
+ "ZwYieldExecution",
 "ExFreePoolWithTag",
+ "KeInsertQueueDpc",
+ "KeSetTargetProcessorDpc",
+ "KeSetImportanceDpc",
+ "KeInitializeDpc",
 "ExAllocatePoolWithTag",
-
"KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "wcsstr", - "strstr", - "_aullshr", - "memcpy", - "KeReadStateEvent", - "memset", - "KfRaiseIrql", - "KfLowerIrql", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeGetCurrentIrql", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltReleaseContext", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltAllocateContext", - "FltCancelFileOpen", - "FltQueryInformationFile", - "FltReadFile", - "FltParseFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetFileNameInformation", - "FltFreePoolAlignedWithTag", - "FltAllocatePoolAlignedWithTag", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "KeQueryActiveProcessors", + "strchr", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "KeSetTimerEx", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "MmUnmapIoSpace", + "MmUnlockPages", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocatePagesForMdl", + "__C_specific_handler", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", + "ValidFrom": "2008-06-11 00:00:00", + "ValidTo": "2011-06-11 23:59:59", + "Signature": "537c2adf2d3f7cf7cfc86476029fe81f7b8f12596a595cda0d5fbbfd227cce6bce2f8ad1af7fbb1a92a8b8de23a8797748094aae39bc845308e3ccd8fb9dc09b51bdf7b26c4eb8fb4052a8bdc714eaf36fca04d720e06798e36308c2fcaf50c48e61087a3ba0c4b0e77972a69af1ecc9d05e3f001e02ad94db98aa5e1453b541b0c257337fd78bb0372dc7841987424e0abce9cb1f0102a934bd037475b39cfe29dc27e77b3eb89fe805f8c6b1574d768dd2805d1a4b98143b7b6208abfebe7645a607084b1fd13ec7f088ac49cd5adc916090bcebe2e63786a7b80a009abd81349a9f34e135a7f4a2d569be474fe316b1b9f06ddf4d90a6650f7340181a27e1", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "zam64.sys", - "MD5": "d4a10447fdaff7a001715191c1f914b6", - "SHA1": "628e63caf72c29042e162f5f7570105d2108e3c2", - "SHA256": "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0", + "Filename": "vboxdrv.sys", + "MD5": "eaea9ccb40c82af8f3867cd0f4dd5e9d", + "SHA1": "7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c", + "SHA256": "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986", + "Signature": [ + "innotek GmbH", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing 
CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "8ff959801623fcaf37f6fde89a4aeec1", - "SHA1": "b24f8e34221cb7eaa5bed2f177f6701380a0e71f", - "SHA256": "1a166e70dcaf3ef12836db1927953ee528e532cdae8165e67d776971e4cbc48c" + "MD5": "d146876f270e848875465ed081396d3b", + "SHA1": "c54fe31ff5c3cfe1937b7b0906882a1786f453b6", + "SHA256": "597e7d5feb149d9087888926d1454dc06f1078ab18c948b44f090910da8645f8" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "2.11.1.510", - "Product": "ZAM", - "ProductVersion": "2.11.1.510", - "Copyright": "Zemana Ltd. All rights reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": "", + "ExportedFunctions": [ + "AssertMsg1", + "RTAssertDoBreakpoint", + "RTErrConvertFromNtStatus", + "RTLogDefaultInstance", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTMemAlloc", + "RTMemAllocZ", + "RTMemContAlloc", + "RTMemContFree", + "RTMemExecAlloc", + "RTMemExecFree", + "RTMemFree", + "RTMemRealloc", + "RTMemTmpAlloc", + "RTMemTmpAllocZ", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpDoesCpuExist", + "RTMpGetCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpOnAll", + "RTMpOnOthers", + "RTMpOnSpecific", + "RTProcSelf", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocCont", + "RTR0MemObjAllocLow", + "RTR0MemObjAllocPage", + "RTR0MemObjAllocPhys", + "RTR0MemObjAllocPhysNC", + "RTR0MemObjEnterPhys", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernel", + 
"RTR0MemObjLockUser", + "RTR0MemObjMapKernel", + "RTR0MemObjMapUser", + "RTR0MemObjReserveKernel", + "RTR0MemObjReserveUser", + "RTR0MemObjSize", + "RTR0ProcHandleSelf", + "RTSemEventCreate", + "RTSemEventDestroy", + "RTSemEventMultiCreate", + "RTSemEventMultiDestroy", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSpinlockAcquire", + "RTSpinlockAcquireNoInts", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTSpinlockReleaseNoInts", + "RTThreadNativeSelf", + "RTThreadSleep", + "RTThreadYield", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAlloc", + "SUPR0PageFree", + "SUPR0UnlockMem" + ], "ImportedFunctions": [ - "strstr", - "wcsstr", + "IofCompleteRequest", + "DbgPrint", + "IoIs32bitProcess", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmGetSystemRoutineAddress", "RtlInitUnicodeString", - "RtlCopyUnicodeString", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ProbeForRead", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwCreateFile", - "ZwClose", - "RtlUpperString", - "RtlUpcaseUnicodeString", - "PsGetCurrentProcessId", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ObQueryNameString", - "FsRtlIsNameInExpression", - "ZwQueryInformationProcess", + "KeCancelTimer", + "KeInsertQueueDpc", "__C_specific_handler", - "DbgPrint", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "KeSetTimerEx", + "ExSetTimerResolution", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + 
"KeSetTargetProcessorDpc", + "KeSetImportanceDpc", + "KeInitializeDpc", + "KeInitializeTimerEx", + "MmGetPhysicalAddress", + "KeQueryActiveProcessors", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoCreateSymbolicLink", + "IoCreateDevice", + "memchr", + "strncmp", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "ZwYieldExecution", "KeAcquireSpinLockRaiseToDpc", "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessImageFileName", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", "KeInitializeEvent", "KeSetEvent", + "KeResetEvent", "KeWaitForSingleObject", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "MmUnmapIoSpace", + "MmUnlockPages", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmProtectMdlSystemAddress", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ZwDeleteFile", - "ZwQuerySystemInformation", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", 
- "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "PsGetProcessId", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "MmSystemRangeStart", - "KeBugCheckEx" + "MmMapIoSpace" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=DE, O=innotek GmbH, CN=innotek GmbH, emailAddress=info@innotek.de", + "ValidFrom": "2007-12-27 14:37:17", + "ValidTo": "2010-12-27 14:37:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "010000000001171c092665", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] - }, + } + ], + "Tags": [ + "vboxdrv.sys" + ], + "yara": true + }, + { + "Id": "c1265ee4-aed4-4e65-ac54-c64deb5e3b28", + "Author": "Guus Verbeek", + "Created": "2023-05-07", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create fur.sys binPath=C:\\windows\\temp\\fur.sys type=kernel && sc.exe start fur.sys", + "Description": "SophosLabs has discovered that threat actors are using a new driver loader called BURNTCIGAR to install a malicious driver signed with Microsoft.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware, https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "zam64.sys", - "MD5": "75e50ae2e0f783e0caf912f45e15248a", - "SHA1": "a3d612a5ea3439ba72157bd96e390070bdddbbf3", - "SHA256": "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c", + "Filename": "", + "MD5": "6a066d2be83cf83f343d0550b0b8f206", + "SHA1": "8e126f4f35e228fdd3aa78d533225db7122d8945", + "SHA256": "0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": 
{ - "MD5": "cf4707d1cc2b1d1344058ac750e4e61e", - "SHA1": "3bd3de766013c31d87545bd7affd8e52c4e24f72", - "SHA256": "e5316670c0bddc0519ef96b2db89285a8620a260429a97f9d2cf5b58b0287d91" + "MD5": "5c23bab622d6bbabd23d29b4adaa4ae0", + "SHA1": "9fbb6f9a22d1c676ff1b97a33d4c5e94f18aca5f", + "SHA256": "aab97fb324c883f1de71112e1d9fb716cef40636e39a3b9f4a5b8678cf7bde3f" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.20.104", - "Copyright": "Zemana Ltd. All rights reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "FLTMGR.SYS", + "NETIO.SYS", + "WDFLDR.SYS", + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "FsRtlIsNameInExpression", - "PsGetProcessImageFileName", - "ZwQueryInformationProcess", - "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", - "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", "ObQueryNameString", 
- "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", + "FltUnregisterFilter", + "WskRegister", + "WdfVersionBind", + "ExAllocatePool", "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "MmMapLockedPagesSpecifyCache", - "PsGetProcessId", - "IoThreadToProcess", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetProcessSectionBaseAddress", - "MmSystemRangeStart", - "KeBugCheckEx", - "PsLookupProcessByProcessId", - "ZwOpenProcess", - "PsGetCurrentProcessId", - "RtlUpcaseUnicodeString", - "RtlUpperString", - "ZwClose", - "ZwCreateFile", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "wcsstr", - "strstr", - "ZwQuerySystemInformation", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", "DbgPrint", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - 
"FltReleaseContext", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltAllocateContext", - "FltCancelFileOpen", - "FltQueryInformationFile", - "FltReadFile", - "FltParseFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetFileNameInformation", - "FltFreePoolAlignedWithTag", - "FltAllocatePoolAlignedWithTag", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "KeQueryPerformanceCounter" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": 
"0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "fur.sys" + ], + "yara": false + }, + { + "Id": "2b949a0d-939f-456a-a34f-4589d7712227", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create libnicm.sys binPath=C:\\windows\\temp\\libnicm.sys type=kernel && sc.exe start libnicm.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3.yara" }, { - "FileName": "zam64.sys", - "MD5": "5054083cf29649a76c94658ba7ff5bce", - "SHA1": "dd4cd182192b43d4105786ba87f55a036ec45ef2", - "SHA256": "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "libnicm.sys", + "MD5": "c1fce7aac4e9dd7a730997e2979fa1e2", + "SHA1": 
"25d812a5ece19ea375178ef9d60415841087726e", + "SHA256": "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "Micro Focus", + "Description": "XTier COM Services Driver", + "Product": "Micro Focus XTier", + "ProductVersion": "3.1.12", + "FileVersion": "3.1.12.0", + "MachineType": "AMD64", + "OriginalFilename": "libnicm.sys", "Authentihash": { - "MD5": "8d4a371e8da97e8dfd254e7b860bf147", - "SHA1": "d2a888f664ffa91e876dbd797ca1fc95c511c5bc", - "SHA256": "27f5c5eb9a5fc9e02d3ac3cd83fc26b07f3d0143b03db69d6dcf7554d0c50fb6" + "MD5": "f4c87edbb9a270058e01fdc58f29692a", + "SHA1": "e82346880e59a3d7652896128eb91512f5ee3d53", + "SHA256": "bd1d579a15ec3c1120cc6e0c8ff6b265623980de3570a5dd2f57d0c5981334d8" }, - "Description": "ZAM", - "Company": "Zemana Ltd.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "ZAM", - "ProductVersion": "2.17.984", - "Copyright": "Zemana Ltd. All rights reserved.", - "MachineType": "AMD64", + "Copyright": "(C) Copyright 2000-2017, Micro Focus. 
All Rights Reserved.", "Imports": [ - "ntoskrnl.exe", - "FLTMGR.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "RtlUpperString", - "RtlUpcaseUnicodeString", - "PsGetCurrentProcessId", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ObQueryNameString", - "FsRtlIsNameInExpression", - "ZwQueryInformationProcess", - "__C_specific_handler", - "DbgPrint", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessImageFileName", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "KeSetEvent", - "KeWaitForSingleObject", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ZwDeleteFile", - "ZwClose", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - 
"MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "PsGetProcessId", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "MmSystemRangeStart", - "KeBugCheckEx", - "ZwCreateFile", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", + "ExAcquireResourceExclusiveLite", "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", - "RtlCopyUnicodeString", + "ExFreePoolWithTag", + "strstr", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "MmUnmapLockedPages", + "ProbeForRead", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "KeInitializeMutex", + "KeLeaveCriticalRegion", + "IoDeleteDevice", + "ProbeForWrite", + "IoFreeMdl", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", + "ZwClose", + "IofCompleteRequest", + "IoSetTopLevelIrp", + "KeWaitForSingleObject", + "MmProbeAndLockPages", + "MmUnlockPages", + "ExDeleteResourceLite", + "IoGetTopLevelIrp", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", + "DbgPrint", + "IoAllocateMdl", + "RtlCreateSecurityDescriptor", + "IoGetCurrentProcess", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", "RtlInitUnicodeString", - "wcsstr", + "RtlAppendUnicodeToString", + 
"RtlUnicodeStringToAnsiString", + "ZwSetValueKey", "ZwQuerySystemInformation", - "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", + "MmIsAddressValid", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwLoadDriver", + "ZwOpenKey", + "KeBugCheckEx", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2021-09-09 19:15:59", + "ValidTo": "2022-09-01 19:15:59", + "Signature": "1757782e797188079911866d54bd474a2432707984658c549a407e7fb4e5efa2ba72367a02b382d2116d4c4538836ddcd4616fcd231229df1ae5d0da6b3abe499ee5d8b47a7919940f6bbcbe2575018dca65eef4913e3d38410f2cd6cca3082d9ba2c061173cd828635665f76e8f0f685e03da24290b9d2cae7039da974de7b7e85798ba64cbe9ba34e0308c3bd6b4d68e9723fde74274fd3806fe799d04d6a3835f82d4fefc52088ccda4b4c817116f2f5a99445a3e952d78bc27753e65e97c6271c71ac7c9e3439b847e8984ab06a5904d150223f9ca92bbda86c02663c3f4964da5e106619b6eaff2768143cce9e5a8b0b2cba90e82cd87866d9fd6499c6cfbc96529a18b5653d12b54a6c928693a4e3d197ffbfcce7ed71a909b18d09b4345b24bc25eb8dfa1821a9cd0971ffc7d38a26580e2f118c4ac55bf926d0666b72ad7ba6ec20f0b54d694bc3b8a0dbddda27bd64194da085319841d1ebc9dc067ef72ea064a475bea865828b13077bc8e14e2f7544b90f0045f3cd84bcc0d5a80645a6fb65528e4f768ec775bdb0225399f3c81c0b667714676d0949f9ffaddc8549dc45e5ce4345c4ea7dc0aff4ac510f5527ad94a2181edc4b73bcfde813a83d81ca897854c98712346001a12e5d3bf9a45c807f9b3c7d3e0bb99c035ea54ee39e2c9af4147dbea7aabec85b47192b945e083ddf6061afb901e83b11135d24e", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "330000004de597a775e3157f7b00000000004d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } @@ -24060,28 +9438,27 @@ } ], "Tags": [ - "zam64.sys" - ] + "libnicm.sys" + ], + "yara": true }, { - "Id": "50cfaec9-55f8-49df-aa3e-b9ec3f4f4ff3", + "Id": "7a5fe570-3b35-4fad-b7d6-7518bd5436a0", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-03-02", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create mhyprot.sys binPath=C:\\windows\\temp\\mhyprot.sys type=kernel && sc.exe start mhyprot.sys", - "Description": "", + "Command": "sc.exe create NodeDriver.sys binPath=C:\\windows\\temp\\NodeDriver.sys type=kernel && sc.exe start NodeDriver.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Mhyprot.yar", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" ], "Acknowledgement": { "Person": "", 
@@ -24090,14 +9467,14 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "mhyprot.sys", - "MD5": "4b817d0e7714b9d43db43ae4a22a161e", - "SHA1": "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3", - "SHA256": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6", + "Filename": "NodeDriver.sys", + "MD5": "ee6b1a79cb6641aa44c762ee90786fe0", + "SHA1": "3ef30c95e40a854cc4ded94fc503d0c3dc3e620e", + "SHA256": "05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4", "Signature": [ - "miHoYo Co.,Ltd.", - "DigiCert Assured ID Code Signing CA-1", - "DigiCert" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", "Publisher": "", 
@@ -24109,111 +9486,35 @@ "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "ff295de93e6b6dcc3938d50901a7240d", - "SHA1": "484c72dd4fd91083b249f3ccc733a3c8335e583f", - "SHA256": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c" + "MD5": "cb01e86f3c5a26629d53856c5e4990ec", + "SHA1": "fbbb429de5458a274b4a4ab44ed6785139f4a7e4", + "SHA256": "43374fd68dc06c8491b16d177156444ee44f497bbceafd0165f40ba48bf6802f" }, "InternalName": "", "Copyright": "", "Imports": [ + "NETIO.SYS", "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "NtQuerySystemInformation", - "RtlInitUnicodeString", - "ExAllocatePool", + "WskCaptureProviderNPI", "ExAllocatePoolWithTag", + "ExAllocatePool", + "NtQuerySystemInformation", "ExFreePoolWithTag", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "_wcsicmp", - "RtlInitString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ZwClose", - "MmIsAddressValid", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ObReferenceObjectByName", - "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", - "MmGetSystemRoutineAddress", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", - "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", - "ZwQueryVirtualMemory", + "IoAllocateMdl", "MmProbeAndLockPages", - "PsLookupProcessByProcessId", "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoGetCurrentProcess", - "MmCopyVirtualMemory", - "KeClearEvent", - "KeSetEvent", - "KeWaitForSingleObject", - "MmMapLockedPages", - "ObReferenceObjectByHandle", - 
"PsSetCreateProcessNotifyRoutineEx", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "ExEventObjectType", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", - "IoThreadToProcess", - "strcmp", - "PsProcessType", - "PsThreadType", - "RtlGetVersion", - "ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - "_snprintf", - "vsprintf_s", - "ZwCreateFile", - "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", "DbgPrint", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "KeInitializeEvent", - "RtlCopyUnicodeString", - "ObfDereferenceObject", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "MmBuildMdlForNonPagedPool", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -24221,45 +9522,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-08 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "46a5e6f6c38a63b314f7e2677bb86d4bcd7839eef8e006048ddd58c6783ff0657456e61c800efb31966c611f7ca7d1de1785e006e3f4c0b24cb652842e42cbae016320a774724537fc30e8f09895fdb626daa26b5740c7538aa1df1f97dcab12c3a743c2048f6c9a754f66189ac0f21544399798fb780cd347c9cac0443c8d778736938e17cdd5eca8a2338d8171efd61e13c868dff862da9df4ca8c653a227e0971030aa7e6b44dc2199d1ebd9cae00c6f0a3e91bb883cc509fb297902ba5c13e5826071d92178ace51f1a0653b0445cf7ba17226401c92d7db4f67a37d1243f9094ad5f32873891ea5004a8cbfec77129d4955e344492aaee456f852001ded", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": 
"0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "05a7559541e0fdc678d79e3272468907", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } 
@@ -24267,27 +9547,27 @@ } ], "Tags": [ - "mhyprot.sys" - ] + "NodeDriver.sys" + ], + "yara": false }, { - "Id": "72637cb1-5ca2-4ad0-a5df-20da17b231b5", + "Id": "8d14d798-338f-471e-bacb-6d9371c0f529", "Author": "Michael Haag", - "Created": "2023-02-28", + "Created": "2023-01-09", "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", + "Category": "vulnerable driver", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create wantd_4.sys binPath=C:\\windows\\temp\\wantd_4.sys type=kernel && sc.exe start wantd_4.sys", - "Description": "Driver used in the Daxin malware campaign.", + "Command": "sc.exe create dbutil.sys binPath=C:\\windows\\temp\\dbutil.sys type=kernel && sc.exe start dbutil.sys", + "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
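Review bot: The `Resources` array of the new dbutil.sys entry repeats one URL, and the first copy carries a leading space (`" https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"`), which defeats naive comparison and yields a malformed link if used verbatim; the array should hold the URL once, trimmed. The libnicm.sys record in the first hunk of this chunk shows the same leading-space duplicate pattern for its GitHub reference, so this looks systematic in the upstream export rather than a one-off, and the consumer may want to trim and deduplicate on load. The entry continues into the next hunk, where its four samples carry only `SHA1` values with no `MD5` or `SHA256`; a consumer that matches on MD5 or SHA256 would presumably never match these, which is worth stating in the package documentation.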
@@ -24296,289 +9576,275 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "wantd_4.sys", - "MD5": "79df0eabbf2895e4e2dae15a4772868c", - "SHA1": "d02403f85be6f243054395a873b41ef8a17ea279", - "SHA256": "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce", - "Signature": "The digital signature of the object did not verify.", - "Date": "8:23 PM 2/28/2022", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", - "Company": "Microsoft Corporation", - "Description": "WAN Transport Driver", - "Product": "Microsoft Windows Operating System", - "ProductVersion": "6.1.7600.1172", - "FileVersion": "6.1.7600.1172", - "MachineType": "AMD64", - "OriginalFilename": "wantd.sys", + "Filename": "dbutil.sys", + "SHA1": "485c0b9710a196c7177b99ee95e5ddb35b26ddd1", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "dbutil.sys", + "SHA1": "50e2bc41f0186fdce970b80e2a2cb296353af586", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "dbutil.sys", + "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "dbutil.sys", + "SHA1": "e09b5e80805b8fe853ea27d8773e31bff262e3f7", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "dbutil.sys" + ], + "yara": false + }, + { + "Id": "1ff757df-9a40-4f78-a28a-64830440abf7", + "Author": "Nasreddine 
Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create winio64.sys binPath=C:\\windows\\temp\\winio64.sys type=kernel && sc.exe start winio64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "FileName": "winio64.sys", + "MD5": "8fc6cafd4e63a3271edf6a1897a892ae", + "SHA1": "f8d7369527cc6976283cc73cd761f93bd1cec49d", + "SHA256": "15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9", "Authentihash": { - "MD5": "00a677b8d21de4be1c7c16f2f105dbc6", - "SHA1": "a10f5c6c4d5ae78f0ca771328c74eb9fc51e593d", - "SHA256": "3f55375fb70cb355fe7de7f59904b12ef996447cbc7113fefa379995e040d678" + "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", + "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", + "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" }, - "InternalName": "wantd.sys", - "Copyright": "Microsoft Corporation. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "wcsncmp", - "IoAllocateMdl", - "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "_strnicmp", - "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "_wcsnicmp", - "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", - "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "atoi", - "_snprintf", - "ZwQuerySystemInformation", - "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", - "RtlImageDirectoryEntryToData", - "KeDetachProcess", - "ZwOpenFile", - "ZwCreateFile", - "PsCreateSystemThread", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeAttachProcess", - "PsGetVersion", - "PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", "ObfDereferenceObject", - "IoCreateDevice", - "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "PsLookupThreadByThreadId", - "RtlLengthSid", - "RtlCreateSecurityDescriptor", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", - "ZwDeviceIoControlFile", - "IofCompleteRequest", "ZwClose", - "MmMapLockedPagesSpecifyCache", - "KeDelayExecutionThread", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "ZwWaitForSingleObject", - 
"RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", - "NdisFreeMemory", - "NdisMIndicateStatus", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "ZwOpenSection", + "ObReferenceObjectByHandle", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "RtlCopyUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", + "ValidFrom": "2011-04-15 20:13:19", + "ValidTo": "2021-04-15 20:23:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA", + "ValidFrom": "2007-10-24 22:03:55", + "ValidTo": "2017-10-24 22:03:55", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", + "ValidFrom": "2014-07-24 18:00:20", + "ValidTo": "2017-07-24 09:00:56", + "Signature": 
"b4fea6e9fcf641e617b115ceca7bf10bbdcce8ed5a6644fe006af7a42a7e67ce269bef720dc937e258a7df51c342f9b00a5202ee5d651f76a3d1a7729cacb3db6a811d17df6042f447a26544de87b59d9d241a7446af330bd89fae3f9a07f8ea86ae276fb5f0c325ac0b7ba62c7e58a551e319daf55bfb4a1cde484b9519fb07f7f4801afe43ed99b6275cc66d36c23d0b1aebf05bebd79a1f16f7084c5bc1b2d935e6868ed0e1ca7100a6ef14af0194439e0e33de20ab71e5fe453c632c6686dbc5ecb969619e8519fd5f79da2ddf35936daa73c0c6216661e290de4d6473b3a1a964917567692568e8365de7ed1e4801749a004b915e58755de83a0e23f2e3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0f69", + "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" } ] } ] - } - ], - "Tags": [ - "wantd_4.sys" - ] - }, - { - "Id": "bc5e020a-ecff-43c8-b57b-ee17b5f65b21", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create sandra.sys binPath=C:\\windows\\temp\\sandra.sys type=kernel && sc.exe start sandra.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "sandra.sys", - "MD5": "9a237fa07ce3ed06ea924a9bed4a6b99", - "SHA1": "82ba5513c33e056c3f54152c8555abf555f3e745", - "SHA256": 
"1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b", - "Signature": [ - "SiSoftware Ltd", - "GeoTrust TrustCenter CodeSigning CA I", - "GeoTrust" - ], - "Date": "", - "Publisher": "", - "Company": "SiSoftware", - "Description": "Sandra Device Driver (Win64 x64)(Unicode)", - "Product": "SiSoftware Sandra", - "ProductVersion": "10.11.1.1", - "FileVersion": "10.11.1.1 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "SANDRA", + "FileName": "WinIo64.sys", + "MD5": "7c0b186d1912686cfcb8cd9cdebabe58", + "SHA1": "6bb68e1894bfbc1ac86bcdc048f7fe7743de2f92", + "SHA256": "dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef", "Authentihash": { - "MD5": "6f72f204305c65af27c9f97fe4296b54", - "SHA1": "b785192962dd159acd960c8f8f9f211747c83610", - "SHA256": "b9661dd0dcf81d2ee8e5eb3b728c907b4eb861806971051ad772f7fe4d09eb6a" + "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", + "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", + "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" }, - "InternalName": "SANDRA", - "Copyright": "Copyright © SiSoftware Ltd 1995-2008. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwSetValueKey", - "NtQueryInformationProcess", + "ObfDereferenceObject", "ZwClose", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoQueryDeviceDescription", - "ZwSetInformationThread", - "RtlUnicodeStringToAnsiString", - "IoAllocateMdl", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwCreateKey", - "MmResetDriverPaging", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "IofCompleteRequest", - "MmPageEntireDriver", - "IoUnregisterShutdownNotification", + "ZwOpenSection", + "ObReferenceObjectByHandle", + "ZwUnmapViewOfSection", + "KeBugCheckEx", "IoDeleteSymbolicLink", "IoDeleteDevice", - "RtlQueryRegistryValues", - "IoCreateDevice", + "RtlCopyUnicodeString", "IoCreateSymbolicLink", - "IoRegisterShutdownNotification", - "KeBugCheckEx", - "RtlAppendUnicodeToString", - "IoReportResourceUsage", + "IoCreateDevice", + "IofCompleteRequest", + "ZwMapViewOfSection", "RtlInitUnicodeString", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", "HalTranslateBusAddress", - "KeStallExecutionProcessor" + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", - "ValidFrom": "2006-02-01 21:44:28", - "ValidTo": "2016-01-30 21:44:28", - "Signature": 
"65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", - "ValidFrom": "2006-08-25 14:34:37", - "ValidTo": "2009-08-25 14:34:37", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", - "ValidFrom": "2006-02-13 15:40:22", - "ValidTo": "2016-02-11 15:40:22", - "Signature": "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", + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", + "ValidFrom": "2011-04-15 20:13:19", + "ValidTo": "2021-04-15 20:23:19", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", - "ValidFrom": "2006-05-23 
17:01:15", - "ValidTo": "2016-05-23 17:11:15", - "Signature": "87a40f6b55916248ff54811ccf5db6c5a514aa671df485f6860d38b31c8d22ce7c867946fb71e16114d0ed4e46a48bca64654094f92ad7870ca9b7bedcc40bbd09c106eb9530841b9d8de7bc70c6f86539c4e5c4e65c8fcda130baef065e555290edd8587f15142ecc21a593dab8508d805e6e22a70fde8093add71d24b02aa2f4f20b98750131cc69bc359b3d13662f21bde54ec3639cc8518d59f5b600937ef10c35b0f4180dbfa7bdb2aae16b9f3ce6bb41b5d904e7c8a63abf8a5bdcaa9a3cd2c8dfcb1774163d78470b4c108e406616a0f300ede034998af0f9460ff27fbf202c972616d59e81da94a6dc61c8f18e092d4e32d03df682267d91d7a6c67bc1311d210ed4a342c1b4dfc0446b4f2aeebb29d62787b0a450ae1a9ab5f996f4ccabe52b3df166e2d5e1c3f0c687b659536638026e6194df1563aa415052f9bb64dc95e05b6c2aacfed6e603c21ff65557fe7e813fcb5a0bc1029cac84e47cd3f4c25a17c312706009ec82e5eccdd0b2106d69868c8da60e0416c57164ebd95bb8b08cfc32427e60846f655b7244272b846181f461d50fd51dbc05a27a5f937f26d1c8b3afa0190723e43e225d32d14a0fcee7b72a5c7b6e1c57126864e8337e8c501340a487b0d3a69b1eacbd3d7812bc52af09e0bab0508e5c81f98383af1482f50a6d035721bb9ac32e66fb04215b0a120fc1c907d63cecabf9a52f90883a", + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA", + "ValidFrom": "2007-10-24 22:03:55", + "ValidTo": "2017-10-24 22:03:55", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", + "ValidFrom": "2014-07-24 18:00:20", + "ValidTo": "2017-07-24 09:00:56", + "Signature": 
"b4fea6e9fcf641e617b115ceca7bf10bbdcce8ed5a6644fe006af7a42a7e67ce269bef720dc937e258a7df51c342f9b00a5202ee5d651f76a3d1a7729cacb3db6a811d17df6042f447a26544de87b59d9d241a7446af330bd89fae3f9a07f8ea86ae276fb5f0c325ac0b7ba62c7e58a551e319daf55bfb4a1cde484b9519fb07f7f4801afe43ed99b6275cc66d36c23d0b1aebf05bebd79a1f16f7084c5bc1b2d935e6868ed0e1ca7100a6ef14af0194439e0e33de20ab71e5fe453c632c6686dbc5ecb969619e8519fd5f79da2ddf35936daa73c0c6216661e290de4d6473b3a1a964917567692568e8365de7ed1e4801749a004b915e58755de83a0e23f2e3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "008da900010020ba965fe3dc471ba8", - "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" + "SerialNumber": "0f69", + "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" } ] } 
@@ -24586,204 +9852,229 @@ } ], "Tags": [ - "sandra.sys" - ] + "winio64.sys" + ], + "yara": false }, { - "Id": "9a4fb66e-9084-4b21-9d76-a7afbe330606", - "Author": "Michael Haag", - "Created": "2023-01-09", + "Id": "5938df1d-9513-449f-8252-c442ddca0c2a", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AMDPowerProfiler.sys binPath=C:\\windows\\temp\\AMDPowerProfiler.sys type=kernel && sc.exe start AMDPowerProfiler.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create VBoxUSB.sys binPath=C:\\windows\\temp\\VBoxUSB.Sys type=kernel && sc.exe start VBoxUSB.Sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "AMDPowerProfiler.sys", - "MD5": "e4266262a77fffdea2584283f6c4f51d", - "SHA1": "b480c54391a2a2f917a44f91a5e9e4590648b332", - "SHA256": "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05", - "Signature": [ - "Advanced Micro Devices Inc.", - "Sectigo RSA Code Signing CA", - "USERTrust RSA Certification Authority", - "Sectigo (AAA)" - ], - "Date": "", - "Publisher": "", - "Company": "Advanced Micro Devices, Inc.", - "Description": "AMD Power Profiling Driver", - "Product": "AMD uProf", - "ProductVersion": "3.4.493.0", - "FileVersion": "6.1.0.0", - "MachineType": "AMD64", - "OriginalFilename": "AMDPowerProfiler.sys", + "FileName": "VBoxUSB.Sys", + "MD5": "65b979bcab915c3922578fe77953d789", + "SHA1": "6a2912c8e2aa4373852585bc1134b83c637bc9fd", 
+ "SHA256": "6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8", "Authentihash": { - "MD5": "7ed9c787e267b2606441010b65767771", - "SHA1": "07a5aac8abb0a85822bf792607b9e90914b454dc", - "SHA256": "e1d3963c55c7ffa96d16e47ec4bbb4e171f828650ce853eb0b83c90ae9c6265a" + "MD5": "5e120bab075f0c78a1023bec63fb5ec6", + "SHA1": "36b030a7f80da09b8b80cdab325489d5a6d9698a", + "SHA256": "dd09931d050a354b34731621191795483930bb5f00aa6fba5bb849ea2c89224c" }, - "InternalName": "AMDPowerProfiler.sys", - "Copyright": "© 2021 AMD Inc. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "AMDPCore.SYS", - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "AssertMsg1", + "RTAssertDoBreakpoint", + "RTErrConvertFromNtStatus", + "RTLogDefaultInstance", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTMemAlloc", + "RTMemAllocZ", + "RTMemContAlloc", + "RTMemContFree", + "RTMemExecAlloc", + "RTMemExecFree", + "RTMemFree", + "RTMemRealloc", + "RTMemTmpAlloc", + "RTMemTmpAllocZ", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpDoesCpuExist", + "RTMpGetCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpOnAll", + "RTMpOnOthers", + "RTMpOnSpecific", + "RTProcSelf", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocCont", + "RTR0MemObjAllocLow", + "RTR0MemObjAllocPage", + "RTR0MemObjAllocPhys", + "RTR0MemObjAllocPhysNC", + "RTR0MemObjEnterPhys", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernel", + "RTR0MemObjLockUser", + "RTR0MemObjMapKernel", + "RTR0MemObjMapUser", + "RTR0MemObjReserveKernel", + 
"RTR0MemObjReserveUser", + "RTR0MemObjSize", + "RTR0ProcHandleSelf", + "RTSemEventCreate", + "RTSemEventDestroy", + "RTSemEventMultiCreate", + "RTSemEventMultiDestroy", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSpinlockAcquire", + "RTSpinlockAcquireNoInts", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTSpinlockReleaseNoInts", + "RTThreadNativeSelf", + "RTThreadSleep", + "RTThreadYield", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAlloc", + "SUPR0PageFree", + "SUPR0UnlockMem" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "PcoreRemoveAllConfigurations", - "PcoreIsLoaded", - "PcoreAddConfiguration", - "PcoreUnregister", - "PcoreVersion", - "PcoreRegister", - "PcoreGetResourceCount", - "KeGetProcessorNumberFromIndex", - "KeInitializeDpc", - "KeSetTargetProcessorDpcEx", - "MmMapIoSpace", - "MmUnmapIoSpace", - "KeQueryActiveGroupCount", - "KeSetEvent", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "KeInitializeEvent", - "KeWaitForSingleObject", - "KeQueryActiveProcessorCountEx", - "ExSystemTimeToLocalTime", - "KeGetCurrentProcessorNumberEx", - "RtlInitUnicodeString", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlGetVersion", "IofCompleteRequest", - "IoCreateSymbolicLink", - "MmUnlockPages", - "PsRemoveLoadImageNotifyRoutine", - "ZwOpenSection", - "ZwUnmapViewOfSection", - "MmProbeAndLockPages", - "PsSetLoadImageNotifyRoutine", - "ObfDereferenceObject", - "IoAllocateMdl", - "PsRemoveCreateThreadNotifyRoutine", - "ZwMapViewOfSection", - 
"ObReferenceObjectByHandle", - "IoFreeMdl", - "MmIsAddressValid", - "PsSetCreateThreadNotifyRoutine", - "PsSetCreateProcessNotifyRoutine", - "ZwClose", - "IoSizeofWorkItem", - "ZwQueryVolumeInformationFile", - "IoQueryFileDosDeviceName", - "IoInitializeWorkItem", - "IoQueueWorkItemEx", - "ObfReferenceObject", - "IoUninitializeWorkItem", - "ZwOpenFile", + "DbgPrint", "IoIs32bitProcess", + "MmFreeContiguousMemory", + "IoFreeMdl", "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "IoCreateDevice", - "ObOpenObjectByPointer", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeBugCheckEx", + "RtlInitUnicodeString", + "KeCancelTimer", "KeInsertQueueDpc", - "KeSetImportanceDpc", - "DbgPrint", - "MmMapLockedPagesSpecifyCache", - "RtlIsNtDdiVersionAvailable", - "ZwCreateFile", - "ZwWriteFile", "__C_specific_handler", - "strcmp", - "KeQueryPerformanceCounter", - "HalAllocateHardwareCounters", - "HalFreeHardwareCounters" + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "KeSetTimerEx", + "ExSetTimerResolution", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeSetTargetProcessorDpc", + "KeSetImportanceDpc", + "KeInitializeDpc", + "KeInitializeTimerEx", + "MmGetPhysicalAddress", + "KeQueryActiveProcessors", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoCreateSymbolicLink", + "IoCreateDevice", + "memchr", + "strncmp", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", 
+ "KeDelayExecutionThread", + "ZwYieldExecution", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeInitializeEvent", + "KeSetEvent", + "KeResetEvent", + "KeWaitForSingleObject", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "MmUnmapIoSpace", + "MmUnlockPages", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmProtectMdlSystemAddress", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows", + "ValidFrom": "2021-09-02 18:23:41", + "ValidTo": "2022-09-01 18:23:41", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.", - "ValidFrom": "2021-05-11 00:00:00", - 
"ValidTo": "2024-05-10 23:59:59", - "Signature": "8444e268ff381c9148985f408e5cc1453a560c9dd94d2a6cfa01dd7f2adc8af633053d2c79027db4f185f477b0d5db8b362b37dbd0d258823831ace7058baf3feb80a9eb2de9dd886bcf390fae9b586fc833e63db5c6a07019f35a9fce6899502852737b32d25ea7832c3786df0642d21622e56c0b0171e96f9520d07f73950376ff555bcf9c8a55bf4f86c088b58e2cb625a0ef4680ed7281f09a40c7be9f69cba77a6967030e39b2cfa46692698ced9e5347dd7056b476545c3442f934cb2c30cb986afabd29a9a9e2eb28c5bd6ee47dabf5ef587f850ea49b124eb868aac68de949616d08f875192b93388549c7327a3ef085e287d5a743810c151b250c64", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", + "ValidFrom": "2011-10-19 18:41:42", + "ValidTo": "2026-10-19 18:51:42", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority", - "ValidFrom": "2019-03-12 00:00:00", - "ValidTo": "2028-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA", - "ValidFrom": "2018-11-02 00:00:00", - "ValidTo": "2030-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "535091e6cab13af393b51ead0825f627", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" + "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" } ] } 
@@ -24791,626 +10082,538 @@ } ], "Tags": [ - "AMDPowerProfiler.sys" - ] + "VBoxUSB.Sys" + ], + "yara": false }, { - "Id": "6fe10a55-7fb8-4a9d-9ebc-1b27b6e5b833", - "Author": "Guus Verbeek", - "Created": "2023-05-07", + "Id": "613b8509-18c0-4720-b489-736776b6713e", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create prokiller64.sys binPath=C:\\windows\\temp\\prokiller64.sys type=kernel && sc.exe start prokiller64.sys", - "Description": "Signed POORTRY Samples", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create gdrv.sys binPath=C:\\windows\\temp\\gdrv.sys type=kernel && sc.exe start gdrv.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "prokiller64.sys", - "MD5": 
"10f3679384a03cb487bda9621ceb5f90", - "SHA1": "31cc8718894d6e6ce8c132f68b8caaba39b5ba7a", - "SHA256": "0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": "b0954711c133d284a171dd560c8f492a", + "SHA1": "4f0d9122f57f4f8df41f3c3950359eb1284b9ab5", + "SHA256": "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0", "Authentihash": { - "MD5": "4252d83e18ad41f0cea7ac168218d95b", - "SHA1": "cf9cb05c9b725efca68c4b7d6f53c8e233217ac4", - "SHA256": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f" + "MD5": "f4a434113ef1b0bfed60b8a5bcd4fa9c", + "SHA1": "bffa9edada9f48685c5178f247c416029b423834", + "SHA256": "1bd6a40e294f4f74f9baf172f5a3e21dad3b7e31b5757d91bda309bd54a72fbe" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.0.1.1", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "rand", - "srand", - "RtlInitUnicodeString", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExSystemTimeToLocalTime", - "MmGetSystemRoutineAddress", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoGetCurrentProcess", - "ObReferenceObjectByHandleWithTag", - "ObfDereferenceObject", - "ObfDereferenceObjectWithTag", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "MmGetPhysicalAddress", "MmIsAddressValid", - 
"PsGetProcessExitStatus", - "PsIsThreadTerminating", - "PsLookupProcessByProcessId", - "PsLookupThreadByThreadId", - "PsGetThreadProcess", - "PsIsSystemThread", - "ObOpenObjectByPointerWithTag", - "KeBugCheckEx" + "KeBugCheckEx", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "ExAllocatePool", + "DbgPrint", + "memset", + "RtlCopyUnicodeString", + "IoFreeMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "ExFreePoolWithTag", + "WRITE_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=guangdong, L=zhuhai, O=Zhuhai liancheng Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Zhuhai liancheng Technology Co., Ltd.", - "ValidFrom": "2013-02-04 00:00:00", - "ValidTo": "2014-02-04 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, 
CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "502fd3341b71cab45e302c7b586f9beefdce61639b7ccbaf643eb13bb29fcc6d5e37ba8f8af0b2d775216237d659088cbf124514ebe1fc6a663f20cbbd920afd64fbec463254a4e845cdb452b5768fcb2fb74e13043899381b57ce63419679395729d52fc8efbe19e08c5a4c6337eb910e048d30c2888718355460150ae33f20c8ea3724251dbe28d45de130843b462e11ff1ca90fb98e097b5f372b0aa1c5b2791897b4cf79cdbc02c5aca5a935a3ccf67fb67ef28390ed7913ee32e708869acbba27f24d6c7fc45b795b5e90c7200551babe0bae400343fc6fd75d36da7b5def7fde3a7f97519796d3bd14755a3adaa7cafcbe2cc24eb9a1a046ea8e05376d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", "ValidFrom": "2011-02-22 19:25:17", "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "627dfdf73a1455de5143a270799e6b7b", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "prokiller64.sys" - ] - }, - { - "Id": "f4990bdd-8821-4a3c-a11a-4651e645810c", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create IOMap64.sys binPath=C:\\windows\\temp\\IOMap64.sys type=kernel && sc.exe start IOMap64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "IOMap64.sys", - "MD5": "a01c412699b6f21645b2885c2bae4454", - "SHA1": "2fc6845047abcf2a918fce89ab99e4955d08e72c", - "SHA256": 
"ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "ASUSTeK Computer Inc.", - "Description": "ASUS Kernel Mode Driver for NT ", - "Product": "ASUS Kernel Mode Driver for NT ", - "ProductVersion": "1.00", - "FileVersion": "1.00", - "MachineType": "AMD64", - "OriginalFilename": "IOMap.sys", + "FileName": "gdrv.sys", + "MD5": "043d5a1fc66662a3f91b8a9c027f9be9", + "SHA1": "3d8cc9123be74b31c597b0014c2a72090f0c44ef", + "SHA256": "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c", "Authentihash": { - "MD5": "3d840e2458fef30b0871bf1c13b060ff", - "SHA1": "63b773c3c8308ddfa783b318d0ea67724fa1dc2f", - "SHA256": "34b3acdeac5002880071f73b70aa3abd3a6facb9e281b5c93cc82a7a8a6d5cc1" + "MD5": "5029d92e78dd56446eae97c8acd56926", + "SHA1": "00e5f35b31d5bfd2745bb04909f1faf26abfcec0", + "SHA256": "12ae98c0f1d7209cffe3bc8be5b76aa1f4faba40af99a6dd299462cdd3820c94" }, - "InternalName": "IOMap.sys", - "Copyright": "Copyright 2010 ASUSTeK Computer Inc.", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.0.1.1", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeMutex", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmUnmapIoSpace", + "DbgPrint", + "ExAllocatePool", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", "MmMapIoSpace", - "PoStartNextPowerIrp", - "IofCompleteRequest", - "ExFreePoolWithTag", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", - "KeReleaseMutex", - "KeWaitForSingleObject", + "MmAllocateContiguousMemory", 
+ "MmFreeContiguousMemory", + "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmIsAddressValid", "KeBugCheckEx", - "IoDeleteSymbolicLink", - "PoCallDriver", - "ExAllocatePoolWithTag", - "HalTranslateBusAddress", - "KeStallExecutionProcessor" + "RtlCopyUnicodeString", + "IoFreeMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "ExFreePoolWithTag", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, 
Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "IOMap64.sys" - ] - }, - { - "Id": "2740a074-1e06-4f75-9c6a-dc57a3f85189", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create POORTRY1.sys 
binPath=C:\\windows\\temp\\POORTRY1.sys type=kernel && sc.exe start POORTRY1.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "POORTRY1.sys", - "MD5": "acac842a46f3501fe407b1db1b247a0b", - "SHA1": "31fac347aa26e92db4d8c9e1ba37a7c7a2234f08", - "SHA256": "575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": "3c55092900343d3d28564e2d34e7be2c", + "SHA1": "1a56614ea7d335c844b7fc6edd5feb59b8df7b55", + "SHA256": "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743", "Authentihash": { - "MD5": "887c566bdc8ed5231f45a37845d5ee89", - "SHA1": "e6ab2bbad89502d8985381b33d7351eb97cb2b78", - "SHA256": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb" + "MD5": "b661326f2405e4947bf879cc97f13438", + "SHA1": "c7e06ef18efee6d133c5014ef45d6657e1e36b90", + "SHA256": "c92d943a465e20f50bae8d46ea38b635d2da85ae4e34f0170fd6f451890c76d7" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.0.1.3", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "AMD64", "Imports": [ - 
"ntoskrnl.exe" + "ntoskrnl.exe", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", + "DbgPrint", + "ExAllocatePool", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", "RtlInitUnicodeString", - "IoDeleteDevice", - "IoCreateFile", - "RtlInitString", - "RtlFreeUnicodeString", - "ZwQueryDirectoryFile", "ZwClose", - "IofCompleteRequest", - "IoIsWdmVersionAvailable", - "IoCreateSymbolicLink", - "IoCreateDevice", - "DbgPrint", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "MmIsAddressValid", "KeBugCheckEx", - "__chkstk" + "RtlCopyUnicodeString", + "IoFreeMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "ObReferenceObjectByHandle", + "ExFreePoolWithTag", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services 
Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "POORTRY1.sys" - ] - }, - { - "Id": "f28231db-a876-422e-aa6a-70ee852a9555", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rtkiow8x64.sys binPath=C:\\windows\\temp\\rtkiow8x64.sys type=kernel && sc.exe start rtkiow8x64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "rtkiow8x64.sys", - "MD5": "b8b6686324f7aa77f570bc019ec214e6", - "SHA1": "6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403", - "SHA256": "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d", - "Signature": [ - "Realtek Semiconductor Corp.", - "DigiCert EV Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "Realtek ", - "Description": "Realtek IO Driver", - "Product": "Realtek IO Driver ", - "ProductVersion": "1.008.0823.2017", - "FileVersion": "1.008.0823.2017", - 
"MachineType": "AMD64", - "OriginalFilename": "rtkiow8x64.sys ", + "FileName": "gdrv.sys", + "MD5": "7907e14f9bcf3a4689c9a74a1a873cb6", + "SHA1": "b9b72a5be3871ddc0446bae35548ea176c4ea613", + "SHA256": "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229", "Authentihash": { - "MD5": "d2914b13c253d24728fade34df3d91df", - "SHA1": "fa7fbb04748088557085ef3060b5fdb65a7b6b10", - "SHA256": "ed68f30f8246730c2b57495ed1db1480350d879b01d070999d35f38630865f5c" + "MD5": "b4709bbd5e329d55130e0db781afc89c", + "SHA1": "b483cdd20bb24ed9a20f4168628b7053b04ebb93", + "SHA256": "bb0063e65c44da66d705d25121af09b641070219c174f5d83e288ba8fe59e46f" }, - "InternalName": "rtkiow8x64.sys ", - "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. ", + "Description": "GIGABYTE Tools", + "Company": "Windows (R) Server 2003 DDK provider", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "5.2.3790.1830 built by: WinDDK", + "Product": "Windows (R) Server 2003 DDK driver", + "ProductVersion": "5.2.3790.1830", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KfRaiseIrql", - "MmMapIoSpace", - "MmUnmapIoSpace", - "RtlInitUnicodeString", - "MmGetSystemRoutineAddress", - "RtlCompareMemory", - "KeSetSystemAffinityThreadEx", - "KeQueryActiveProcessors", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExCreateCallback", - "ExRegisterCallback", - "ExUnregisterCallback", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "KeLowerIrql", - "IoAllocateMdl", - "IofCompleteRequest", "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", + "RtlInitUnicodeString", + "DbgPrint", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoRegisterShutdownNotification", - "IoUnregisterShutdownNotification", - "IoWMIRegistrationControl", - "ObfDereferenceObject", + "MmUnmapIoSpace", + "MmMapIoSpace", "ZwClose", - "ZwOpenKey", - "ZwQueryValueKey", - "__C_specific_handler", - "MmUnmapLockedPages", - "_vsnprintf", - "KeStallExecutionProcessor" + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "IoCreateSymbolicLink", + "KeReleaseInStackQueuedSpinLock", + "KeAcquireInStackQueuedSpinLock", + "MmFreeContiguousMemory", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmGetPhysicalAddress", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "ZwOpenSection", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2016-06-13 00:00:00", - "ValidTo": "2019-01-24 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification 
Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", + "ValidFrom": "2007-10-02 00:00:00", + "ValidTo": "2010-10-18 23:59:59", + "Signature": "5c404cbb1176300b3b0f2b98924c5be7571d28c8e8086cea2fe21a4d3687b441facd3aec26e2722d2d4dabac900ab1158ad7b53edc2a3678743ae411eeb48e00560ce2e49a4954a5d3223cbb3fbcb6f19185ea33ac10f5c96fc80593236a3512ad98599c931486810fd0ca98df4c75fcdd6d69aceb0d6f755c74d4779ed39cc17946fc61e7a17bee5e5bc46220509aea779cc200315bfb778edc11429dc9763a4a3c7a04346ed759ef357c4744088ac9f4f949e783b42eec05b777c3629b718e0766c5ac956b0f67834009d3e0d171da24ee6b151d7bb40cf9f8e6f1e1a08fe2ec1fb101b766ec261c0ce6f98de3fb452a81a57bb0b72a44c06a01f199a8143d", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0320be3eb866526927f999b97b04346e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "720ef3aaa1a44f7d0717a805c290c378", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "rtkiow8x64.sys" - ] - }, - { - "Id": "974de971-1f78-47b9-8049-6c34f294acd5", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create bwrsh.sys binPath=C:\\windows\\temp\\bwrsh.sys type=kernel 
&& sc.exe start bwrsh.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "bwrsh.sys", - "SHA256": "37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "bwrsh.sys" - ] - }, - { - "Id": "2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create sfdrvx32.sys binPath=C:\\windows\\temp\\sfdrvx32.sys type=kernel && sc.exe start sfdrvx32.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "sfdrvx32.sys", - "MD5": "9f70cd5edcc4efc48ae21e04fb03be9d", - "SHA1": "42bb38b0b93d83b62fe2604b154ada9314c98df7", - "SHA256": "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b", + "FileName": "gdrv.sys", + "MD5": "a72e10ecea2fdeb8b9d4f45d0294086b", + "SHA1": "4692730f6b56eeb0399460c72ade8a15ddd43a62", + "SHA256": "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097", "Authentihash": { - "MD5": 
"b67247d2d35a3ff9c8ba26d4eeb0d40f", - "SHA1": "e838b0bb0ebbe76e5f53ba6e508b71c7f077f3af", - "SHA256": "f9fead3227d5cf7daf8c5312db672bc7a684e2216b2f48ff2fcd14493bc9c254" + "MD5": "8e9f3d61eaa5d5df8ac92c3c89eb7347", + "SHA1": "c1b7be5e37f29ee8114b701f88d68748f196c530", + "SHA256": "b213524b22aadcc273142c4b8afc2a6219d6b8b7cab4b41adf9944efb8f46005" }, - "Description": "Speed Fan x32 Driver", - "Company": "Almico Software", - "InternalName": "sfdrvx32.sys", - "OriginalFilename": "sfdrvx32.sys", - "FileVersion": "X4.43.04", - "Product": "Speed Fan", - "ProductVersion": "X4.43.04", - "Copyright": "Copyright © Almico Software 2001-2010", - "MachineType": "I386", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.0.0.5", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", "DbgPrint", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "ExFreePoolWithTag", - "ObfDereferenceObject", - "PsGetVersion", - "MmGetSystemRoutineAddress", + "ExAllocatePool", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", "RtlInitUnicodeString", - "RtlQueryRegistryValues", - "ExAllocatePoolWithTag", - "ObfReferenceObject", - "IoGetDeviceObjectPointer", - "IoCancelIrp", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "KeBugCheckEx", + "RtlCopyUnicodeString", + "IoFreeMdl", "MmUnmapIoSpace", - "MmMapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", 
- "RtlUnwind", - "KeBugCheckEx" + "MmUnmapLockedPages", + "ObReferenceObjectByHandle", + "ExFreePoolWithTag", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { 
@@ -25418,143 +10621,135 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, 
Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.", - "ValidFrom": "2010-02-06 00:00:00", - "ValidTo": "2011-02-11 23:59:59", - "Signature": "4af5c78740fff4400227bf9855994728dc50952f5fbfca91e51daf991c11699fc4471de9aba215c56b166966a7a7faa933de560a7dc2f747b5050d8d21c2f49c7c44e40378b8b0cfe243eb0ca6a44afdda2d830de6e4a4402aafd96af9e0370dde4aa7076d2eec26e7f63a89ee80a6fa37b733dd9cfc107289ea7a37b0247922ca9f2da216ac3763e36358035284a87f9ca3207c0a1d56e972466efbefcca77179787c990266e4773c686ebe44c3e865280b1c9410d711bf4af210c4af8d606602a2616bc4ef864a4873d0b315a3e8a4b8d621295a37b6e51d79511656dbcadb92c59816dc1be44536352d1a6eec740ed3be6d988d8eed2419498fcb5ffe2a44", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Private Organization, serialNumber=22044755, C=TW, ST=Taiwan, L=New Taipei, O=GIGA,BYTE TECHNOLOGY CO., LTD., OU=Quality Validation Department II, CN=GIGA,BYTE TECHNOLOGY CO., LTD.", + "ValidFrom": "2015-11-25 00:00:00", + "ValidTo": "2018-11-24 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": 
"202ed4a0a58d3214998c9a2bed089580", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "47547865fbe14ca43b8231902649d74d", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "sfdrvx32.sys" - ] - }, - { - "Id": "cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create magdrvamd64.sys binPath=C:\\windows\\temp\\magdrvamd64.sys type=kernel && sc.exe start magdrvamd64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "magdrvamd64.sys", - "MD5": "49938383844ceec33dba794fb751c9a5", - "SHA1": "e22495d92ac3dcae5eeb1980549a9ead8155f98a", - "SHA256": "be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57", - "Signature": [ - "Samsung Electronics Co., Ltd.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": "31f34de4374a6ed0e70a022a0efa2570", + "SHA1": "c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860", + "SHA256": "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38", "Authentihash": { - "MD5": "4bc9c678b740fdbb6da3da4af3444c09", - "SHA1": "592989e3e6942baf38127b50e39dd732b323a92d", - "SHA256": 
"911e01544557544de4ad59b374f1234513821c50a00c7afa62a8fcca07385b2f" + "MD5": "b18b1bff521337695d2d6a0768340252", + "SHA1": "0f5034fcf5b34be22a72d2ecc29e348e93b6f00f", + "SHA256": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGABYTE Tools", + "Company": "Windows (R) Server 2003 DDK provider", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "5.2.3790.1830 built by: WinDDK", + "Product": "Windows (R) Server 2003 DDK driver", + "ProductVersion": "5.2.3790.1830", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "NTOSKRNL.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "IoCreateSymbolicLink", "IoCreateDevice", "RtlInitUnicodeString", - "IofCompleteRequest", + "DbgPrint", "IoDeleteSymbolicLink", + "ExFreePoolWithTag", "MmUnmapIoSpace", - "MmMapIoSpace" + "IoFreeMdl", + "MmUnmapLockedPages", + "MmMapIoSpace", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoCreateSymbolicLink", + "KeAcquireInStackQueuedSpinLock", + "MmFreeContiguousMemory", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmGetPhysicalAddress", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ZwUnmapViewOfSection", + "KeReleaseInStackQueuedSpinLock", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", + "ValidFrom": "2016-03-16 00:00:00", + "ValidTo": 
"2024-03-16 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2010-05-10 00:00:00", - "ValidTo": "2015-05-10 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=KR, ST=Gyeonggi,Do / Korea, L=Hwasung,City, O=Samsung Electronics Co., Ltd., CN=Samsung Electronics Co., Ltd.", - "ValidFrom": "2012-10-09 11:25:07", - "ValidTo": "2015-10-10 11:25:07", - "Signature": "5fe3fc15d97d52d4b48417db069212fa1633b7b9d3b12f086f330cdcd18fd0e14f2a1a4ef4671d0be6f2a8608f47615d05c2f84aeb9efb68fcef3494fd8fdb25103da6d421066123c28af746358c1c8ea787b109fba16d159f1f3c654d92ce1f973e808267c2af6ed5f0cef0b5e749576fcfb38b8899fc9bdc7ba713f489a654d3564d82dbe16f0f2938dbf7edeade05fa9869ab6c642d37d93a7823e886cc308fbad46e0a9e76f6850d6b3edcd28402371bb2f53d062fb675ae2480602309b360b6ed1069a8fed7491ef01bda5e99db1f44fd87bf20f1518393d6b8836e19e0593da3b88e6548bb65600df0f9edea73414ad49ec400ab03445a9645f8e1025c", + "Subject": "C=CN, ST=?????????, L=?????????, O=????????????????????????????????????, CN=????????????????????????????????????", + "ValidFrom": "2020-01-02 07:05:30", + "ValidTo": "2021-01-02 03:42:16", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -25563,160 +10758,115 @@ "ValidTo": "2021-04-15 20:05:08", "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121d54c6060d0acf70c52ceac844116f169", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0f05d43d469ef74a803e0b3c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" } ] } ] - } - ], - "Tags": [ - "magdrvamd64.sys" - ] - }, - { - "Id": "7437388f-821e-421f-a3c1-62ce2c725a6a", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create windows8-10-32.sys binPath=C:\\windows\\temp\\windows8-10-32.sys type=kernel type=kernel && sc.exe start windows8-10-32.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "windows8-10-32.sys", - "SHA256": "5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "windows8-10-32.sys" - ] - }, - { - "Id": "b745b5da-9cd6-4b3a-badf-fbe487497705", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create WINIODrv.sys binPath=C:\\windows\\temp\\WINIODrv.sys type=kernel && sc.exe start WINIODrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "WINIODrv.sys", - "MD5": "a86150f2e29b35369afa2cafd7aa9764", - "SHA1": "460008b1ffd31792a6deadfa6280fb2a30c8a5d2", - "SHA256": "3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099", - "Signature": [ - "Partner Tech(Shanghai)Co.,Ltd", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": "4e093256b034925ecd6b29473ff16858", + "SHA1": "eba5483bb47ec6ff51d91a9bdf1eee3b6344493d", + "SHA256": "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0", "Authentihash": { - "MD5": "83510d09c4d0f9f56c0d6caf40ee63cb", - "SHA1": "40cc2318ffffd458023c8cd1e285a5ad51adf538", - "SHA256": "b3cbb2b364a494f096e68dc48cca89799ed27e6b97b17633036e363a98fd4421" + "MD5": "ce38d9daee9b1de9c5fbaac0e6932ed3", + "SHA1": "025656c5696aa4834b4d32149a93176cf0322854", + "SHA256": "35b1fdfa5cc9bb4a0d6e148140d59351447fa35c5c899e95da5f62a6b054af56" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.1.0.1", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "AMD64", "Imports": [ 
"ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "IofCompleteRequest", + "DbgPrint", + "ExAllocatePool", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "RtlInitUnicodeString", "ZwClose", "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "ObfDereferenceObject", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "MmGetPhysicalAddress", + "MmIsAddressValid", + "IoFreeMdl", + "KeBugCheckEx", + "RtlCopyUnicodeString", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "ObReferenceObjectByHandle", + "ExFreePoolWithTag", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=SG, 
O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", - "ValidFrom": "2013-07-29 00:00:00", - "ValidTo": "2014-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", 
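Review bot: The new sample records use the key `"FileName"` (e.g. `"FileName": "gdrv.sys"` right after the Signer block), while the records this commit leaves in place, and the `viragt.sys` entry added in the last hunk, still use `"Filename"`, so a consumer that decodes this file into a struct with a single field tag will silently get an empty filename for whichever spelling it does not declare. Hash fields are unaffected, but any name-based lookup or display over this dataset becomes inconsistent. If this copy mirrors the upstream export unchanged, the fix belongs upstream; otherwise normalise the key when the file is loaded (accept both spellings, emit one). The same hunk also adds the "DigiCert SHA2 Assured ID Timestamping CA" certificate twice with identical validity dates, which looks like an export artifact rather than two distinct certificates and is worth deduplicating if the certificate list is ever used for matching.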
@@ -25724,73 +10874,66 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] }, { - "Filename": "WINIODrv.sys", - "MD5": "ad22a7b010de6f9c6f39c350a471a440", - "SHA1": "738b7918d85e5cb4395df9e3f6fc94ddad90e939", - "SHA256": "7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c", - "Signature": [ - "Partner Tech(Shanghai)Co.,Ltd", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": 
"1549e6cbce408acaddeb4d24796f2eaf", + "SHA1": "18f09ec53f0b7d2b1ab64949157e0e84628d0f0a", + "SHA256": "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2", "Authentihash": { - "MD5": "792b743c370ad28281edd4801b22a31e", - "SHA1": "80ca9c9cce4b5e6afb92a56b5bfd954eca0ff690", - "SHA256": "9199979b9f3ea2108299d028373a6effcc41c81a46eecb430cc6653211d2913d" + "MD5": "9524a8cc0f1ce8a124e88f31c917c89d", + "SHA1": "8d6286e5d3e1558f6870bf1c4343da8a1d77aef3", + "SHA256": "3ede3c99d8a049232cd6baae9d44518a73c19d93230a1d320407a3fc2f506569" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGA-BYTE NonPnP Driver", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "1.0.0.1", + "Product": "GIGA-BYTE Software driver", + "ProductVersion": "1.0.0.1", + "Copyright": "Copyright (C) 2017", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "IofCompleteRequest", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ObfDereferenceObject", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "DbgPrint", + "ExAllocatePool", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "KeBugCheckEx", + "RtlCopyUnicodeString", + "IoFreeMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "ExFreePoolWithTag", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
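Review bot: `"CertificatesInfo"` changes type here from the string `""` to the array `[]`, so a decoder whose struct field was declared as a string for this key will now fail to unmarshal the record (or, with a strict decoder, the whole file). The same change appears in the neighbouring gdrv.sys hunks, which suggests the upstream export was normalised to the array form, but that also means any record left with the old `""` form becomes the one that breaks. Either pin the field to the array form and verify the entire file still decodes, or decode it into an untyped value if the project does not consume it.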
@@ -25808,11 +10951,18 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", - "ValidFrom": "2013-07-29 00:00:00", - "ValidTo": "2014-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", + "ValidFrom": "2018-12-07 00:00:00", + "ValidTo": "2021-12-06 23:59:59", + "Signature": "502fd3341b71cab45e302c7b586f9beefdce61639b7ccbaf643eb13bb29fcc6d5e37ba8f8af0b2d775216237d659088cbf124514ebe1fc6a663f20cbbd920afd64fbec463254a4e845cdb452b5768fcb2fb74e13043899381b57ce63419679395729d52fc8efbe19e08c5a4c6337eb910e048d30c2888718355460150ae33f20c8ea3724251dbe28d45de130843b462e11ff1ca90fb98e097b5f372b0aa1c5b2791897b4cf79cdbc02c5aca5a935a3ccf67fb67ef28390ed7913ee32e708869acbba27f24d6c7fc45b795b5e90c7200551babe0bae400343fc6fd75d36da7b5def7fde3a7f97519796d3bd14755a3adaa7cafcbe2cc24eb9a1a046ea8e05376d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", 
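Review bot: The certificate subject added here, `??=TW, ??=?????????, ??=NEW TAIPEI, ...`, has lost both its attribute type names and its non-ASCII attribute values to `?` replacement, so the string no longer identifies the certificate and cannot be matched against a real signer DN. The same lossy encoding appears in the GIGA-BYTE subjects of the earlier gdrv.sys hunks, and across the file hyphens in DNs appear to have been rewritten to commas (`GlobalSign nv,sa`, `GIGA,BYTE`, `2009,2 CA`), which also makes splitting a subject on `,` unreliable. This looks like an export that decoded the DN without UTF-8 and without a dotted-OID fallback for unknown attributes; if the project only matches on the hash fields this is cosmetic, but the subject strings should then be treated as display-only rather than as a usable signer identity.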
@@ -25820,73 +10970,77 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] }, { - "Filename": "WINIODrv.sys", - "MD5": "0761c357aed5f591142edaefdf0c89c8", - "SHA1": "43419df1f9a07430a18c5f3b3cc74de621be0f8e", - "SHA256": "c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e", - "Signature": [ - "Partner Tech(Shanghai)Co.,Ltd", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "gdrv.sys", + "MD5": 
"c832a4313ff082258240b61b88efa025", + "SHA1": "1f1ce28c10453acbc9d3844b4604c59c0ab0ad46", + "SHA256": "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b", "Authentihash": { - "MD5": "b2fc995c9a92965a53437c30b53d7096", - "SHA1": "c21043466942961203e751c9cebcd159e661fa1a", - "SHA256": "961012d06eeaabd9eff9b36173e566bf148a5c8f743f3329c70d8918eba26093" + "MD5": "1c0c9b05800e86e0e1d158e0b44d4b99", + "SHA1": "a2c4f33de0b2ebb8a505f97697d550ccb3f7b114", + "SHA256": "b5433ec27586bdd8d2ef606f9212d8ed75ae3ae2e201a1acaf325d9b12239df8" }, - "InternalName": "", - "Copyright": "", + "Description": "GIGABYTE Tools", + "Company": "Windows (R) 2000 DDK provider", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": "5.00.2195.1620", + "Product": "Windows (R) 2000 DDK driver", + "ProductVersion": "5.00.2195.1620", + "Copyright": "Copyright (C) Microsoft Corp. 1981-1999", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", + "MmMapIoSpace", "IofCompleteRequest", + "ExFreePool", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmUnmapLockedPages", + "ZwUnmapViewOfSection", + "IoDeleteSymbolicLink", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPages", + "ExAllocatePoolWithTag", "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoCreateDevice", + "IoCreateSymbolicLink", + "DbgPrint", + "IoDeleteDevice", + "KfReleaseSpinLock", + "HalTranslateBusAddress", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "KfAcquireSpinLock" ], "Signatures": [ { - "CertificatesInfo": "", + 
"CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -25904,80 +11058,54 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", - "ValidFrom": "2013-07-29 00:00:00", - "ValidTo": "2014-07-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", + "ValidFrom": "2010-08-23 00:00:00", + "ValidTo": "2013-10-17 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "248472542c24ab8e429229acf121ca26", + "Issuer": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "WINIODrv.sys" - ] - }, - { - "Id": "16d8962b-cf96-432f-8a43-d41f06828f56", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create cpuz.sys binPath=C:\\windows\\temp\\cpuz.sys type=kernel && sc.exe start cpuz.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "cpuz.sys", - "MD5": "a89ca92145fc330adced0dd005421183", - "SHA1": "e33eac9d3b9b5c0db3db096332f059bf315a2343", - "SHA256": "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f", + "FileName": "gdrv.sys", + "MD5": "d556cb79967e92b5cc69686d16c1d846", + "SHA1": "de2b56ef7a30a4697e9c4cdcae0fc215d45d061d", + "SHA256": "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b", "Authentihash": { - "MD5": "d9d45430dc3fb1c7154c109f9d85d70e", - "SHA1": "4f52e85725556496f9102bba0fdf9d13f721c675", - "SHA256": "90f5962e6b2342eae05dc8f4c34d5291742537248587ccf6ac298691806a4517" + "MD5": "906258ee90744ed1307ba969a1c8722e", + "SHA1": "2b94ace70d946caa1fed6c8f97f2fafdb45d6c54", + "SHA256": "1251eef40b877fd379c175c02bb83e230fa5acd30020e54acc0718ab326818b3" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", + "Description": "GIGABYTE Tools", + "Company": "Windows (R) 2000 DDK provider", + "InternalName": "gdrv.sys", + "OriginalFilename": "gdrv.sys", + "FileVersion": 
"5.00.2195.1620", + "Product": "Windows (R) 2000 DDK driver", + "ProductVersion": "5.00.2195.1620", + "Copyright": "Copyright (C) Microsoft Corp. 1981-1999", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -25985,41 +11113,30 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", - "MmUnmapIoSpace", - "MmMapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmUnmapIoSpace", "DbgPrint", - "RtlUnwind", - "KeTickCount", - "KeBugCheckEx", - "RtlInitUnicodeString", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "RtlInitUnicodeString", + "IoCreateDevice", + "IoCreateSymbolicLink", + "MmMapIoSpace", "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlInitAnsiString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", + "KfReleaseSpinLock", + "HalTranslateBusAddress", "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "WRITE_PORT_USHORT", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "KfAcquireSpinLock" ], "Signatures": [ { 
@@ -26027,10 +11144,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -26041,10 +11158,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -26055,106 +11172,229 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", + "ValidFrom": "2007-10-02 00:00:00", + "ValidTo": "2010-10-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "720ef3aaa1a44f7d0717a805c290c378", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "gdrv.sys" + ], + "yara": true + }, + { + "Id": "39742f99-2180-46d7-8538-56667c935cc3", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create viragt.sys binPath=C:\\windows\\temp\\viragt.sys type=kernel && sc.exe start viragt.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": 
"kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53.yara" }, { - "FileName": "cpuz.sys", - "MD5": "26ce59f9fc8639fd7fed53ce3b785015", - "SHA1": "2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1", - "SHA256": "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "viragt.sys", + "MD5": "e79c91c27df3eaf82fb7bd1280172517", + "SHA1": "cb22723faa5ae2809476e5c5e9b9a597b26cab9b", + "SHA256": "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53", + "Signature": [ + "TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "TG Soft S.a.s.", + "Description": "VirIT Agent System", + "Product": "VirIT Agent System", + "ProductVersion": "1, 72, 0, 0", + "FileVersion": "1, 72, 0, 0", + "MachineType": "I386", + "OriginalFilename": "viragt.sys", "Authentihash": { - "MD5": "0fef96c1d46145af32eb6993faa6e496", - "SHA1": "4d26356a4a48d492b00845a7ac1bb27a92f95871", - "SHA256": "0aa61910c3ceb765441c35925a50983b2571ac22da510f1495cf82f078b535b6" + "MD5": "333822355a23fbdfb2599a909b3bbc60", + "SHA1": "72886a692656ebe64592a43273d3f59432cfbf9a", + "SHA256": "9f86fc8a6eaa3b38f33be4a0d552c184e575afa50a60df7383c06a394e3926d8" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "I386", + "InternalName": "viragt.sys", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2013 - www.tgsoft.it", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", "MmIsAddressValid", - "IoGetDeviceObjectPointer", - "MmUnmapIoSpace", - "RtlInitAnsiString", - "MmMapIoSpace", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "strstr", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "memcpy", "IoCreateSymbolicLink", "IoCreateDevice", - "RtlUnwind", + "PsCreateSystemThread", + "KeInitializeMutex", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "RtlUnicodeStringToAnsiString", + "ZwQueryDirectoryObject", + "IoFileObjectType", + "swprintf", + "DbgPrint", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + "RtlCompareMemory", + 
"IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", "KeTickCount", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "READ_PORT_USHORT", + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", "READ_PORT_ULONG", "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time 
Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -26172,10 +11412,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", + "ValidFrom": "2012-12-31 00:00:00", + "ValidTo": "2016-02-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
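Review bot: `CertificatesInfo` changes type in the new data — the removed line is `"CertificatesInfo": [],` and the added line is `"CertificatesInfo": "",` (in the `Signatures` object of the `viragt.sys` sample here, and again in the following hunk for `Mhyprot2.sys`, `otipcibus.sys` and `Dh_Kernel.sys`) — so a consumer that decodes this field into a slice will now fail on the whole file; either the decoding struct should be updated in the same commit or the field should keep a single type. The same hunk renames `FileName` to `Filename` (tolerated by case-insensitive decoders such as Go's encoding/json, not by strict ones) and ships `Resources` entries with a leading space next to a duplicate of the trimmed value, `" https://github.com/elastic/protections-artifacts/search?q=VulnDriver"`, which defeats any exact-match or dedup on the URL. `Verified` is the string `"TRUE"`/`"FALSE"` while `yara` is a JSON boolean in the same record; if this file is post-processed rather than copied verbatim from upstream, normalizing `Verified` to a boolean would remove one source of parsing mistakes. If it is a verbatim vendored copy, these are points for the import step (trim and dedup `Resources`, pin the `CertificatesInfo` type) rather than for hand edits to the file.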
@@ -26188,388 +11428,645 @@ ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", + "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "viragt.sys" + ], + "yara": true + }, + { + "Id": "d1624a73-55e0-43f6-8d2d-f4f791ef1bff", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Mhyprot2.sys binPath=C:\\windows\\temp\\Mhyprot2.sys type=kernel && sc.exe start Mhyprot2.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "cpuz.sys", - "MD5": "75dbd5db9892d7451d0429bec1aabe1a", - "SHA1": "c05df2e56e05b97e3ca8c6a61865cae722ed3066", - "SHA256": "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758", + "Filename": "Mhyprot2.sys", + "MD5": "4b817d0e7714b9d43db43ae4a22a161e", + "SHA1": "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3", + "SHA256": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6", + "Signature": [ + "miHoYo Co.,Ltd.", + "DigiCert Assured ID Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "dfb8cce9246e17f356504802d14d019d", - "SHA1": "189bedcea5ec5bfc724ff44b4b44958dc450c7db", - "SHA256": "4b5aecfecf26145aadd23f96a1cdfae0bca4e53af215d4bd77bba5dcc5a4479b" + "MD5": "ff295de93e6b6dcc3938d50901a7240d", + 
"SHA1": "484c72dd4fd91083b249f3ccc733a3c8335e583f", + "SHA256": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", + "NtQuerySystemInformation", "RtlInitUnicodeString", + "ExAllocatePool", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", + "IoDeleteSymbolicLink", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", "RtlFreeUnicodeString", "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", - "IofCompleteRequest", + "ZwClose", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", + "__C_specific_handler", + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "ZwQueryVirtualMemory", + "MmProbeAndLockPages", + "PsLookupProcessByProcessId", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoGetCurrentProcess", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", 
+ "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", + "DbgPrint", + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", + "KeInitializeEvent", + "RtlCopyUnicodeString", "ObfDereferenceObject", - "IoCreateDevice", - "IofCallDriver", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmBuildMdlForNonPagedPool", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "46a5e6f6c38a63b314f7e2677bb86d4bcd7839eef8e006048ddd58c6783ff0657456e61c800efb31966c611f7ca7d1de1785e006e3f4c0b24cb652842e42cbae016320a774724537fc30e8f09895fdb626daa26b5740c7538aa1df1f97dcab12c3a743c2048f6c9a754f66189ac0f21544399798fb780cd347c9cac0443c8d778736938e17cdd5eca8a2338d8171efd61e13c868dff862da9df4ca8c653a227e0971030aa7e6b44dc2199d1ebd9cae00c6f0a3e91bb883cc509fb297902ba5c13e5826071d92178ace51f1a0653b0445cf7ba17226401c92d7db4f67a37d1243f9094ad5f32873891ea5004a8cbfec77129d4955e344492aaee456f852001ded", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", + "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "Mhyprot2.sys" + ], + "yara": false + }, + { + "Id": "17cf4fac-88f1-467d-9f62-481d33accc5b", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create otipcibus.sys binPath=C:\\windows\\temp\\otipcibus.sys type=kernel && sc.exe start otipcibus.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80.yara" }, { - "FileName": "cpuz.sys", - "MD5": "fe820a5f99b092c3660762c6fc6c64e0", - "SHA1": "fad8e308f6d2e6a9cfaf9e6189335126a3c69acb", - "SHA256": "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "otipcibus.sys", + "MD5": "d5a642329cce4df94b8dc1ba9660ae34", + "SHA1": "ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308", + "SHA256": "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80", + "Signature": [ + "Ours Technology Inc.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "OTi", + "Description": "Hardware Access Driver", + "Product": "Kernel Mode Driver To Access Physical Memory And Ports", + "ProductVersion": "1.1000.0.1", + "FileVersion": "1.1000.0.1", + "MachineType": "AMD64", + "OriginalFilename": "otipcibus64.sys", "Authentihash": { - "MD5": "97861c7d308c22f4db08d08ce912fced", - "SHA1": 
"368c63d2f393ef65f8107d175174e9eaa13d993e", - "SHA256": "3966d4b1e4f5442b8507f91b6dbde3523657b47fd2945d990249605727d231ec" + "MD5": "0fc8a346a333624a7b6645da7a1b6b8b", + "SHA1": "fd172c7f8bdc81988fcf1642881078a8ca8415f6", + "SHA256": "1cda1a6e33d14d5dd06344425102bf840f8149e817ecfb01c59a2190d3367024" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2012 CPUID", - "MachineType": "AMD64", + "InternalName": "otipcibus64.sys", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", + "ExAllocatePool", "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPages", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + "RtlInitUnicodeString", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", "IoCreateDevice", - "IofCallDriver", - "KeBugCheckEx", + "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "RtlCopyUnicodeString", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeWaitForSingleObject", + "IoAllocateMdl", + "KeInitializeEvent", + "WdfVersionBindClass", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + 
"CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + 
"Subject": "C=TW, ST=Hsingchu Hsien, L=Hsinchu County, O=Ours Technology Inc., CN=Ours Technology Inc.", + "ValidFrom": "2018-07-09 00:00:00", + "ValidTo": "2019-09-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "3d5fc3a4d1a54cf40abf37864a5effe7", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] + } + ], + "Tags": [ + "otipcibus.sys" + ], + "yara": true + }, + { + "Id": "43d0af25-c066-471f-bb73-6ce25dc7e0eb", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Dh_Kernel.sys binPath=C:\\windows\\temp\\Dh_Kernel.sys type=kernel && sc.exe start Dh_Kernel.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955.yara" }, { - "FileName": "cpuz.sys", - "MD5": "262969a3fab32b9e17e63e2d17a57744", - "SHA1": "363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8", - "SHA256": "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + 
"type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Dh_Kernel.sys", + "MD5": "98763a3dee3cf03de334f00f95fc071a", + "SHA1": "745bad097052134548fe159f158c04be5616afc2", + "SHA256": "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955", + "Signature": [ + "YY Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "YY Inc.", + "Company": "YY Inc.", + "Description": "dianhu", + "Product": "dianhu", + "ProductVersion": "1.0.99", + "FileVersion": "1.0.99", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "7c8e917e5adba8b20bea898d4b966c6c", - "SHA1": "570496ebc3c4010b48c3703652fdfcb60352798b", - "SHA256": "98c86fcf018822289340d248f5e2896c41ad0f284febb741b945312ff40bdfa3" + "MD5": "2d03bf608f236ee1f4654e06857a3062", + "SHA1": "508c1a26486188aa1268d6c23c65e57b8efe71f6", + "SHA256": "f5215f83138901ca7ade60c2222446fa3dd7e8900a745bd339f8a596cb29356c" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "Copyright © 2007-2017 YY Inc. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", "ExFreePoolWithTag", + "ProbeForRead", + "MmProbeAndLockPages", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "MmCreateMdl", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", "IoCreateDevice", - "IofCallDriver", - "KeBugCheckEx", + "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", + "IoFreeMdl", "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "MmIsAddressValid", + "KeAttachProcess", + "KeDetachProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsLookupProcessByProcessId", + "PsGetProcessSectionBaseAddress", + "KeBugCheckEx", + "__C_specific_handler", + "RtlCopyUnicodeString", + "ExAllocatePool", + "DbgPrintEx", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "_stricmp", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=CN, ST=Guangdong, L=Guangzhou, O=YY Inc., OU=PM, CN=YY Inc.", + "ValidFrom": "2015-07-17 00:00:00", + "ValidTo": "2018-10-15 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "53603f0f228be591521b9822ca852ad4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "Dh_Kernel.sys" + ], + "yara": true + }, + { + "Id": "2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create sfdrvx32.sys binPath=C:\\windows\\temp\\sfdrvx32.sys type=kernel && sc.exe start sfdrvx32.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b.yara" }, { - "FileName": "cpuz.sys", - "MD5": "17719a7f571d4cd08223f0b30f71b8b8", - "SHA1": "f9c916d163b85057414300ca214ebdf751172ecf", - "SHA256": "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + 
"KnownVulnerableSamples": [ + { + "FileName": "sfdrvx32.sys", + "MD5": "9f70cd5edcc4efc48ae21e04fb03be9d", + "SHA1": "42bb38b0b93d83b62fe2604b154ada9314c98df7", + "SHA256": "ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b", "Authentihash": { - "MD5": "93bf28533aa6e63dc8b80b998b0814af", - "SHA1": "413ed5609215f4a6cee3b7b357eb594902a817f5", - "SHA256": "1399e65aa55c898a6cd5fb32d4b19f5bbaf69c56c1383963c99b7a0804eb0203" + "MD5": "b67247d2d35a3ff9c8ba26d4eeb0d40f", + "SHA1": "e838b0bb0ebbe76e5f53ba6e508b71c7f077f3af", + "SHA256": "f9fead3227d5cf7daf8c5312db672bc7a684e2216b2f48ff2fcd14493bc9c254" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "Description": "Speed Fan x32 Driver", + "Company": "Almico Software", + "InternalName": "sfdrvx32.sys", + "OriginalFilename": "sfdrvx32.sys", + "FileVersion": "X4.43.04", + "Product": "Speed Fan", + "ProductVersion": "X4.43.04", + "Copyright": "Copyright © Almico Software 2001-2010", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "DbgPrint", + "IoDeleteSymbolicLink", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", + "ExFreePoolWithTag", "ObfDereferenceObject", - "IoCreateDevice", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "RtlQueryRegistryValues", + 
"ExAllocatePoolWithTag", + "ObfReferenceObject", + "IoGetDeviceObjectPointer", + "IoCancelIrp", + "KeWaitForSingleObject", "IofCallDriver", - "KeBugCheckEx", - "IoDeleteSymbolicLink", "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "MmUnmapIoSpace", "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "RtlUnwind", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -26591,17 +12088,17 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA",
- "ValidFrom": "2004-07-16 00:00:00",
- "ValidTo": "2014-07-15 23:59:59",
- "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
+ "ValidFrom": "2009-05-21 00:00:00",
+ "ValidTo": "2019-05-20 23:59:59",
+ "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID",
- "ValidFrom": "2009-02-02 00:00:00",
- "ValidTo": "2012-02-07 23:59:59",
- "Signature": "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",
+ "Subject": "C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.",
+ "ValidFrom": "2010-02-06 00:00:00",
+ "ValidTo": "2011-02-11 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -26614,69 +12111,99 @@ ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "202ed4a0a58d3214998c9a2bed089580", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - }, + } + ], + "Tags": [ + "sfdrvx32.sys" + ], + "yara": true + }, + { + "Id": "94eb0694-29ba-4f8e-b763-86c6371db6cc", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create winio64.sys binPath=C:\\windows\\temp\\winio64.sys type=kernel && sc.exe start winio64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "cpuz.sys", - "MD5": "21be10f66bb65c1d406407faa0b9ba95", - "SHA1": "86e59b17272a3e7d9976c980ded939bf8bf75069", - "SHA256": "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22", + "Filename": "winio64.sys", + "MD5": "97221e16e7a99a00592ca278c49ffbfc", + "SHA1": "943593e880b4d340f2548548e6e673ef6f61eed3", + "SHA256": "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf", + "Signature": [ + "Exacq Technologies, Inc.", + "StartCom Class 3 Primary Intermediate Object CA", + "StartCom Certification Authority" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + 
"OriginalFilename": "", "Authentihash": { - "MD5": "9328ac41d0afb80914780b9474c0bca0", - "SHA1": "e8f4f4e2a672d845d897f36646d8339597135050", - "SHA256": "c0ed71b491aec860932fe92e5527ef444d537b396186ac839d5ed0884cfcaf0c" + "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", + "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", + "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", - "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", "ObfDereferenceObject", - "IoCreateDevice", - "IofCallDriver", + "ZwClose", + "ZwOpenSection", + "ObReferenceObjectByHandle", + "ZwUnmapViewOfSection", "KeBugCheckEx", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "IoDeleteDevice", + "RtlCopyUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
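Review bot: The new side lets one key carry several JSON types: `"CertificatesInfo"` goes from `[]` to `""` in this hunk and again in the `@@ -26694` hunk, where one sample also has `"Signature": "N/A"` while its siblings carry an array of signer names, and the preceding hunk has a string-valued `"Commands"` next to object-valued ones elsewhere. A Go loader that decodes this snapshot into a struct with fixed field types will hit a `json.UnmarshalTypeError` on the first mismatched record, so the consumer in pkg/loldrivers presumably needs `json.RawMessage` or a custom `UnmarshalJSON` for these fields, or the data should be normalised before it is committed. The sample key is also spelled both `"Filename"` (this hunk) and `"FileName"` (earlier hunk); Go's case-insensitive field matching hides that, but a strict schema check would not, and such a check in CI over the imported snapshot would catch these drifts before they reach the driver-hash lookup.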
@@ -26694,209 +12221,185 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", + 
"ValidFrom": "2011-04-15 20:13:19", + "ValidTo": "2021-04-15 20:23:19", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA", + "ValidFrom": "2007-10-24 22:03:55", + "ValidTo": "2017-10-24 22:03:55", + "Signature": "b8eba5382cab9038cfbe906919952f964e48103545b043712eb90e670f618458ed651ae0d8515c96c4df69cafb62bf35ea4a6923f2f67f60db652925e8ba5ef9485920745c9998fa7ed74eaf43963b88880e81f1d0a6a9af1df5e73e045be8927b624a531d3b7aaf94a20502da0fada1a732166a1d5d88f1ddc5da7e91b00a53124ddbefcdea9f48dfbfb27c0192f9816379a06f0e97d99044a550b8874b5cd89ca27aad4b91f31174e6a82342d4265ca83d85a035ec5308ddb62d1c21c8484ac4c83ab06e2f43e6df64097586fe0e68d26354a066e49eefdb5c74a0a8dc40e97b67d63b3ed286d31621d1e13252a3e6c2e1637e74431abeec29ae56e11811fa650b37340eb44799f86fb4994ed235b04764b5fee9afb69a23c282c838b6d4a42e3421ce03ef4c3841502f0dad40c82827e9eb7c2bd1704e2c8818c87c3f24505dcb5354679fd7a109980b0b8b2169ba72a6127bb05a0e697cc706ba2c7a950f079463235657a5382a63c4206a9e84438fdad8d03fd07d9592132916c0d868cae5fe7598b6f410e17c309eb990292035e31c56b30afd86717cfbbc0b2e8c94e35469c4784d1e0af80f33b9e256d789841c9cdf6fc50b8f998351066b441d6f30bcbef93a190bccfae6bc223f3d5475b80a647f7f65bba29049c3f227f7bbb97eb7688782cd43ec6cacab29c7d040e2bb3a0218315077ae33b1a9a8c62d4570ff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", 
- "Signature": "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", + "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", + "ValidFrom": "2014-07-24 18:00:20", + "ValidTo": "2017-07-24 09:00:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0f69", + "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "4885e1bf1971c8fa9e7686fd5199f500", - "SHA1": "388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5", - "SHA256": "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43", + "Filename": "winio64.sys", + "MD5": "11fb599312cb1cf43ca5e879ed6fb71e", + "SHA1": "b4d014b5edd6e19ce0e8395a64faedf49688ecb5", + "SHA256": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "92c5a8d936bb2ef7802aaa15c877e866", - "SHA1": "340024982f9ad5c2722bab8cddec9d32f0efdc7c", - "SHA256": "313a69d8eea6a933cffac0fa67d46ad9aef0815bb579fce7623d9be825888e30" + "MD5": "198111fd73515aa7fe4387612f027f0f", + "SHA1": "651b953cb03928e41424ad59f21d4978d6f4952e", + "SHA256": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12" }, - "Description": "CPUID Driver", 
- "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2013 CPUID", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "ZwUnmapViewOfSection", + "ZwClose", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", "ObfDereferenceObject", "IoCreateDevice", - "IofCallDriver", + "RtlAssert", + "ZwOpenSection", + "DbgPrint", "KeBugCheckEx", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 
23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2017-10-05 17:44:16", + "ValidTo": "2018-10-05 
17:44:16", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 
Code Signing 2010 CA" + "SerialNumber": "330000001f9800c911029569be00000000001f", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - }, + } + ], + "Tags": [ + "winio64.sys" + ], + "yara": false + }, + { + "Id": "2c3884d3-9e4f-4519-b18b-0969612621bc", + "Author": "Nasreddine Bencherchali", + "Created": "2023-04-15", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create LgCoreTemp.sys binPath=C:\\windows\\temp\\LgCoreTemp.sys type=kernel && sc.exe start LgCoreTemp.sys", + "Description": "", + "Usecase": "Denial of Service", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/logitech_v.9.02.65_DoS" + ], + "Acknowledgement": { + "Person": "Paolo Stagno", + "Handle": "Void_Sec" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "cpuz.sys", - "MD5": "ab4ee84e09b09012ac86d3a875af9d43", - "SHA1": "3c81cdfd99d91c7c9de7921607be12233ed0dfd8", - "SHA256": "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486", + "Filename": "LgCoreTemp.sys", + "MD5": "2d7f1c02b94d6f0f3e10107e5ea8e141", + "SHA1": "471ca4b5bb5fe68543264dd52acb99fddd7b3c6d", + "SHA256": "93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131", + "Signature": "N/A", + "Date": "N/A", + "Publisher": "N/A", + "Company": "Logitech", + "Description": "CPU Core Temperature Monitor", + "Product": "LgCoreTemp", + "ProductVersion": "1.0.0.1", + "FileVersion": "1.0.0.1", + "MachineType": "AMD64", + "OriginalFilename": "LgCoreTemp.sys", "Authentihash": { - "MD5": "654f9a768f518e632c99309bd4c1145b", - "SHA1": "a5f086835d7c2883ad8d985772d02a9a8815bcbb", - "SHA256": "d4e93f592a8342b0eb582d24a114348ce40ecb3c1e7b238d731b02e17d5aae7d" + "MD5": "a4c810e750095e71c0288c1ce6669115", + "SHA1": 
"e05304325b24fc9f76c106de27ffbef2d7eb3315", + "SHA256": "7f0eef1ed4c1278372348cb52e27dc3aa2f51a8b6a62db39d2af75031e55a8db" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2012 CPUID", - "MachineType": "AMD64", + "InternalName": "LgCoreTemp.sys", + "Copyright": "Copyright © Logitech, Inc", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", - "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", "IoCreateDevice", - "IofCallDriver", - "KeBugCheckEx", + "KeSetSystemAffinityThread", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", + "__C_specific_handler", + "KeRevertToUserAffinityThread", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -26914,412 +12417,584 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Newark, O=Logitech, CN=Logitech", + "ValidFrom": "2015-04-16 00:00:00", + "ValidTo": "2017-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign 
Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6f20ba7d552fb9c436caf4cc7cbea4b3", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] + } + ], + "Tags": [ + "LgCoreTemp.sys" + ], + "yara": false + }, + { + "Id": "a7bba474-815f-49be-bddc-4d76a64c866c", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create NTIOLib.sys binPath=C:\\windows\\temp\\NTIOLib.sys type=kernel && sc.exe start NTIOLib.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a9706e320179993dade519a83061477ace195daa1b788662825484813001f526.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1.yara" }, { - "FileName": "cpuz.sys", - "MD5": "743c403d20a89db5ed84c874768b7119", - "SHA1": "dc8fa4648c674e3a7148dd8e8c35f668a3701a52", - "SHA256": "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "NTIOLib.sys", + "MD5": "6126065af2fc2639473d12ee3c0c198e", + "SHA1": "d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4", + "SHA256": "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.2", + "FileVersion": "1.0.0.2", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib_X64.sys", "Authentihash": { - "MD5": "4c2f42ab19a70ee6a2cb936329b34aff", - "SHA1": "742a9fc918c7bb2b1707412c703d7b7674ed1094", - "SHA256": "fd8d61102719afb0b8a230d9e8c372af3396bec4a6d72aada42a1f1d36187751" + "MD5": "fb5bbdd2bc73cd1f1f4bf727e6ddb137", + "SHA1": "918768712f37fe0f3092b2ea452906d06f189bb3", + "SHA256": "5b08a501124d13262c86889617071743521aeefc2d77f678d541aa8dbad52992" }, - "Description": "CPUID Driver", - "Company": 
"Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "I386", + "InternalName": "NTIOLib_X64.sys", + "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", - "IofCompleteRequest", + "MmUnmapIoSpace", "MmMapIoSpace", - "ProbeForWrite", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "KeTickCount", "KeBugCheckEx", - "MmUnmapIoSpace", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "RtlInitAnsiString", - "KeWaitForSingleObject", - "RtlUnwind", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 
09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "e0bfbdf3793ea2742c03f5a82cb305a5", - "SHA1": "a6a71fb4f91080aff2a3a42811b4bd86fb22168d", - "SHA256": "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e", + "Filename": "NTIOLib.sys", + "MD5": "c6f8983dd3d75640c072a8459b8fa55a", + "SHA1": "5e6ddd2b39a3de0016385cbd7aa50e49451e376d", + "SHA256": "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a85d9912baf9994b0fabf924f6a66e9b", - "SHA1": "04defcae6548e92ea76bd7069a672a7e1067b995", - "SHA256": "d1c71a98e10105faa0814fec3544474d86ae0e8f88efd77798a716adad3994a2" + "MD5": "b3f5d7d5ea5ddb56cae089ab780d2058", + "SHA1": "b648e51b784f071adbf9f53048e3765efb96ab8a", + "SHA256": "745273e1620bc657d2210ae1b5abb49f4f5928829f95c8ef01ce151bdbb4c32f" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - 
"Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoCreateDevice", - "IofCallDriver", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IoDeleteDevice", - "ProbeForWrite", + "MmUnmapIoSpace", "MmMapIoSpace", - "KeInitializeEvent", - "RtlInitAnsiString", "IofCompleteRequest", - "KeWaitForSingleObject", + "IoDeleteDevice", + "IoCreateDevice", "KeBugCheckEx", - "MmUnmapIoSpace", "RtlInitUnicodeString", - "PsGetVersion", - "RtlUnwindEx", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "22ca5fe8fb0e5e22e6fb0848108c03f4", - "SHA1": "bec66e0a4842048c25732f7ea2bbe989ea400abf", - "SHA256": 
"34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3", + "Filename": "NTIOLib.sys", + "MD5": "f7cbbb5eb263ec9a35a1042f52e82ca4", + "SHA1": "976777d39d73034df6b113dfce1aa6e1d00ffcfd", + "SHA256": "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "b1113bc5a8f67468ae6e0183c60be10a", - "SHA1": "bbea7d9b8672ca30c6a8f49e913f110720d4753c", - "SHA256": "55e3b977402be076bfafe332a3fb29ddb6b02edf932d02e963df09adbe89eb91" + "MD5": "63cc49f8ae8897706dec2444951c0414", + "SHA1": "ae69d3501e7fe1e2109998beed9da13f74e032c2", + "SHA256": "7334c46a55acf8bb18435ab60ed9b89f2c1ab31587ef052730358efc32fddb62" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2017 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", - "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time 
Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": 
"87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "3ab94fba7196e84a97e83b15f7bcb270", - "SHA1": "bea745b598dd957924d3465ebc04c5b830d5724f", - "SHA256": "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf", + "Filename": "NTIOLib.sys", + "MD5": "7ed6030f14e66e743241f2c1fa783e69", + "SHA1": "9c6749fc6c1127f8788bff70e0ce9062959637c9", + "SHA256": "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.3", + "FileVersion": "1.0.0.3", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", 
"Authentihash": { - "MD5": "96c15399e89e9bca402ed660f90e1b98", - "SHA1": "1b4335f92c6137f56c8f98e5b79fc7af67af2a24", - "SHA256": "55a69f740a77fc07073c3d077d029dfb2dbe4b673171167e7310bd857eb55982" + "MD5": "07744c410b3e3a459576524f1b522a88", + "SHA1": "bfa958230e3816f9879e16ec391e94b607f292e6", + "SHA256": "7af3585ca7c2dd65032fa48759a0124db2c5bbca5fc8caf8bb8f61fa5085149d" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2013 CPUID", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", "MmUnmapIoSpace", - "RtlInitAnsiString", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -27329,6 +13004,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -27337,100 +13019,77 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": 
"5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": 
"8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "e323413de3caec7f7730b43c551f26a0", - "SHA1": "f3c20ce4282587c920e9ff5da2150fac7858172e", - "SHA256": "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26", - "Authentihash": { - "MD5": "972f2ce8097eda301f27a53fcf2b9865", - "SHA1": "aba5185a6ebdb040c5e4b8b8eaa44382eb705aec", - "SHA256": "157ae92541eda2f5035435c63e1654adfa45c06e37b05cbb60d76a63daa93f04" - }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", + "Filename": "NTIOLib.sys", + "MD5": "3651a6990fe38711ebb285143f867a43", + "SHA1": "53acd4d9e7ba0b1056cf52af0d191f226eddf312", + "SHA256": "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + 
"Company": "MSI", + "Description": "NTIOLib_X64", + "Product": "NTIOLib_X64", + "ProductVersion": "1.0.0.1", + "FileVersion": "1.0.0.1", "MachineType": "AMD64", + "OriginalFilename": "NTIOLib_X64.sys", + "Authentihash": { + "MD5": "575bfa9a34097f8d19982dcdd9118094", + "SHA1": "9369dbe6e082a2af351daebeef1c464af33cc270", + "SHA256": "6f96c129eb96bc4df9a7d247a98fecb9a3801dde63281ac1aba3d2ef869d32a5" + }, + "InternalName": "NTIOLib_X64.sys", + "Copyright": "Copyright (C) 2014 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", "MmMapIoSpace", - "ExFreePoolWithTag", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "DbgPrintEx", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -27440,6 +13099,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -27448,103 +13114,84 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": 
"2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "c9c25778efe890baa4087e32937016a0", - "SHA1": "f4728f490d741b04b611164a7d997e34458e3a5e", - "SHA256": "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668", + "Filename": "NTIOLib.sys", + "MD5": "736c4b85ce346ddf3b49b1e3abb4e72a", + "SHA1": "3abb9d0a9d600200ae19c706e570465ef0a15643", + "SHA256": "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib For MSISimple_OC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.2", + "FileVersion": "1.0.0.2", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "ccc4847b99e359c72448de9f9f0981f1", - "SHA1": "9e771be7100b166ba79aeeea58aa3dee44c09d6b", - "SHA256": "6b9090296a10225be115810e29e8ada4f70e4d4a8f88b385ccd9a8a6d2eb6778" + "MD5": 
"fb364fe88525eface63e291f7e86338e", + "SHA1": "0f661f61f0106faeda1d6cbe83b81aaf3ea4d28c", + "SHA256": "299f36c717c5d5d77a8e9c15879e95cd825f74e77c7ed24e7cccbefeb38a2165" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2011-2012 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoCreateDevice", - "IofCallDriver", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IoDeleteDevice", - "ProbeForWrite", + "MmUnmapIoSpace", "MmMapIoSpace", - "KeInitializeEvent", - "RtlInitAnsiString", "IofCompleteRequest", - "KeWaitForSingleObject", + "IoDeleteDevice", + "IoCreateDevice", "KeBugCheckEx", - "MmUnmapIoSpace", "RtlInitUnicodeString", - "PsGetVersion", - "RtlUnwindEx", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": 
"1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -27555,294 +13202,275 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "2f8653034a35526df88ea0c62b035a42", - "SHA1": "68ca9c27131aa35c7f433dc914da74f4b3d8793f", - "SHA256": "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036", + "Filename": "NTIOLib.sys", + "MD5": "4a06bcd96ef0b90a1753a805b4235f28", + "SHA1": "27eab595ec403580236e04101172247c4f5d5426", + "SHA256": "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "MSI ComCenService Driver", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a5f87835956f86d2acccd4c8012a4fcd", - "SHA1": "2e37b05cd1bafe18e0a1a33560b0ec5aa99b0192", - "SHA256": "e650b4e4b5a95cba582b9749cac4c40e67e854d78eb8494f46f6d11f1fcea4d6" + "MD5": "1a384cdc0edc4e14d6dfb5b242e9313f", + "SHA1": "13874ae76957845e9315eedf0f5f2b59eedcb9a6", + "SHA256": "1f210a62de46c5acb868a083465b94287331ec28acd3b269e64ab6c3f372021f" }, - 
"Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2013 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", "MmUnmapIoSpace", "MmMapIoSpace", - "ProbeForWrite", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "RtlInitAnsiString", - "KeWaitForSingleObject", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": 
"2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "e747f164fc89566f934f9ec5627cd8c3", - "SHA1": "a958734d25865cbc6bcbc11090ab9d6b72799143", - "SHA256": "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02", + "Filename": "NTIOLib.sys", + "MD5": "63e333d64a8716e1ae59f914cb686ae8", + "SHA1": "78b9481607ca6f3a80b4515c432ddfe6550b18a8", + "SHA256": "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib for MSIFrequency_CC", + "Product": 
"NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "b98238e731280f6d726e61b0016cb877", - "SHA1": "820a00a0e0fc628d06ac1f779eb9e88d613d8934", - "SHA256": "b46fb3ed5a7a84ef594ab0b76f384aa2dca0614574478fb98308806612609465" + "MD5": "9e87790870d27c78e12a870557a5decf", + "SHA1": "ff09c47ebaa82cdde41a1be4e65f5a7cafb28322", + "SHA256": "051dad67cc6cb6b6e20b1230b04c09cc360d106a6b7000e0991381356ace0811" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2017 CPUID", - "MachineType": "IA64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "IofCompleteRequest", - "MmMapIoSpace", "MmUnmapIoSpace", - "ProbeForWrite", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "RtlUnwindEx", - "RtlPcToFileHeader", - "READ_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "READ_PORT_UCHAR", - "HalCallPal", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": 
"a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign 
Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "c08063f052308b6f5882482615387f30", - "SHA1": "252157ab2e33eed7aa112d1c93c720cadcee31ae", - "SHA256": "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba", + "Filename": "NTIOLib.sys", + "MD5": "79483cb29a0c428e1362ec8642109eee", + "SHA1": "414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c", + "SHA256": "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a", + "Signature": [ + "Micro-Star Int'l Co. 
Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a28d6b501a18377685e448a214f370a6", - "SHA1": "732fdb7d346543552b44e6d127fa907df7ef8d81", - "SHA256": "942a7b2ebca0edeff5803c8f899ee455c0ec279542c41d2db2664d58c1025c86" + "MD5": "4f3fc3f46b55c66e36a411e0389d9740", + "SHA1": "fed54cfff38966133b7fbc067246bbfca871118b", + "SHA256": "9a1d483d6ca994942533fcfe10c11b1725bbb9551e435476453a57ce7ff17029" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -27860,95 +13488,98 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "9a9bbecb393272aaedfd7a125e0fe581151a18a75a4094e082a38156f62018b9d59edef27429bbea60d6e146a2ce134546d54e00b6585c1d85e3aedfb3b9a5de7728a96b2bcc26106655bae6bc5ce3a72714f9e23282a2fba29fc870b394e832f07dc50ded3a042953fe91379769e424398278b6ed14ae4f6b4cce5fa7ba20fc8d157a78fd308214d177189bcd76b2bd62a861a8c1562e2748f338f7369f0f062804685399a6655fcb4564a644e7a8bee8330557376884cce9153992e8e205bc1474dbd0109b3c87991db9bb77a9dff5775267390431ce56ff49500d8ad70be34a0d9a0b112e07eb55f0fe07de9ac93a0b30cb36029b5ec41e032daf66627d4e", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "549e5148be5e7be17f9d416d8a0e333e", - "SHA1": "6d9e22a275a5477ea446e6c56ee45671fbcbb5f6", - "SHA256": "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c", + "Filename": "NTIOLib.sys", + "MD5": "23cf3da010497eb2bf39a5c5a57e437c", + "SHA1": "d9c09dd725bc7bc3c19b4db37866015817a516ef", + "SHA256": "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": 
"NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "00556fc028ef505e2a528e054c435923", - "SHA1": "f645fd2deb256b7e3b8dcb7213c4fb61f2e209ec", - "SHA256": "c2159219e9986ab9e07e00a87fb83835230a2b99174e7f9b94096046c2dace55" + "MD5": "d3ef4e7146fce9f2a17134d42c07166b", + "SHA1": "ee34907ac4afce04fe1bab85e68d7e743db05841", + "SHA256": "a6bf32fafa57bcbb84b06db0d7d28e4b1457ead69c33fa883d5abe84ecd91b51" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "IA64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "IofCompleteRequest", - "MmMapIoSpace", "MmUnmapIoSpace", - "ProbeForWrite", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", "__C_specific_handler", - "READ_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", "HalSetBusDataByOffset", - "READ_PORT_UCHAR", - "HalCallPal", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - 
"Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -27959,304 +13590,281 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "d0c2caa17c7b6d2200e1b5aa9d07135e", - "SHA1": "bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0", - "SHA256": "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe", + "Filename": "NTIOLib.sys", + "MD5": "9638f265b1ddd5da6ecdf5c0619dcbe6", + "SHA1": 
"9c256edd10823ca76c0443a330e523027b70522d", + "SHA256": "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib For NTIOLib_ECO", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.2", + "FileVersion": "1.0.0.2", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "1a595aaefa6bd782d63e97de4fcec464", - "SHA1": "eae1ab9e3aac1a4de139993b7e63542befccf0df", - "SHA256": "6045d564286f00fc1efedd25ffd22ecb7eaf2b3a6c778e392319380c77e45658" + "MD5": "ff9b15a51f11874a9abe7a1b9f4cfd0d", + "SHA1": "0d3956de7c3a7788727358867abf34880eaa7100", + "SHA256": "cf3ec8972720f84d73e907bb293de40468a0d605ce0da658a786f7b4842b3c62" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2011-2012 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", "MmMapIoSpace", - "ExFreePoolWithTag", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "DbgPrint", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": 
"be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "f310b453ac562f2c53d30aa6e35506bb", - "SHA1": "eb44a05f8bba3d15e38454bd92999a856e6574eb", - "SHA256": 
"600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0", + "Filename": "NTIOLib.sys", + "MD5": "f2f728d2f69765f5dfda913d407783d2", + "SHA1": "35829e096a15e559fcbabf3441d99e580ca3b26e", + "SHA256": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "423e8ee5a464bc64032924ee428b40af", - "SHA1": "37552fe06a39175032793e6317d124008a892f18", - "SHA256": "abf635a246752555868f203a565ead519c9ada06ea007545a47bf352678c342a" + "MD5": "2d87365d63e81ef0edc577bf0cb33995", + "SHA1": "b472d32094e258b2af60914db8604cd0bf439c4b", + "SHA256": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "aa69b4255e786d968adbd75ba5cf3e93", - "SHA1": "af5f642b105d86f82ba6d5e7a55d6404bfb50875", - "SHA256": "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289", + "Filename": "NTIOLib.sys", + "MD5": "992ded5b623be3c228f32edb4ca3f2d2", + "SHA1": "b8de3a1aeeda9deea43e3f768071125851c85bd0", + "SHA256": "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": 
"AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "2d28bedef20cc63f0ae1b726a5cb34e0", - "SHA1": "92524be5b5320c3e08d880ecbcd36a9c8037a921", - "SHA256": "47c9323ae818bd2a3b55fc04abd984bd940cd4e27b6d4af311edcb66988ce941" + "MD5": "1d0d0ef174a767359bb32e53fe346416", + "SHA1": "4dbbf2558cdbdaf4a5e5ec65e844f5abdace5514", + "SHA256": "809403706c3669a0d67bd35a87f66714989d1bc66e2aa6ca5979781ae3c4fdb0" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "ProbeForWrite", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "IoDeleteSymbolicLink", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 
23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -28267,99 +13875,85 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "3411fdf098aa20193eee5ffa36ba43b2", - "SHA1": "ad05bff5fe45df9e08252717fc2bc2af57bf026f", - "SHA256": 
"67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc", + "Filename": "NTIOLib.sys", + "MD5": "c3fea895fe95ea7a57d9f4d7abed5e71", + "SHA1": "054a50293c7b4eea064c91ef59cf120d8100f237", + "SHA256": "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "41fd82e071d4afdfd8a895d0ab4fb568", - "SHA1": "b72edd113acbd4bb98374b80c1d238eb1e348f15", - "SHA256": "3b2a3b74127c7ecf095e0fe5a65af31b9701d2ba6dc2a4d87882de65d84842c0" + "MD5": "922f6d3d0dda7748bad7a537a8bc9e4e", + "SHA1": "71355d9ebcf35492b60c3f936550d30310a31049", + "SHA256": "9d734d6443a707d601d76577692dc613b35201518856d0189b037f7a4fbd420d" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", "MmUnmapIoSpace", - "RtlInitAnsiString", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "RtlUnwind", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -28377,89 +13971,91 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
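Review bot: `"CertificatesInfo"` changes type in this hunk, from an empty array (`"CertificatesInfo": []`) on the old side to an empty string (`"CertificatesInfo": ""`) on the new side, and the same change recurs in the `@@ -28377`, `@@ -28477` and `@@ -28795` hunks, in every `Signatures` entry visible here. If the Go type in pkg/loldrivers that this file is unmarshalled into declares that field as a slice, `encoding/json` will reject the new string value and the whole dataset load fails; that struct is outside this diff, so please confirm its field type, or declare the field as `json.RawMessage` so either shape parses. The key normalization from `"FileName"` to `"Filename"` in the same hunk is harmless for `encoding/json`, which matches field names case-insensitively, but any code that indexes the raw JSON by key name would need the new spelling. Since this file is a vendored copy of an upstream dataset, recording the upstream revision it was fetched from alongside the update would make the next refresh and any provenance check easier.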
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "f60a9b88c6ff07d4990d8653d0025683", - "SHA1": "0cc60a56e245e70f664906b7b67dfe1b4a08a5b7", - "SHA256": "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63", + "Filename": "NTIOLib.sys", + "MD5": "0395b4e0eb21693590ad1cfdf7044b8b", + "SHA1": 
"d94f2fb3198e14bfe69b44fb9f00f2551f7248b2", + "SHA256": "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a3d5faa9e1a6f47f8e0a23ef837afe38", - "SHA1": "bb21b535fa0adaef1a9a29759e0d2b2a5faf1965", - "SHA256": "5e9099b95b2074fecc6efa6d59552651b1e082aaa3612889f417064d378a797f" + "MD5": "c6830e904e56ea951005ea7639eedd35", + "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", + "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", - "MachineType": "IA64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "IofCompleteRequest", - "MmMapIoSpace", "MmUnmapIoSpace", - "ProbeForWrite", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "RtlUnwindEx", - "RtlPcToFileHeader", - "READ_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "READ_PORT_UCHAR", - "HalCallPal", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -28469,6 +14065,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -28477,307 +14080,268 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, 
OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "c046ca4da48db1524ddf3a49a8d02b65", - "SHA1": "5635bb2478929010693bc3b23f8b7fe5fdbc3aed", - "SHA256": "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c", + "Filename": "NTIOLib.sys", + "MD5": "68dde686d6999ad2e5d182b20403240b", + "SHA1": "01a578a3a39697c4de8e3dab04dba55a4c35163e", + "SHA256": "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., 
LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib For MSIRatio_CC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "49da5e87cba74d3bd91bd589e49b0d1a", - "SHA1": "e79179e0a586067e9d9654c2a8dfd45963ddcac3", - "SHA256": "36729c2c714e05ebf9bc7262bc7f0d5d25d9dc9c8e0c4fdce27143bbdd9d9aa7" + "MD5": "3b7d9b57810ca80137223615a97635e0", + "SHA1": "8d9f65a6a9048ec91dd010216071c4ec983887c7", + "SHA256": "4e92baa37cd8b665ca0851f8442766aaf3b96fa61ea137d5972d5eb059389a05" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2015 CPUID", - "MachineType": "IA64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "IofCompleteRequest", - "MmMapIoSpace", "MmUnmapIoSpace", - "ProbeForWrite", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", "__C_specific_handler", - "READ_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", "HalSetBusDataByOffset", - "READ_PORT_UCHAR", - "HalCallPal", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + 
"ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "0283b43c6bc965175a1c92b255d39556", - "SHA1": "8325e8d7fd2edc126dcf1089dee8da64e79fb12e", - "SHA256": "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1", + "Filename": "NTIOLib.sys", + "MD5": "34069a15ae3aa0e879cd0d81708e4bcc", + "SHA1": "14bf0eaa90e012169745b3e30c281a327751e316", + "SHA256": "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib_X64", + "Product": "NTIOLib_X64", + "ProductVersion": "1.0.0.1", + "FileVersion": "1.0.0.1", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib_X64.sys", "Authentihash": { - "MD5": "b978a03408c0e9ea44ffdeecc35ab83e", - "SHA1": "fed654a9c5f2bf2a1ad9a2e94da162633fb468c5", - "SHA256": "72f9cb24cfa641876f34967b96244259f95987ef24d1d729c0e483b3eb9a2740" + "MD5": "066bcfa3fdd0925385faf92debce887c", + "SHA1": "a2948b9d2e2ee9f4929b39acad6c850ea70dd34c", + "SHA256": "7fa5c326b294f4fc537207a27947c2fcbbfa4eabde1ba4727c92cd8613e0fc7f" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "I386", + "InternalName": "NTIOLib_X64.sys", + "Copyright": "Copyright (C) 2014 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", "MmUnmapIoSpace", - "RtlInitAnsiString", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 
23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, 
CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "4a85754636c694572ca9f440d254f5ce", - "SHA1": "dd55015f5406f0051853fd7cca3ab0406b5a2d52", - "SHA256": "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b", + "Filename": "NTIOLib.sys", + "MD5": 
"3f39f013168428c8e505a7b9e6cba8a2", + "SHA1": "f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79", + "SHA256": "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "3a19663e83c3569a86812ef915de52bc", - "SHA1": "cd9a022e078eaa2364155e00942edbecb85619b0", - "SHA256": "8d3ed9427dcc4f79be3585d41ab9c0bb447d6a0258dd919c4d49e02dedbaa47b" + "MD5": "7c60ced61bb34cad2982f5ddb1306754", + "SHA1": "d02d19abf19569df72ea2c5071330de3d57e0982", + "SHA256": "fa861c61102cbcaa1e5f6020deaa066c4fcdfaee3ded1ee156ab81d59ad54f9a" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", "MmMapIoSpace", - "ExFreePoolWithTag", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -28795,497 +14359,459 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "8741e6df191c805028b92cec44b1ba88", - "SHA1": "ba0938512d7abab23a72279b914d0ea0fb46e498", - "SHA256": "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775", + "Filename": "NTIOLib.sys", + "MD5": "1ed043249c21ab201edccb37f1d40af9", + "SHA1": "6100eb82a25d64a7a7702e94c2b21333bc15bd08", + "SHA256": "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57", + "Signature": [ + "Micro-Star Int'l Co. 
Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a67c91579145d058cf7cd3f8f60bf613", - "SHA1": "cb981516b9979025669c080a74c9308dca04963a", - "SHA256": "02fcbc5372c9bf31903376bde11d558ab7c7f13bde005120e24bdb1aef5d0134" + "MD5": "ef516589154145d31284df600c9ad58b", + "SHA1": "dbed3d7755df2c30d7e445529ed2bbe60ce9ee2d", + "SHA256": "6bed7f1304c6785a06064b04e0e3cb55384588f18ea2fc348a6fcd5784f47558" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": 
"0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "bf581e9eb91bace0b02a2c5a54bf1419", - "SHA1": "13df48ab4cd412651b2604829ce9b61d39a791bb", - "SHA256": "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2", + "Filename": "NTIOLib.sys", + "MD5": "96b463b6fa426ae42c414177af550ba2", + "SHA1": "bf87e32a651bdfd9b9244a8cf24fca0e459eb614", + "SHA256": "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "b2c31454c057d73fb6d240356a32f8f1", - "SHA1": "f965db8fa1ef4ce0a738aad55d82c0cf63a47915", - "SHA256": "16398965e9cea179b2e5ca884e3af032dece08d4ef33bdd83234ee441d71a5fa" + "MD5": "133e1582c5d14c52ac3590c9d2ada850", + "SHA1": "a22e6b855062f1154ae8f244e2652e04b4ea5b4c", + "SHA256": "5a63937a6320f50c4782d0675104932907d16a91d89088ac979a7a0129aad986" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2015 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": 
"a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign 
Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "94ccef76fda12ab0b8270f9b2980552b", - "SHA1": "e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8", - "SHA256": "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126", + "Filename": "NTIOLib.sys", + "MD5": "0752f113d983030939b4ab98b0812cf0", + "SHA1": "28b1c0b91eb6afd2d26b239c9f93beb053867a1a", + "SHA256": "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be", + "Signature": [ + "Micro-Star Int'l Co. 
Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "ac9131c2fc8e77ef414ad451d35e4d1e", - "SHA1": "7b63ad1179825964aae9d1486fefed1b8f26a8a8", - "SHA256": "1a8a5aebf83d1fa6daf74e48fc600e22b8fdceafb5dd7c7e14db2aa2a28e8c24" + "MD5": "761bee6879171d50932f73cfa9c718e0", + "SHA1": "33b2e3af695f0febd39d02d8f931e92ad88461f4", + "SHA256": "e951858d5317724c015eef07d402e8bcb33cf1a7c2ccf7a75cea63e3430d16a2" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "PsGetVersion", "MmUnmapIoSpace", - "IoBuildDeviceIoControlRequest", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "MmMapIoSpace", "IofCompleteRequest", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "IofCallDriver", - "IoGetDeviceObjectPointer", - "RtlInitUnicodeString", "IoDeleteDevice", - "MmMapIoSpace", - "KeBugCheckEx", - "RtlInitAnsiString", "IoCreateDevice", - "KeInitializeEvent", - "RtlUnwindEx", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2007-02-08 00:00:00", - "ValidTo": "2009-02-07 23:59:59", - "Signature": "6ca08361ce69863ade5289039d2e6eaf79729d950a57fc32158e56bc0bfc05ca3b76263b8e8a5e2279522eceed35495c697a2f1b1631e1a4f997c8b2e14cd08a3b4aaeca9f150126f5933e6a29fde1e3ef607f452219582ac034c3f95023fd6c5474008ecea3aab5ba096ae73a3dd76b296d3c8b06a72ca763698e49474d624c22ad57a3d11342be8a6d2a49e4af5893003fcf02900a0fbf4854858cc0468d23b9917cfe59ac8b7058de49ab25bbca0bc67f1f367309deed4827295173fad53932d12ad79b8c70175e640f7917fd60940be86d1af397dd5eb0ecb9e92f9e3dc03f2cbf51e9776b31a8cba38fabd8b27e561f66a5ddad46546d6bc984a6a8d8bc", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "9b157f1261a8a42e4ef5ec23dd4cda9e", - "SHA1": "99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4", - "SHA256": "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88", + "Filename": "NTIOLib.sys", + "MD5": "6cce5bb9c8c2a8293df2d3b1897941a2", + "SHA1": 
"879fcc6795cebe67718388228e715c470de87dca", + "SHA256": "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib for MSIDDR_CC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "99cba45243e4a9e5999224b5719ccc2d", - "SHA1": "43ffee630881d6ae82640c59c674e9ee57cb5eac", - "SHA256": "94f39e23194d01698b2d8e7bb1c212bf192e81df59766d4adf5f7e33bbe13181" + "MD5": "63ea2f5ce789857efaf657ae86d029c5", + "SHA1": "33286e984b12811b38b2ad3396451388e2f24424", + "SHA256": "98f5cb928827e8dadc79c1be4f27f67755dbeb802c3485af9cace78b9eb65c59" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2015 CPUID", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", "MmUnmapIoSpace", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlInitAnsiString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "KeStallExecutionProcessor", + "__C_specific_handler", "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": 
"a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign 
Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "5212e0957468d3f94d90fa7a0f06b58f", - "SHA1": "ad1616ea6dc17c91d983e829aa8a6706e81a3d27", - "SHA256": "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad", + "Filename": "NTIOLib.sys", + "MD5": "64efbffaa153b0d53dc1bccda4279299", + "SHA1": "15df139494d2c40a645fb010908551185c27f3c5", + "SHA256": "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "9b4bb5dc9df3edd0d7d859629c80c2dc", - "SHA1": "706789b1bf76e4d337957a36d60b96b7743f9f62", - "SHA256": "eb6807c46e2d4808f07cca9242e7a59393fdab6ccf4da1aec124ef2a34398d43" + "MD5": "c6788d75093368b6dc2bc373df4591b8", + "SHA1": "a3799e1aa983ad65de762a430f3286eefeff61e0", + "SHA256": "1ef80a6b63766ca36e2f2a7d29c49dc5859a58604bd8fde15011d8c379f76e01" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 
CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -29295,6 +14821,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
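Review bot: The new side changes `"CertificatesInfo": []` to `"CertificatesInfo": ""` on each sample visible in this hunk (the preceding hunk carries the same substitution), so the key now has a different JSON type than the old data had, and if the Go struct in pkg/loldrivers declares that field as a slice, encoding/json will reject the entire embedded file at load time rather than one record. I cannot see the struct from here; if the field is not already `interface{}` or `json.RawMessage`, either keep the value as an empty array in the embedded data or loosen the field type so a future export flipping it back does not break the loader. A second point is that the new `Subject` and `Issuer` strings appear to carry `,` where the certificate DN has `-` (`CN=GlobalSign CodeSigning CA , G2`, `O=Micro,Star Int'l Co. Ltd.`) while the sibling `Signature` array keeps `GlobalSign Root CA - R1`, so any detection logic that compares these fields or splits DNs on commas will mis-match them. This looks like upstream normalisation rather than something this commit introduced, but it is worth recording next to the loader, e.g. `// Subject/Issuer strings come normalised from the upstream export ("-" appears as ","); match them as opaque strings, never parse as DNs.`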
@@ -29303,100 +14836,77 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, 
OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "56b54823a79a53747cbe11f8c4db7b1e", - "SHA1": "1d9fd846e12104ae31fd6f6040b93fc689abf047", - "SHA256": "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c", + "Filename": "NTIOLib.sys", + "MD5": "2da209dde8188076a9579bd256dc90d0", + "SHA1": "1f7501e01d84a2297c85cb39880ec4e40ac3fe8a", + "SHA256": "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., 
LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "c8b8d6e4b9b4f42714f3abfb66880ccf", - "SHA1": "5848f7c4dadcb1ea16f4d9e533a84a6d6f522f8b", - "SHA256": "057e45b47fe0ca96fe3741058bc4365c9a866dff925cab8cfea4c161b990e8e2" + "MD5": "5e4c54660e02b951d67e54ce3c16dcc9", + "SHA1": "14e798609095df77d135dd2afae8277e0a968d99", + "SHA256": "5eb233ed9df3c1def326e2c63ee304dc85af303f8c9f038c993aa6e34f91ffaf" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", "MmMapIoSpace", - "ExFreePoolWithTag", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "DbgPrint", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
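Review bot: The regenerated data renames the `FileName` key to `Filename` and changes `CertificatesInfo` from an empty array (`[]`) to an empty string (`""`), visible in this hunk for the first `NTIOLib.sys` sample, so whatever struct in pkg/loldrivers unmarshals this file must be adjusted in the same commit. If the consumer is Go (the `pkg/` layout suggests it), encoding/json matches keys case-insensitively, so the rename alone is probably tolerated, but a field declared as a slice will make `json.Unmarshal` fail on the whole document rather than one entry, and the scanner would then load zero drivers and report nothing. A unit test that unmarshals the embedded file and asserts a non-zero sample count would catch this class of schema drift on the next refresh. Both changes presumably repeat for every sample in the file, not just the ones shown here.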
@@ -29414,198 +14924,187 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": 
"87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "29872c7376c42e2a64fa838dad98aa11", - "SHA1": "8ec28d7da81cf202f03761842738d740c0bb2fed", - "SHA256": "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4", + "Filename": "NTIOLib.sys", + "MD5": "84ba7af6ada1b3ea5efb9871a0613fc6", + "SHA1": "152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67", + "SHA256": "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO.", + 
"GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib for DebugLED", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "3c2269699f0187275c2b144f9b60d5e6", - "SHA1": "69aabc267344bd9f98bd2fddc7213de735ba79d7", - "SHA256": "2fb8f2a0a32f2e73921a16a7836ff14122da45582aae742e6afd4d7ca15b3da3" + "MD5": "e2fde714a590d75cec614058707ac9d7", + "SHA1": "450a92b5d604ad2c7d848ab96dc1c0455c7d1f92", + "SHA256": "5dfb950d4771c35f4f82626b5d8859cce74bf03db67f2be3036631894a62eca8" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2016 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2013 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 
00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "557fd33ee99db6fe263cfcb82b7866b3", - "SHA1": "0a6e0f9f3d7179a99345d40e409895c12919195b", - "SHA256": "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399", + "Filename": "NTIOLib.sys", + "MD5": "1b32c54b95121ab1683c7b83b2db4b96", + "SHA1": "5f8356ffa8201f338dd2ea979eb47881a6db9f03", + "SHA256": "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "b8844b695f5170c70ac66f95324f836a", - "SHA1": "195024cc4a4adea16e6c2df8f2f8489a28f36beb", - "SHA256": "66cc007348a41fb33fab59f5ea265006534ba82db4eb7327039cbe2b4ce7e077" + "MD5": "b36ce3dc6e3ca0e76c9f9a7d4d331524", + "SHA1": "0b68901f632deadc3f0691febe7d0dacb8a2d4d8", + "SHA256": "bb4e3aa888a779238b210d6406aa480f01d27ea28d20699b1ec29a59dae19913" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2012 CPUID", - "MachineType": "IA64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "IofCompleteRequest", - "MmMapIoSpace", "MmUnmapIoSpace", - "ProbeForWrite", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "RtlUnwindEx", - "RtlPcToFileHeader", - "READ_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "READ_PORT_UCHAR", - "HalCallPal", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
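Review bot: The `Subject` and `Issuer` DN strings in the new samples have hyphens turned into commas — `O=MICRO,STAR INTERNATIONAL CO., LTD.` and `O=GlobalSign nv,sa` in the certificate entries, while the same sample's `Signature` list spells it `MICRO-STAR INTERNATIONAL CO., LTD.` — so any match on signer or issuer DN against a real certificate chain would miss. This appears to be an upstream export artefact rather than something this commit introduced, but it is worth reporting upstream or normalising on load rather than matching on these strings as-is. Separately, because the file was regenerated and reordered wholesale, the `cpuz.sys` samples removed in this hunk (including the IA64 build) may simply have moved, and the diff cannot show whether any `SHA256` or `Authentihash` value was dropped; a set comparison of the hash fields between the old and new file before merging is the only way to rule out a coverage regression in a blocklist.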
@@ -29616,515 +15115,467 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign 
Class 3 Code Signing 2010 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "c516acb873c7f8c24a0431df8287756e", - "SHA1": "f6f7b5776001149496092a95fb10218dea5d6a6b", - "SHA256": "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa", + "Filename": "NTIOLib.sys", + "MD5": "b0baac4d6cbac384a633c71858b35a2e", + "SHA1": "a7bd05de737f8ea57857f1e0845a25677df01872", + "SHA256": "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "a14a1ba39405f52d67d289b65f0c7eb9", - "SHA1": "11172e3f08444d643f277be83aaabe9f2aea74ca", - "SHA256": "3ce4a30668938fb7785c9958772e3c171af320ecfea8fc298160e80fbf80fb73" + "MD5": "498e18a0df3d49779e5d50e2ce1e8385", + "SHA1": "cb7ed29416920b38a00695d11751ca6766a7b5f9", + "SHA256": "48ac8ae911c490e1b7f7813c0f345677e110ffaa9ef385b86ca25e5519e2c0de" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2017 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", - "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 
00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - 
"MD5": "641243746597fbd650e5000d95811ea3", - "SHA1": "da42cefde56d673850f5ef69e7934d39a6de3025", - "SHA256": "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e", + "Filename": "NTIOLib.sys", + "MD5": "b89b097b8b8aecb8341d05136f334ebb", + "SHA1": "cce9b82f01ec68f450f5fe4312f40d929c6a506e", + "SHA256": "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "560b782df855c5ea30b76ee4a9930d28", - "SHA1": "6423659ab76fad7627fd7fb16f05a40b8df8da4d", - "SHA256": "62daa7ab93684d935cdada8af43cba552d7692cb992411d27ba1ee50a9fb1883" + "MD5": "b70f71ebef5d45dcf99098beb0f72951", + "SHA1": "049b1cd656849214bd5c864c79e3b27be6b46b34", + "SHA256": "c1795ec9d05d0efe56e76bf4b76a09a804d3cd5b0e75bc47049d5ee488fc2bec" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "6.1.7600.16385", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "ProbeForWrite", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - 
"Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "a453083b8f4ca7cb60cac327e97edbe2", - "SHA1": "53f7fc4feb66af748f2ab295394bf4de62ae9fcc", - "SHA256": "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26", + "Filename": "NTIOLib.sys", + "MD5": "a711e6ab17802fabf2e69e0cd57c54cd", + "SHA1": "e35a2b009d54e1a0b231d8a276251f64231b66a3", + "SHA256": "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "b3bf90b99dec81a927b9fa8467d20e11", - "SHA1": "0632e0c8fdb6e629fd2efa5ccdf4a8415131bc58", - "SHA256": "536333c1fb9066a12c7791b740fcf637f6f86b45bd57baf0f27ae33c3b6c6cf1" + "MD5": "ec3966c4b4ec6fc15ff0940548fd10c2", + "SHA1": "531a782723ecc50ea4fcfbbfe4b94465782a21d0", + "SHA256": "eae8045d43f16e33232fd8bd2399f48b14f8a6391c9fffe38960c03fee978b27" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": 
"6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2013 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec 
Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": 
"225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "07493c774aa406478005e8fe52c788b2", - "SHA1": "34a07ae39b232cc3dbbe657b34660e692ff2043a", - "SHA256": "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98", + "Filename": "NTIOLib.sys", + "MD5": "490b1f404c4f31f4538b36736c990136", + "SHA1": "37364cb5f5cefd68e5eca56f95c0ab4aff43afcc", + "SHA256": "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d", + "Signature": [ + "Micro-Star Int'l Co. 
Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "63e4ba0a05ddac75e9f2b90c28291331", - "SHA1": "34c6aeb2bc32ff8da525641af75ff600e7249252", - "SHA256": "653601cf8c3c2c4b778f9025d4e964c887966cc3216bb35a73a3ae75477b4476" + "MD5": "364af1be1135ce8bede31bb6c201f7bb", + "SHA1": "3d0c8e9e7fcd431a91d4c4ea088d94fa371d546b", + "SHA256": "c1c18591d7b68fafa870f3d0f1124a353682765236674cc7476c5f1cc71b1528" }, - "Description": "CPUID Driver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "PsGetVersion", "MmUnmapIoSpace", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "RtlAnsiStringToUnicodeString", + "MmMapIoSpace", "IofCompleteRequest", - "RtlFreeUnicodeString", - "IofCallDriver", - "IoGetDeviceObjectPointer", - "RtlInitUnicodeString", "IoDeleteDevice", - "ProbeForWrite", - "MmMapIoSpace", - "KeBugCheckEx", - "RtlInitAnsiString", "IoCreateDevice", - "KeInitializeEvent", - "RtlUnwindEx", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2007-02-08 00:00:00", - "ValidTo": "2009-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": 
"3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "e425c66663c96d5a9f030b0ad4d219a8", - "SHA1": "bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6", - "SHA256": "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578", + "Filename": "NTIOLib.sys", + "MD5": "6f5d54ab483659ac78672440422ae3f1", + "SHA1": "d62fa51e520022483bdc5847141658de689c0c29", + "SHA256": "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.1", + "FileVersion": "1.0.0.1", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib_X64.sys", "Authentihash": { - "MD5": "a10d1df81f81710baf68826e4c32befa", - "SHA1": "ecbde8d7d911f64666f89356ce6194d92741bdc4", - "SHA256": "cd7754a6ec6bf19724fb266ec4f1d02607e9b310791d8725d7db5ac84d5430e2" + "MD5": "c7069e41aab11ec8cb06657e6e8babd0", + "SHA1": "156907d0ca2ecff7efa07f479622b018af74bf2f", + "SHA256": "9c513f4d4c38a10af9f4a967bb6c7901275adf0df8046fc7e1b7e4c3e3c7c3cf" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2014 CPUID", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2015 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", "MmUnmapIoSpace", - "RtlInitAnsiString", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", - "KeInitializeEvent", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -30134,6 +15585,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
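Review bot: The added certificate's `Subject`, `C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2`, carries commas where the real distinguished name has hyphens (`nv-sa`, `CA - G2`), while the `Signature` list earlier in the same record, above this hunk, still reads `GlobalSign CodeSigning CA - G2`, so two fields of one record disagree about the same CA. The same substitution recurs in the next hunk's `Issuer` and in the `MICRO,STAR INTERNATIONAL CO., LTD.` and `Micro,Star Int'l Co. Ltd.` subjects in the hunks that follow, so it looks like an export artifact of the upstream dataset rather than a one-off typo. Any consumer that splits these strings on `, ` into RDNs, or compares them against a certificate's actual subject or issuer, will mis-parse or silently fail to match. Since the file appears to be regenerated from upstream, the correction belongs in that export step; until then, matching logic should key on the hash and `SerialNumber` fields rather than on `Subject`/`Issuer` text.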
@@ -30142,106 +15600,84 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "ccb09eb78e047c931708149992c2e435", - "SHA1": "ada23b709cb2bef8bedd612dc345db2e2fdbfaca", - "SHA256": "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15", + "Filename": "NTIOLib.sys", + "MD5": "dd04cd3de0c19bede84e9c95a86b3ca8", + "SHA1": "93aa3bb934b74160446df3a47fa085fd7f3a6be9", + "SHA256": "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + 
"OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "e4b3d527845f6574b5959b6381f925f8", - "SHA1": "baf46ac272c1a6d8c32683965b1d849386908079", - "SHA256": "68b0a239031b158e2927bb5dc8844b662cb4616ee8c1363fa729aa8fa0d86cff" + "MD5": "55cd6f1f309b3409bf2cb92a4eb56e74", + "SHA1": "e7558eaa5e3357ca3010ee219cf52fdf46e5cd5a", + "SHA256": "a502c904a7fe42183d3ea66f1e01fbd4321eb202280b054b9124dd333f093ba2" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
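Review bot: `CertificatesInfo` changes type on the new side, from the empty array `[]` to the empty string `""`, and the sample key `FileName` becomes `Filename`; both are schema changes that a data file cannot announce to its consumer. A decoder that declares `CertificatesInfo` as a list (this file sits under `pkg/`, so presumably a typed Go struct) will stop at the first `""` and reject the whole document, and Go's `encoding/json` tolerates the `FileName`/`Filename` rename only because its key matching is case-insensitive, which other consumers will not share. Every occurrence in view is `""`, but in a file of this size a mix of both shapes across records cannot be excluded from here. The struct that decodes this file should be updated in the same change, with `CertificatesInfo` either dropped or declared as a type that accepts both shapes, e.g. `json.RawMessage`.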
@@ -30252,516 +15688,440 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "43bfc857406191963f4f3d9f1b76a7bf", - "SHA1": "9329a0ce2749a3a6bea2028ce7562d74c417db64", - "SHA256": "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b", + "Filename": "NTIOLib.sys", + "MD5": "95e4c7b0384da89dce8ea6f31c3613d9", + "SHA1": "ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b", + "SHA256": "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib for MSIClock_CC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "68fb744e92133e8bb6b59fea9304667c", - "SHA1": "de1a168f24f5da29b9f8bf8333fff57bfa0d21a4", - "SHA256": "d70bfea03deeea92a253f2b4a8b7181a3064f62c5207f94b5f7ce5a9e62ab4cf" + "MD5": "0c06dcbb129db21d296df3f6f8e98514", + "SHA1": "d3642da8e37cb772b1dd7b75a69323a4a00566c8", + "SHA256": 
"ce89124d29b5e562bbcc2f07b1dfac0f22dd66ad3deb32dd32c8c138a3739ef8" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2016 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", - "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": 
"a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": 
"1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "8f5b84350bfc4fe3a65d921b4bd0e737", - "SHA1": "76046978d8e4409e53d8126a8dcfc3bf8602c37f", - "SHA256": "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90", + "Filename": "NTIOLib.sys", + "MD5": "9aa7ed7809eec0d8bc6c545a1d18107a", + "SHA1": "35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd", + "SHA256": "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.01", + "FileVersion": "1.0.0.01", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "76a420a5ac2a6250c57d129de361695a", - "SHA1": "3736434ca3094fed9f1f3378e9fb966a5e9411f1", - "SHA256": "3e423caaff9002b38e1d90005df181aa2b3711ebbf6d1eb83941656ccc313811" + "MD5": "37256f56e87f5530dd63e3069a3e3252", + "SHA1": "17f4ab1865a5a2be4768cd25019439441fd0e10b", + "SHA256": "61a3bf24d4e3eac56c380b022dfc195bad4cc8d03156cdc3ba743faab582284a" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2010 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - 
"ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2012-01-06 00:00:00", - "ValidTo": "2015-02-06 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "53c8b54713882d4d5439511804935e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code 
Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "ce57844fb185d0cdd9d3ce9e5b6a891d", - "SHA1": "32888d789edc91095da2e0a5d6c564c2aebcee68", - "SHA256": "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe", + "Filename": "NTIOLib.sys", + "MD5": "c02f70960fa934b8defa16a03d7f6556", + "SHA1": "3805e4e08ad342d224973ecdade8b00c40ed31be", + "SHA256": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", + "Signature": [ + "Micro-Star Int'l Co. Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "649db3854efa0c9a10fdcca1bcc5fc0b", - "SHA1": "3c738ea73287a493a2254c6011c35f31569cf2b9", - "SHA256": "472e29b63e1d9d44269a99962b186113586fbd3603eac3a23c520c7ef73a69cf" + "MD5": "c6830e904e56ea951005ea7639eedd35", + "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", + "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2017 CPUID", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "RtlAnsiStringToUnicodeString", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", - "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", - "HalGetBusDataByOffset", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root 
CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "cpuz.sys", - "MD5": "8ad9dfc971df71cd43788ade6acf8e7d", - "SHA1": "7241b25c3a3ee9f36b52de3db2fc27db7065af37", - "SHA256": "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c", + "Filename": "NTIOLib.sys", + "MD5": "300c5b1795c9b6cc1bc4d7d55c7bbe85", + "SHA1": "65d8a7c2e867b22d1c14592b020c548dd0665646", + "SHA256": "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "fa889613bb0522d6e546e8cbd011105a", - "SHA1": "62ee17440edaf819966eb823a26dfd46c24447b4", - "SHA256": "991228f3ea6c1ae8083aa405d1d066e48cd6dbd7d6bc01c81599b2c28f3923f1" + "MD5": "6b5dd12cfdee0cf8a654eacc65028c36", + "SHA1": "081d87fdb40a348b85382c63ea029281f213b778", + "SHA256": "d82a938dc7b0077a06d940bd3ce6097e3b02cdc254ec6fd863c0e526f2af69fa" }, - "Description": "CPUID Driver", - "Company": "CPUID", - "InternalName": "cpuz.sys", - "OriginalFilename": "cpuz.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "Copyright": "Copyright(C) 2015 CPUID", 
- "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAnsiStringToUnicodeString", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeEvent", - "RtlInitAnsiString", "MmUnmapIoSpace", - "IoCancelIrp", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ExFreePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "KeWaitForSingleObject", - "PsGetVersion", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoDeleteDevice", "IoCreateDevice", - "IofCallDriver", "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "ExAllocatePoolWithTag", - "RtlUnwindEx", + "__C_specific_handler", "HalSetBusDataByOffset", - "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", - "ValidFrom": "2014-12-02 00:00:00", - "ValidTo": "2018-03-02 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2d8021d84f098e7abde199f818e211a4", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - 
"cpuz.sys" - ] - }, - { - "Id": "5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create PanIO.sys binPath=C:\\windows\\temp\\PanIO.sys type=kernel && sc.exe start PanIO.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "PanIO.sys", - "MD5": "9a9dbf5107848c254381be67a4c1b1dd", - "SHA1": "291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb", - "SHA256": "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960", + "Filename": "NTIOLib.sys", + "MD5": "3dbf69f935ea48571ea6b0f5a2878896", + "SHA1": "c8d87f3cd34c572870e63a696cf771580e6ea81b", + "SHA256": "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1", "Signature": [ - "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "MICRO-STAR INTERNATIONAL CO., LTD.", "GlobalSign CodeSigning CA - G2", - "GlobalSign" + "GlobalSign Root CA - R1" ], "Date": "", "Publisher": "", - "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. 
Sti.", - "Description": "Temperature and system information driver", - "Product": "PanIO Library", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", "ProductVersion": "1.0.0.0", "FileVersion": "1.0.0.0", - "MachineType": "I386", - "OriginalFilename": "PanIO.sys", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "5af91c612918020b1dbc829a040d1c88", - "SHA1": "b65163db28ef590620b8966f14ec78fe7788ac6c", - "SHA256": "f246b9d22b3ffe15f2e97f306d049020f38ed162150c97d7a72e3ae0b22c79ad" + "MD5": "c80d819869c1718a58dfada2167e842c", + "SHA1": "0d6b74ac325c816bfdc20aa4a0fc0eb2cd45f4e6", + "SHA256": "f8ffb8a23be71c26f784905110b7e752473be55216300d08a83c40c1496fb6c1" }, - "InternalName": "PanIO.sys", - "Copyright": "Copyright (c) 2012-2014 Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "KeTickCount", - "MmMapIoSpace", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", "MmUnmapIoSpace", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoCreateDevice", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", - "RtlUnwind", + "IoCreateDevice", "KeBugCheckEx", - "HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset" + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
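Review bot: The new side writes `"CertificatesInfo": ""` for every NTIOLib sample in this hunk (and the same change appears in the hunk that ends just before it), where the old entries had `"CertificatesInfo": []`, so the field changes type from array to string within the same document. If pkg/loldrivers decodes this file into a Go struct with a slice-typed field there, encoding/json will return an UnmarshalTypeError for the string and the loader may end up with no hashes to match at all, which is the fail-open case a scanner built on this list needs to guard against; if the field is untyped or ignored, the inconsistency is only cosmetic, but a missing value should still be `[]` (or the key omitted) rather than `""`. Worth confirming against the struct tag and adding a decode-time check that the resulting sample list is non-empty. The sample key also changed from `FileName` to `Filename`; Go's encoding/json matches names case-insensitively so that is harmless for a Go consumer, but any other reader of this file should be checked.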
@@ -30769,10 +16129,17 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
- "ValidFrom": "2011-04-13 10:00:00",
- "ValidTo": "2028-01-28 12:00:00",
- "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
+ "ValidFrom": "2012-05-01 00:00:00",
+ "ValidTo": "2012-12-31 23:59:59",
+ "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
+ "ValidFrom": "2003-12-04 00:00:00",
+ "ValidTo": "2013-12-03 23:59:59",
+ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
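Review bot: The certificate DN strings added here ("C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", "O=GlobalSign nv,sa") have hyphens rendered as " , " or ",", while the per-sample `Signature` arrays elsewhere in this diff spell the same parties "GlobalSign CodeSigning CA - G2" and "MICRO-STAR INTERNATIONAL CO., LTD." against `Subject`/`Issuer` values of "CodeSigning CA , G2" and "MICRO,STAR". Any consumer that matches a sample's `Signature` list against `Certificates[].Subject`, or compares these DNs with what a real certificate parser returns, will miss on the mangled form. This looks inherited from the upstream export rather than introduced by this commit, but the embedded copy carries it, so wherever this file is loaded it is worth a comment such as `// Subject/Issuer strings are not RFC 4514 DNs: hyphens arrive as commas; match on hashes or SerialNumber, not on these strings`. The same pattern appears in the hunks at @@ -30783, @@ -30806, @@ -31134, @@ -31366 and @@ -31387.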
@@ -30783,20 +16150,13 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1",
- "ValidFrom": "2013-08-23 00:00:00",
- "ValidTo": "2024-09-23 00:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.",
- "ValidFrom": "2014-04-15 15:12:40",
- "ValidTo": "2015-04-15 10:41:35",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
+ "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.",
+ "ValidFrom": "2011-08-30 06:46:09",
+ "ValidTo": "2014-08-30 06:46:09",
+ "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
 "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
 "ValidFrom": "2006-05-23 17:00:51",
 "ValidTo": "2016-05-23 17:10:51",
@@ -30806,327 +16166,57 @@ ], "Signer": [ { - "SerialNumber": "1121506480253469e07e54ee8612041fbb92", + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "PanIO.sys" - ] - }, - { - "Id": "2da3a276-9e38-4ee6-903d-d15f7c355e7c", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create vboxdrv.sys binPath=C:\\windows\\temp\\vboxdrv.sys type=kernel && sc.exe start vboxdrv.sys", - "Description": "Used by unknown actor in Acid Rain malware. vboxdrv.sys is a vulnerable driver.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://unit42.paloaltonetworks.com/acidbox-rare-malware/", - "https://www.coresecurity.com/core-labs/advisories/virtualbox-privilege-escalation-vulnerability", - "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "vboxdrv.sys", - "MD5": "bce7f34912ff59a3926216b206deb09f", - "SHA1": "696d68bdbe1d684029aaad2861c49af56694473a", - "SHA256": "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f", + "Filename": "NTIOLib.sys", + "MD5": "8d63e1a9ff4cafee1af179c0c544365c", + "SHA1": "c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60", + "SHA256": "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a", "Signature": [ - "Sun Microsystems, Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" ], "Date": "", "Publisher": "", - "Company": "Sun Microsystems, Inc.", - "Description": "VirtualBox Support Driver", - "Product": "Sun VirtualBox", - "ProductVersion": "2.2.0.r45846", 
- "FileVersion": "2.2.0.r45846", + "Company": "MSI", + "Description": "NTIOLib For MSISimple_OC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.2", + "FileVersion": "1.0.0.2", "MachineType": "AMD64", - "OriginalFilename": "VBoxDrv.sys", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "368a4f14c62575191a0f1f3464513964", - "SHA1": "3ce88266cfc41e8980d4c185235fd55999f5a67a", - "SHA256": "a5a2fe8ab935cf47f21e0c5e0de11a98271054109827dc930293b947d3b05079" + "MD5": "7e9154ee514d494701eb8559524f8e2e", + "SHA1": "95c5f63e97d18e1ccc449a79ec952a5f6e76b9eb", + "SHA256": "543ee203b355c4cbac74d9bac71fb73c0c5c5c3afe268e2ae8ae48d61d350709" }, - "InternalName": "VBoxDrv.sys", - "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2011-2012 MSI. All rights reserved.", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "AssertMsg1", - "AssertMsg2", - "RTAssertShouldPanic", - "RTErrConvertFromNtStatus", - "RTLogCloneRC", - "RTLogComPrintf", - "RTLogComPrintfV", - "RTLogCopyGroupsAndFlags", - "RTLogCreate", - "RTLogCreateEx", - "RTLogCreateExV", - "RTLogDefaultInit", - "RTLogDefaultInstance", - "RTLogDestroy", - "RTLogFlags", - "RTLogFlush", - "RTLogFlushRC", - "RTLogFlushToLogger", - "RTLogFormatV", - "RTLogGetDefaultInstance", - "RTLogGroupSettings", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogLoggerV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogRelLoggerV", - "RTLogRelPrintfV", - "RTLogRelSetDefaultInstance", - "RTLogSetDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTLogWriteCom", - "RTLogWriteDebugger", - "RTLogWriteStdErr", - "RTLogWriteStdOut", - "RTLogWriteUser", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemDup", - "RTMemDupEx", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - 
"RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpIsCpuPossible", - "RTMpIsCpuWorkPending", - "RTMpNotificationDeregister", - "RTMpNotificationRegister", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTPowerNotificationDeregister", - "RTPowerNotificationRegister", - "RTPowerSignalEvent", - "RTProcSelf", - "RTR0Init", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", - "RTR0MemObjMapKernelEx", - "RTR0MemObjMapUser", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - "RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTR0Term", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTStrFormat", - "RTStrFormatNumber", - "RTStrFormatTypeDeregister", - "RTStrFormatTypeRegister", - "RTStrFormatTypeSetUser", - "RTStrFormatV", - "RTStrPrintf", - "RTStrPrintfEx", - "RTStrPrintfExV", - "RTStrPrintfV", - "RTStrToInt16", - "RTStrToInt16Ex", - "RTStrToInt16Full", - "RTStrToInt32", - "RTStrToInt32Ex", - "RTStrToInt32Full", - "RTStrToInt64", - "RTStrToInt64Ex", - "RTStrToInt64Full", - "RTStrToInt8", - "RTStrToInt8Ex", - "RTStrToInt8Full", - "RTStrToUInt16", - 
"RTStrToUInt16Ex", - "RTStrToUInt16Full", - "RTStrToUInt32", - "RTStrToUInt32Ex", - "RTStrToUInt32Full", - "RTStrToUInt64", - "RTStrToUInt64Ex", - "RTStrToUInt64Full", - "RTStrToUInt8", - "RTStrToUInt8Ex", - "RTStrToUInt8Full", - "RTThreadNativeSelf", - "RTThreadPreemptDisable", - "RTThreadPreemptIsEnabled", - "RTThreadPreemptRestore", - "RTThreadSleep", - "RTThreadYield", - "RTTimeMilliTS", - "RTTimeNanoTS", - "RTTimeNow", - "RTTimeSystemMilliTS", - "RTTimeSystemNanoTS", - "RTTimerCreateEx", - "RTTimerDestroy", - "RTTimerGetSystemGranularity", - "RTTimerReleaseSystemGranularity", - "RTTimerRequestSystemGranularity", - "RTTimerStart", - "RTTimerStop", - "SUPR0ComponentDeregisterFactory", - "SUPR0ComponentQueryFactory", - "SUPR0ComponentRegisterFactory", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0EnableVTx", - "SUPR0GetPagingMode", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjAddRefEx", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAlloc", - "SUPR0PageAllocEx", - "SUPR0PageFree", - "SUPR0PageMapKernel", - "SUPR0UnlockMem", - "g_szRTAssertMsg1", - "g_szRTAssertMsg2" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", - "ObfDereferenceObject", - "ExUnregisterCallback", - "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "ExRegisterCallback", - "ExCreateCallback", "IoCreateSymbolicLink", - "IoCreateDevice", - "IoGetStackLimits", - "memchr", - "strncmp", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeWaitForSingleObject", - "KeResetEvent", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeDelayExecutionThread", - "ZwYieldExecution", - 
"ExFreePoolWithTag", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", - "ExAllocatePoolWithTag", - "KeQueryActiveProcessors", - "strchr", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "KeSetTimerEx", - "KeRemoveQueueDpc", - "KeCancelTimer", - "KeInitializeTimerEx", - "KeQueryTimeIncrement", - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "MmUnmapIoSpace", - "MmUnlockPages", - "IoFreeMdl", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmUnmapLockedPages", - "MmProtectMdlSystemAddress", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocatePagesForMdl", + "IoDeleteSymbolicLink", "__C_specific_handler", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
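Review bot: `"ExportedFunctions": ""` on the new NTIOLib.sys sample is a string, while the removed vboxdrv.sys sample in the same hunk carried an array of export names, so this field does not have one type across the data set; a typed consumer (a struct with a list-typed field, for instance) will reject the whole file on the first string-valued instance, and `[]` for "no exports" would be the safer shape. The hunk also drops complete records — the close of the PanIO.sys entry and the whole vboxdrv.sys entry (Id 2da3a276-9e38-4ee6-903d-d15f7c355e7c, with its AcidBox and Core Security references) — which is expected if the upstream export only reordered, but from this hunk alone I cannot tell whether they reappear later in the diff; please confirm they are still present, since a silent drop shrinks whatever detection coverage is built from this list. The hunk at @@ -31134 adds the same `"ExportedFunctions": ""` shape.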
@@ -31134,231 +16224,94 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", - "ValidFrom": "2008-06-11 00:00:00", - "ValidTo": "2011-06-11 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "Filename": "vboxdrv.sys", - "MD5": "eaea9ccb40c82af8f3867cd0f4dd5e9d", - "SHA1": "7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c", - "SHA256": "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986", + "Filename": "NTIOLib.sys", + "MD5": "e9a30edef1105b8a64218f892b2e56ed", + "SHA1": 
"d34a7c497c603f3f7fcad546dc4097c2da17c430", + "SHA256": "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa", "Signature": [ - "innotek GmbH", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", "GlobalSign Root CA - R1" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "d146876f270e848875465ed081396d3b", - "SHA1": "c54fe31ff5c3cfe1937b7b0906882a1786f453b6", - "SHA256": "597e7d5feb149d9087888926d1454dc06f1078ab18c948b44f090910da8645f8" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "AssertMsg1", - "RTAssertDoBreakpoint", - "RTErrConvertFromNtStatus", - "RTLogDefaultInstance", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpDoesCpuExist", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTProcSelf", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", - "RTR0MemObjMapUser", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - 
"RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTThreadNativeSelf", - "RTThreadSleep", - "RTThreadYield", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0GipMap", - "SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAlloc", - "SUPR0PageFree", - "SUPR0UnlockMem" + "Company": "MSI", + "Description": "NTIOLib for MSICPU_CC", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", + "Authentihash": { + "MD5": "01a9049b40b0e848649dd1e0d224e63e", + "SHA1": "9030ba396131afec733fc208ef55a4d37b6ffc07", + "SHA256": "826e80ea5f657c75127c066b86caea8089f33b09b12c3d393fca8efedd40c1ef" + }, + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "KeCancelTimer", - "KeInsertQueueDpc", - "__C_specific_handler", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "KeSetTimerEx", - "ExSetTimerResolution", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", - "KeInitializeTimerEx", - "MmGetPhysicalAddress", - "KeQueryActiveProcessors", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "IoCreateSymbolicLink", "IoCreateDevice", - "memchr", - "strncmp", - "PsGetCurrentProcessId", - "IoGetCurrentProcess", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeInitializeEvent", - "KeSetEvent", - "KeResetEvent", - "KeWaitForSingleObject", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "MmUnmapIoSpace", - "MmUnlockPages", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmProtectMdlSystemAddress", - "MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace" + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -31366,17 +16319,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=DE, O=innotek GmbH, CN=innotek GmbH, emailAddress=info@innotek.de",
- "ValidFrom": "2007-12-27 14:37:17",
- "ValidTo": "2010-12-27 14:37:17",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
- "ValidFrom": "2007-06-15 00:00:00",
- "ValidTo": "2012-06-14 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
+ "ValidFrom": "2012-05-01 00:00:00",
+ "ValidTo": "2012-12-31 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -31387,17 +16333,17 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA",
- "ValidFrom": "1999-01-28 12:00:00",
- "ValidTo": "2014-01-27 11:00:00",
- "Signature": "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",
+ "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
+ "ValidFrom": "2011-04-13 10:00:00",
+ "ValidTo": "2019-04-13 10:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA",
- "ValidFrom": "2004-01-22 09:00:00",
- "ValidTo": "2014-01-27 10:00:00",
- "Signature": "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",
+ "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.",
+ "ValidFrom": "2011-08-30 06:46:09",
+ "ValidTo": "2014-08-30 06:46:09",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -31410,430 +16356,624 @@ ], "Signer": [ { - "SerialNumber": "010000000001171c092665", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "vboxdrv.sys" - ] - }, - { - "Id": "0567c6c4-282f-406f-9369-7f876b899c25", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create procexp.sys binPath=C:\\windows\\temp\\procexp.Sys type=kernel && sc.exe start procexp.Sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "procexp.Sys", - "MD5": "e6cb1728c50bd020e531d19a14904e1c", - "SHA1": "2dd916cb8a9973b5890829361c1f9c0d532ba5d6", - "SHA256": "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85", + "Filename": "NTIOLib.sys", + "MD5": "361a598d8bb92c13b18abb7cac850b01", + "SHA1": "1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b", + "SHA256": "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "fe54aac5dfae8729c48361d2ea4f7271", - "SHA1": "2a4e81a1d23e3b7d9c14b6fbc393ecfad5f34133", - "SHA256": "c5732937c3ab5e0fd244cc1b820eaa1fb7d97110c213cd6b9dadebafe3ea853d" + "MD5": "94faebdbb74a0b99a8a17430671cdf9e", + "SHA1": 
"aca4c47b4823b5653cb42e599ee6168f435bdcc7", + "SHA256": "21a6689456d9833453d5247e4c5faf13edcd4835408e033c40ae1a225711ae8f" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "16.32", - "Product": "Process Explorer", - "ProductVersion": "16.32", - "Copyright": "Copyright (C) Mark Russinovich 1996-2020", - "MachineType": "AMD64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "MmUnmapIoSpace", + "MmMapIoSpace", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - 
"IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-03-04 19:12:18", - "ValidTo": "2021-03-03 19:12:18", - "Signature": "36f61260ed044bf89549c232aa8ee2004a952d0e542dc7388d42439d56f055eae824b2cf5be28cfae13b7c6064dc82e4ad88ddd542db32adc513e2b2b4c2a8e842cef37844682e569326e401f11243c4a2ad8b3b164909afdc57a9ee36d6b3e2a29785a8c1e60368581989af87b0d0e614102a64d39a621887b25fc02b846c65e0f2bfcd5385942c77aafae5cb3d7a89ea7fd71b65d6e33506286ac35ff7c3d1600eb51989271921b449a20ba70f383eb24c015a621af60f0593cc7cecaca55697f3a41c550aefa048fff0999175778613a8f902166e58bd46cb10e6c7a4e605073a7615d414476ee5cf4c51662cba47e7dc85324fd8fd13cbbcbe47a7287e29", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": 
"5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000009484c47568579aafe9000000000094", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "fea9319d67177ed6f36438d2bd9392fb", - "SHA1": "db6170ee2ee0a3292deceb2fc88ef26d938ebf2d", - "SHA256": "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1", + "Filename": "NTIOLib.sys", + "MD5": "7b43dfd84de5e81162ebcfafb764b769", + "SHA1": "0b8b83f245d94107cb802a285e6529161d9a834d", + "SHA256": "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d", + "Signature": [ + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "fbc316e1e634e967c5413a200cde7ad6", - "SHA1": "a1dd17b946ade947b621e9fec4fe7ad0835f0ac9", - "SHA256": "4533a11f4f190354b749f2842b57233e5e9e8b37fa4031bcb976118cff902101" + "MD5": "85dcbf05c91ceacc919a1638dd3c8f9f", + "SHA1": "3d947aff431bb8ec02d9be3b4499312a62d4fec9", + "SHA256": "5c22b7f65de948fdb74ffc3b5bae68f109bf7404a154ddbfa25dfd53e1bde667" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "16.42", - "Product": 
"Process Explorer", - "ProductVersion": "16.42", - "Copyright": "Copyright (C) Mark Russinovich 1996-2021", - "MachineType": "ARM64", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", "Imports": [ - "HAL.dll", - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KfRaiseIrql", - "KfLowerIrql", - "strncpy", - "RtlInitUnicodeString", - "MmGetSystemRoutineAddress", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "PsGetVersion", + "MmUnmapIoSpace", + "MmMapIoSpace", "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", "IoCreateSymbolicLink", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObCloseHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObOpenObjectByName", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:30", - "ValidTo": "2021-12-02 22:15:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services 
Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + 
"Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "eeb8e039f6d942538eb4b0252117899a", - "SHA1": "bebf97411946749b9050989d9c40352dbe8269ea", - "SHA256": "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e", + "Filename": "NTIOLib.sys", + "MD5": "f66b96aa7ae430b56289409241645099", + "SHA1": "c969f1f73922fd95db1992a5b552fbc488366a40", + "SHA256": "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03", + "Signature": [ + "Micro-Star Int'l Co. 
Ltd.", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "750ecd21c673a6fda9199887013d3751", - "SHA1": "82d3299c06b944895385fd2f3d9d18391273019d", - "SHA256": "8e38148ad4ed9946e8600b37f63996bf17c0101e3f50123b3b8513c895a4b521" + "MD5": "b9951498dd00ac42a36a6f5d59ebe98d", + "SHA1": "0c429ee64668374fdf6d187071d4f0a932992a5f", + "SHA256": "2e5648f892460e2a2a450519b523007ca6973a3679a59c07582aa5bdbd6584d4" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "12.00", - "Product": "Process Explorer", - "ProductVersion": "12.00", - "Copyright": "Copyright (C) M. Russinovich 1996-2010", - "MachineType": "I386", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObQueryNameString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ZwQueryObject", - "KeDetachProcess", - "ObReferenceObjectByHandle", - "KeAttachProcess", - "ObfDereferenceObject", - "PsLookupProcessByProcessId", - "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "ZwQuerySystemInformation", - "MmIsAddressValid", - "memset", - "ObOpenObjectByPointer", - "RtlUnicodeStringToAnsiString", - "NtClose", - "ZwOpenProcessToken", - "memcpy", + "MmUnmapIoSpace", + "MmMapIoSpace", "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", "IoCreateDevice", - "NtBuildNumber", - "KeTickCount", "KeBugCheckEx", - "strncpy", - "ZwQueryInformationProcess", - "RtlFreeAnsiString", - "RtlUnwind", - "KfLowerIrql", - "KfRaiseIrql" + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2010-03-04 00:00:00", - "ValidTo": "2013-04-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": 
"a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] + } + ], + "Tags": [ + "NTIOLib.sys" + ], + "yara": true + }, + { + "Id": "8750b245-af35-4bc6-9af3-dc858f9db64f", + "Author": "Michael Haag", + "Created": "2023-04-05", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create blacklotus_driver.sys binPath=C:\\windows\\temp\\blacklotus_driver.sys type=kernel && sc.exe start blacklotus_driver.sys", + "Description": "The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality. Once the persistence is configured, the BlackLotus bootkit is executed on every system start. 
The bootkits goal is to deploy a kernel driver and a final user-mode component.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/" + ], + "Acknowledgement": { + "Person": "Martin Smolár, ESET", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "0x3440_blacklotus_v2_driver.sys", + "MD5": "4ad8fd9e83d7200bd7f8d0d4a9abfb11", + "SHA1": "17fa047c1f979b180644906fe9265f21af5b0509", + "SHA256": "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "f5742f4fb216979627236a799f614c43", + "SHA1": "5aba7fa2330d68a679c18cfa2c652ac8b3b4770d", + "SHA256": "83ac9bf01c2d2ab0f66782fade462864f42b86e53dc455e1441c2a16d0ec2847" + }, + "InternalName": "", + "Copyright": "", + "Imports": [], + "ExportedFunctions": [ + "restore" + ], + "ImportedFunctions": "", + "Signatures": {} }, { - "FileName": "procexp.Sys", - "MD5": "c56a9ed0192c5a2b39691e54f2132a2f", - "SHA1": "9099482b26e9ba8e1d303418afc9111a3bffd6b3", - "SHA256": "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb", + "Filename": "0x3040_blacklotus_beta_driver.sys", + "MD5": "a42249a046182aaaf3a7a7db98bfa69d", + "SHA1": "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b", + "SHA256": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "eb6ceb9aa0eaedee2d112b167908e871", - "SHA1": "4d68ec346d13359525da958af0fada57bc9ff35a", - "SHA256": 
"7a4e4ee169fe0f1f079e5f5c1da38ea70fe717e728faf054deb180f9e37fe574" + "MD5": "188d812252f224a8ea618f8e9f1fdadb", + "SHA1": "ede3868d6bb27bee5c0b9a71fef486e405d59816", + "SHA256": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "11.30", - "Product": "Process Explorer", - "ProductVersion": "11.30", - "Copyright": "Copyright (C) M. Russinovich 1996-2008", + "InternalName": "", + "Copyright": "", + "Imports": [], + "ExportedFunctions": [ + "restore" + ], + "ImportedFunctions": "", + "Signatures": {} + }, + { + "Filename": "0x3040_blacklotus_beta_driver.sys", + "MD5": "a42249a046182aaaf3a7a7db98bfa69d", + "SHA1": "1f3799fed3cf43254fe30dcdfdb8dc02d82e662b", + "SHA256": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "188d812252f224a8ea618f8e9f1fdadb", + "SHA1": "ede3868d6bb27bee5c0b9a71fef486e405d59816", + "SHA256": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d" + }, + "InternalName": "", + "Copyright": "", + "Imports": [], + "ExportedFunctions": [ + "restore" + ], + "ImportedFunctions": "", + "Signatures": {} + }, + { + "Filename": "blacklotus_beta_driver.sys", + "SHA1": "4B882748FAF2C6C360884C6812DD5BCBCE75EBFF", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "blacklotus_beta_driver_2.sys", + "SHA1": "91F832F46E4C38ECC9335460D46F6F71352CFFED", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + 
"Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "blacklotus_beta_driver_3.sys", + "SHA1": "994DC79255AEB662A672A1814280DE73D405617A", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "blacklotus_beta_driver_4.sys", + "SHA1": "FFF4F28287677CAABC60C8AB36786C370226588D", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "blacklotus_driver.sys" + ], + "yara": false + }, + { + "Id": "351ff5ca-f07b-4eb6-9300-d5d31514defb", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create nscm.sys binPath=C:\\windows\\temp \\n \\n \\n scm.sys type=kernel && sc.exe start nscm.sys", + "Description": "nscm.sys is a vulnerable driver. 
CVE-2013-3956.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "nscm.sys", + "MD5": "4a23e0f2c6f926a41b28d574cbc6ac30", + "SHA1": "64e4ac8b9ea2f050933b7ec76a55dd04e97773b4", + "SHA256": "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22", + "Signature": [ + "Novell, Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "Novell, Inc.", + "Description": "Novell XTier Session Manager", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "FileVersion": "3.1.11.0", "MachineType": "AMD64", + "OriginalFilename": "nscm.sys", + "Authentihash": { + "MD5": "0d1a4e506e7c928f1683a9cf38eb0835", + 
"SHA1": "50471608c91621cb84ba646974311da0abf6b3e9", + "SHA256": "0e291148da43ea6a491b8b94bdf573365087940c9b90f6a15a4e589da86a518d" + }, + "InternalName": "", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "NtBuildNumber", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", - "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "KeInitializeMutex", + "IoQueueWorkItemEx", "IoDeleteDevice", - "ObfDereferenceObject", - "ExGetPreviousMode", - "IoCreateDevice", - "MmGetSystemRoutineAddress", - "ObOpenObjectByPointer", - "ZwQueryObject", - "RtlUnicodeStringToAnsiString", - "SePrivilegeCheck", - "ZwQuerySystemInformation", - "ZwOpenProcessToken", - "SeReleaseSubjectContext", - "KeDetachProcess", - "ObQueryNameString", - "strncpy", - "ExAllocatePool", - "SeCaptureSubjectContext", - "NtClose", + "IoFreeWorkItem", + "RtlEqualUnicodeString", + "ZwOpenProcessTokenEx", + "IoAllocateWorkItem", "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "IoDeleteSymbolicLink", - "ZwDuplicateObject", - "ExFreePoolWithTag", - "RtlFreeAnsiString", - "KeAttachProcess", + "ZwOpenProcess", + "DbgPrint", + "PsGetCurrentProcessId", + "IoCreateDevice", + "ZwQueryInformationToken", + "PsSetCreateProcessNotifyRoutine", + "SeRegisterLogonSessionTerminatedRoutine", + "SeUnregisterLogonSessionTerminatedRoutine", + "ZwOpenThreadTokenEx", + "IoGetCurrentProcess", + "SeMarkLogonSessionForTerminationNotification", "KeBugCheckEx", - "__C_specific_handler" + "KeWaitForSingleObject", + "ZwQueryInformationProcess", + "KeReleaseMutex", + "NicmCreateInstance", + "NicmDeregisterClassFactory" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", 
"Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2007-03-05 00:00:00", - "ValidTo": "2010-04-19 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2010-04-03 00:00:00", + "ValidTo": "2013-04-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -31846,244 +16986,387 @@ ], "Signer": [ { - "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] + } + ], + "Tags": [ + "nscm.sys" + ], + "yara": true + }, + { + "Id": "9889da50-3908-4499-a729-187295a60a0e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create asrdrv104.sys binPath=C:\\windows\\temp\\asrdrv104.sys type=kernel && sc.exe start asrdrv104.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7.yara" }, { - "FileName": "procexp.Sys", - "MD5": "6ff59faea912903af0ba8e80e58612bc", - "SHA1": "736531c76b8d9c56e26561bf430e10ecabff0186", - "SHA256": "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "asrdrv104.sys", + "SHA1": "6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "asrdrv104.sys", + "SHA1": "e039c9dd21494dbd073b4823fc3a17fbb951ec6c", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "asrdrv104.sys", + "SHA1": "7eec3a1edf3b021883a4b5da450db63f7c0afeeb", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "asrdrv104.sys", + "SHA1": "e5021a98e55d514e2376aa573d143631e5ee1c13", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "asrdrv104.sys", + "MD5": "de1cc5c266140bff9d964fab87a29421", + "SHA1": "729a8675665c61824f22f06c7b954be4d14b52c4", + "SHA256": "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + 
"Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "I386", + "OriginalFilename": "AsrDrv.sys", "Authentihash": { - "MD5": "8b8a646469bdd1bab7b402ac83dba4a5", - "SHA1": "075998a905d4afda2e1727f6f31030c4d126dcc5", - "SHA256": "083828dd2e4afe22f5d27b56bd7f5a60e43aea7ec8f8cb0a138be84ee639a09c" + "MD5": "6b214126743cbf8efdfae0a4fb7d78eb", + "SHA1": "efc91a1317eb086196fa1a2f94fbf96258b5ec2e", + "SHA256": "5b08d996938a0ab9a3b7a65e3049482dff819028102d41f7c5924af467b0a3e4" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "AsrDrv.sys", + "Copyright": "Copyright (C) 2012 ASRock Incorporation", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "cng.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", + "memset", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemorySpecifyCache", + "IoFreeIrp", + "IoFreeMdl", + "MmUnlockPages", + "IofCallDriver", + "IoBuildAsynchronousFsdRequest", + "RtlQueryRegistryValues", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "KeTickCount", + "KeBugCheckEx", + "RtlCompareMemory", + "MmMapIoSpace", + "MmUnmapIoSpace", + "memcpy", + "MmGetSystemRoutineAddress", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - 
"KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", "ZwSetSecurityObject", + "ObOpenObjectByPointer", "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "_snwprintf", "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", "SeExports", - "wcschr", + "IoIsWdmVersionAvailable", "_wcsnicmp", - "RtlLengthSid", "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", "ZwOpenKey", "ZwCreateKey", "ZwQueryValueKey", "ZwSetValueKey", - "KeBugCheckEx" + "RtlFreeUnicodeString", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "KeStallExecutionProcessor", + "BCryptGenerateSymmetricKey", + "BCryptCloseAlgorithmProvider", + "BCryptOpenAlgorithmProvider", + "BCryptDestroyKey", + "BCryptDecrypt" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:3BD4,4B80,69C3, CN=Microsoft Time,Stamp service", - "ValidFrom": 
"2018-08-23 20:20:24", - "ValidTo": "2019-11-23 20:20:24", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-04-18 18:42:23", - "ValidTo": "2020-03-27 18:42:23", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2018-09-20 17:42:01", - "ValidTo": "2021-05-09 23:28:13", - "Signature": 
"db595516f66f18e1341f22519cd75bdebec9fe22cf0da8b0b3d16c1da9a402d786bc566b40ee0bbcf93519de693d54a7d10a23c02dbc67986c390faf808cbc4adb87290c6336e5faf85d8f8c233ef9922fb1843a48a325954aeac902617af61fee0538540f210e1e96e2d2fbd710c3d9dcdee31f05054f429bacbd15eea95a19817a77c5be146a41a7307858ced3207157603c07b83c83ca0f35f77a632f148aa6dc8e0f947a8aaf6ad8c8d7c4490526c7f4f6ad021edb776725fe7dfb894a56d92fd032d2197c0e4edb995316a84d28109a61707230317c47c98b01093a263ebe5bcc278ffd669fd49fe1f51ac913b6c3cf714b5fc34381ee4996d59981421916414f0a902e76bd3b0399e4851a6084716df77ce405fe55a53be6f3c95f067a3f46ef77f7ad48d211cac1b08ab7964cfa9e8fdd336d2a84750021c76bffdc3de28b8d81b65134c9bdf6379fedf06b028f3ec0b6f5a6bb72c6745953ef43d67808d0bf11b7fa1d0a74b18f5e3b21f2e940ade8d052a9e19e9eb3bffbe9f5e8439a09ee26abf6d3e9528a1ef984617b5c33cf0d8d6e9daac74135d14fc21e82668e5b9075d3235eb988eec5fcac9753af2e343e2a1c88a19dc94ec1f11ae245eef3a76beccb5bb13fa9f39d9b04ffd6342cbc040e29a161d212d5b6a50c10be6f6b9e681d4747ac7bd030d75c18d61ec0ad03e3cecfc668c49424c26fd4de1072", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2014-03-07 00:00:00", + "ValidTo": "2017-05-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000387a14cce6619d8c51000200000038", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", 
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "8e78ab9b9709bafb11695a0a6eddeff9", - "SHA1": "2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28", - "SHA256": "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc", + "Filename": "asrdrv104.sys", + "SHA1": "2b4d0dead4c1a7cc95543748b3565cfa802e5256", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "asrdrv104.sys", + "SHA1": "4a7d66874a0472a47087fabaa033a85d47413379", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "asrdrv104.sys" + ], + "yara": false + }, + { + "Id": "bd7e78db-6fd0-4694-ac38-dbf5480b60b9", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsIO.sys binPath=C:\\windows\\temp\\AsIO.sys type=kernel && sc.exe start AsIO.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "AsIO.sys", + "MD5": "1dc94a6a82697c62a04e461d7a94d0b0", + "SHA1": "b97a8d506be2e7eaa4385f70c009b22adbd071ba", + "SHA256": "2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 
3 Public Primary CA" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "acacde5c8a3a37b4fa43d9b651df85ea", - "SHA1": "f14e20cea5fac19bca02f5b067d12a459a393467", - "SHA256": "c286dfac5ca413efeb1936e876688b6bd46d25dc64206f86efb4f52ad83d1889" + "MD5": "9fd03554246c6c74c232919c680d7be8", + "SHA1": "b25550309c902a21b03367ae27694c5a29b891b5", + "SHA256": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) M. Russinovich 1996-2011", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ObOpenObjectByPointer", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "__C_specific_handler", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "ObQueryNameString", - "ExFreePoolWithTag", - "strlen", - "strncpy", - "wcslen", - "ExAllocatePoolWithTag", - "ZwQueryObject", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "ObCloseHandle", - "IoFileObjectType", - "ZwQuerySystemInformation", - "MmIsAddressValid", - "PsThreadType", - "ZwQueryInformationProcess", - "PsProcessType", - "KeWaitForSingleObject", - "ZwOpenProcessToken", - "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", + "ZwOpenSection", + "RtlInitUnicodeString", "IoDeleteDevice", "IoDeleteSymbolicLink", - 
"RtlInitUnicodeString", - "ObOpenObjectByName", + "ZwClose", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", - "MmGetSystemRoutineAddress", - "NtBuildNumber", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2010-03-04 00:00:00", - "ValidTo": "2013-04-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -32099,11 +17382,18 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] 
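Review bot: `CertificatesInfo` changes type from an array (`- "CertificatesInfo": [],`) to a string (`+ "CertificatesInfo": "",`) in the `Signatures` objects of this hunk, and the same swap appears in the `@@ -32111`, `@@ -32224` and `@@ -32358` hunks; a key should keep one type across the whole file, and whatever Go type unmarshals drivers.json (not visible here) has to agree with the new string form or decoding will fail for every record that carries it. The new asrdrv104.sys record lists the same URL twice under `Resources`, the first copy with a leading space (` https://learn.microsoft.com/...`), which reads as a generator artefact rather than two references and should be collapsed to one trimmed entry. Four of its `KnownVulnerableSamples` entries carry only `SHA1` with no `MD5`/`SHA256` and `"Signature": []`; if the consumer matches loaded drivers on SHA256 or MD5 (not verifiable from this hunk), those samples can never match, so either the hashes should be completed or the matcher checked to fall back to SHA1. The AsIO.sys record is `"Verified": "TRUE"` yet ships `"Detection": []`, while the unverified asrdrv104.sys record links five detections, so a consumer that prioritises verified entries gets no detection pointer for the one that matters most.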
@@ -32111,111 +17401,78 @@ ] }, { - "FileName": "procexp.Sys", - "MD5": "a91a1bc393971a662a3210dac8c17dfd", - "SHA1": "e4fcb363cfe9de0e32096fa5be94a41577a89bb0", - "SHA256": "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa", + "Filename": "AsIO.sys", + "MD5": "798de15f187c1f013095bbbeb6fb6197", + "SHA1": "92f251358b3fe86fd5e7aa9b17330afa0d64a705", + "SHA256": "436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "455eb57840b64c8fe0d942ea5da23c6b", - "SHA1": "aa8756d00691d3d8959b68c3626ba896cc2709fb", - "SHA256": "1a902521c5f82ad9acac815229a00e6ed9137b8d49106b64147b088ff89d0f01" + "MD5": "7bb2dcc29ba50372d08fea800c190f09", + "SHA1": "e5c090903a20744ba3583a8ea684d035e8cecc34", + "SHA256": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "11.40", - "Product": "Process Explorer", - "ProductVersion": "11.40", - "Copyright": "Copyright (C) M. 
Russinovich 1996-2010", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObQueryNameString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ZwQueryObject", - "KeDetachProcess", "ObReferenceObjectByHandle", - "KeAttachProcess", - "ObfDereferenceObject", - "PsLookupProcessByProcessId", + "ZwOpenSection", + "RtlInitUnicodeString", "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "ZwQuerySystemInformation", - "MmIsAddressValid", - "memset", - "ObOpenObjectByPointer", - "RtlUnicodeStringToAnsiString", - "NtClose", - "ZwOpenProcessToken", - "memcpy", - "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", "IoDeleteDevice", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", + "ZwMapViewOfSection", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", - "MmGetSystemRoutineAddress", - "NtBuildNumber", - "KeTickCount", - "KeBugCheckEx", - "strncpy", - "ZwQueryInformationProcess", - "RtlFreeAnsiString", - "RtlUnwind", - "ZwSetSecurityObject", - "IoDeviceObjectType", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KfLowerIrql", - "KfRaiseIrql" + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", 
"Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2007-03-05 00:00:00", - "ValidTo": "2010-04-19 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -32224,113 +17481,97 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "e4a0bba88605d4c07b58a2cc3fac0fe9", - "SHA1": "ac31d15851c0af14d60cfce23f00c4b7887d3cb7", - 
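Review bot: Several new certificate `Subject` values in this hunk look mangled, e.g. `"CN=Symantec Time Stamping Services Signer , G3"` and `"CN=VeriSign Class 3 Public Primary Certification Authority , G5"`, where ` , ` stands where the real distinguished name carries a hyphen. The `@@ -31846` hunk shows the same substitution from the other side: the AsIO.sys sample's `Signature` list spells the issuer `VeriSign Class 3 Code Signing 2009-2 CA` while its `Issuer` field spells it `2009,2 CA`, which points to hyphens being replaced during extraction rather than two genuinely different strings. If these `Subject`/`Issuer` values are ever compared with DNs read from a live driver's Authenticode chain they will not compare equal, so the certificate fields should be regenerated with the separator preserved, or the substitution documented so consumers normalise before matching. The same pattern is present in every hunk of this chunk, and the `Certificates` array of this record continues past the end of the hunk.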
"SHA256": "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7", + "Filename": "AsIO.sys", + "MD5": "1392b92179b07b672720763d9b1028a5", + "SHA1": "8b6aa5b2bff44766ef7afbe095966a71bc4183fa", + "SHA256": "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "24263d0e152884eb7d180070164830c8", - "SHA1": "929c28f99d550278415c7087b71511e44439a41c", - "SHA256": "b4f9272894f926d4f3b957fca673140a3a24dc896f1a49badaa1e04687b223cd" + "MD5": "1e97ead4c5049f8fefe2b72edd5fa90e", + "SHA1": "2a95f882dd9bafcc57f144a2708a7ec67dd7844c", + "SHA256": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) M. 
Russinovich 1996-2011", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ObOpenObjectByPointer", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "__C_specific_handler", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "ObQueryNameString", - "ExFreePoolWithTag", - "strlen", - "strncpy", - "wcslen", - "ExAllocatePoolWithTag", - "ZwQueryObject", - "KeDetachProcess", - "KeAttachProcess", - "PsLookupProcessByProcessId", - "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "ZwQuerySystemInformation", - "MmIsAddressValid", - "ZwQueryInformationProcess", - "KeWaitForSingleObject", - "NtClose", - "ZwOpenProcessToken", - "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", + "ZwOpenSection", + "RtlInitUnicodeString", "IoDeleteDevice", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", + "ZwClose", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", - "MmGetSystemRoutineAddress", - "NtBuildNumber", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", 
"SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2010-03-04 00:00:00", - "ValidTo": "2013-04-18 23:59:59", - "Signature": "699b1e86265a9879a822a8a6699a8c10445951bf2b4f573e73a1d61d4cb8279a8069fc69f009280908b49182f4701c7928c3c2b6d586365f50278ef35f08b6cdf8208a12e1ac531ef354a0ccd6e3e3f2f46cb624ad8e38a40143793950d6c4da6a9aeb3420d16f7edbf1e9394464e64dd68c3a227dc7e39217e3539b630ab82a9ffed252b8a89d32c2d373e53bbfc4d7110f58a7a8fb88fdb9d918251ad2a6e1315725007597a4492ee39b513e0dde05fe421fe4ef18cf7b86f5165ae71a6fe40948f0fa39e3a9d681be276f20295d2132e53043f5db8a1ed02ebbf7f32b574e95cb607aafac1ba41c77151ade1984532df7ac190fb57e17f730a197050c0e32", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { @@ -32346,11 +17587,18 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] 
@@ -32358,98 +17606,71 @@ ] }, { - "FileName": "procexp.Sys", - "MD5": "880686bceaf66bfde3c80569eb1ebfa7", - "SHA1": "10b9ae9286837b3bf6a00771c7e81adbdea3cbfe", - "SHA256": "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5", + "Filename": "AsIO.sys", + "MD5": "fef9dd9ea587f8886ade43c1befbdafe", + "SHA1": "af6e1f2cfb230907476e8b2d676129b6d6657124", + "SHA256": "dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "5d265a745ca048fb2ee0a59cc7ffc8aa", - "SHA1": "e5d5076fca6ed125d14d9f70fff802a1fa992ac6", - "SHA256": "17bdeeb4447f0758c3720991d3ed43a405efb49fd2cdbb37f7b5feb349693acb" + "MD5": "9e7fb1f3c75f1f5e6769813c545643fc", + "SHA1": "86f07797273b7f0e0805d2add8c1a0be116eb88c", + "SHA256": "191689c53195dbe828f406b206cb167dcd4671ecdab32b80e01c885f706a6baf" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "12.00", - "Product": "Process Explorer", - "ProductVersion": "12.00", - "Copyright": "Copyright (C) M. 
Russinovich 1996-2010", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "PsLookupProcessByProcessId", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", "IoDeleteDevice", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "ZwQueryObject", - "RtlUnicodeStringToAnsiString", - "ZwQuerySystemInformation", - "ZwOpenProcessToken", - "SeReleaseSubjectContext", - "KeDetachProcess", - "ObQueryNameString", - "strncpy", - "SeCaptureSubjectContext", - "NtClose", + "IoDeleteSymbolicLink", "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "ZwDuplicateObject", - "RtlFreeAnsiString", - "KeAttachProcess", - "ZwOpenProcess", - "ZwQueryInformationProcess", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "ObOpenObjectByPointer", - "SePrivilegeCheck", - "KeBugCheckEx", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "__C_specific_handler" + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", 
"Certificates": [ { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2010-03-04 00:00:00", - "ValidTo": "2013-04-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -32465,108 +17686,246 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] + } + ], + "Tags": [ + "AsIO.sys" + ], + "yara": false + }, + { + "Id": "49920621-75d5-40fc-98b0-44f8fa486dcc", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create zam64.sys binPath=C:\\windows\\temp\\zam64.sys type=kernel && sc.exe start zam64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91.yara" }, { - "FileName": "procexp.Sys", - "MD5": "ad03f225247b58a57584b40a4d1746d3", - "SHA1": "e525f54b762c10703c975132e8fc21b6cd88d39b", - "SHA256": 
"59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "zam64.sys", + "MD5": "21e13f2cb269defeae5e1d09887d47bb", + "SHA1": "16d7ecf09fc98798a6170e4cef2745e0bee3f5c7", + "SHA256": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", + "Signature": [ + "Zemana Ltd.", + "DigiCert High Assurance Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "Zemana Ltd.", + "Description": "ZAM", + "Product": "ZAM", + "ProductVersion": "2.21.63", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "9e4c2a2e8832f10ecdd2be70eb6bc300", - "SHA1": "2b15e90dc654ce779bd460787352639768cd8baa", - "SHA256": "26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34" + "MD5": "3f2771b22553380efcee72a27dc4d96c", + "SHA1": "0d15b7de0f1129b540f48d7a3cba2c6bf5d44112", + "SHA256": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": 
"Zemana Ltd. All rights reserved.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "ZwWriteFile", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", + "IoAllocateMdl", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ObQueryNameString", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", "ExGetPreviousMode", "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", 
"IoDeleteDevice", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", "KeStackAttachProcess", "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", + "ZwOpenThread", "PsProcessType", - "PsThreadType", - "NtBuildNumber", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", "ZwOpenKey", - "ZwCreateKey", + "ZwEnumerateKey", + "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "PsLookupProcessByProcessId", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + 
"ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "ZwQuerySystemInformation", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -32584,125 +17943,196 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", - "ValidFrom": "2013-04-06 00:00:00", - "ValidTo": "2016-05-05 23:59:59", - "Signature": "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", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "zam64.sys" + ], + "yara": true + }, + { + "Id": "4f93e19c-4600-4e2e-943f-a986875fd7d2", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create ni.sys binPath=C:\\windows\\temp \\n \\n \\n i.sys type=kernel && sc.exe start ni.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "ni.sys", + "SHA256": "ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "ni.sys" + ], + "yara": false + }, + { + "Id": "2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create vmdrv.sys binPath=C:\\windows\\temp\\vmdrv.sys type=kernel && sc.exe start vmdrv.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + 
"Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921.yara" }, { - "FileName": "procexp.Sys", - "MD5": "90f8c1b76f786814d03ef4c51d4abb6d", - "SHA1": "d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6", - "SHA256": "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "vmdrv.sys", + "MD5": "6d67da13cf84f15f6797ed929dd8cf5d", + "SHA1": "1a17cc64e47d3db7085a4dc365049a2d4552dc8a", + "SHA256": "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921", "Authentihash": { - "MD5": "028b8d642c1c76b18b74f3e0f76b3522", - "SHA1": "1aa871802d7278272172d9d7faabf8c8292996a3", - "SHA256": "76adb3fa346058e95ba3fd549fd48a15adaf4920a3109391f52053ebf39e62cc" + "MD5": "9ee5190f4bd124445626451cc09d49ce", + "SHA1": "b73a1aae1e15b9a7e2cc0d486449e132671aebec", + "SHA256": "fabe94809d90ade89dad012b22243e3fb755a131800140f8f8b30c989c371301" }, - "Description": "Process Explorer", - 
"Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) M. Russinovich 1996-2011", + "Description": "Voicemod Virtual Audio Device (WDM)", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "vmdrv.sys", + "OriginalFilename": "vmdrv.sys", + "FileVersion": "10.0.10011.16384", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "10.0.10011.16384", + "Copyright": "Copyright (C) Voicemod S.L.2010-2020", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "portcls.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ObOpenObjectByPointer", - "ObReferenceObjectByHandle", - "__C_specific_handler", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "ObQueryNameString", - "ExFreePoolWithTag", - "strlen", - "strncpy", - "wcslen", - "ExAllocatePoolWithTag", - "ZwQueryObject", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "ObCloseHandle", - "IoFileObjectType", - "ZwQuerySystemInformation", - "MmIsAddressValid", - "PsThreadType", - "ZwQueryInformationProcess", - "PsProcessType", - "KeWaitForSingleObject", - "ZwOpenProcessToken", + "RtlInitUnicodeString", + "KeClearEvent", + "KeSetEvent", + "ExFreePool", "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ObOpenObjectByName", - "IoCreateSymbolicLink", - "MmGetSystemRoutineAddress", - "NtBuildNumber", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - 
"RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ExEventObjectType", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExSystemTimeToLocalTime", + "_purecall", + "KeInitializeDpc", + "KeFlushQueuedDpcs", + "KeInitializeMutex", + "KeReleaseMutex", + "KeInitializeTimerEx", + "KeCancelTimer", + "KeSetTimerEx", + "KeWaitForSingleObject", + "KeInitializeSpinLock", + "IoAllocateWorkItem", + "IoFreeWorkItem", + "IoQueueWorkItem", + "RtlIsNtDdiVersionAvailable", + "PcInitializeAdapterDriver", + "PcDispatchIrp", + "PcAddAdapterDevice", + "PcRegisterAdapterPowerManagement", + "PcNewServiceGroup", + "PcRegisterSubdevice", + "PcRegisterPhysicalConnection", + "PcNewPort" ], "Signatures": [ { 
@@ -32710,123 +18140,197 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", - "ValidFrom": "2013-04-06 00:00:00", - "ValidTo": "2016-05-05 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
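Review bot: The sample records in this hunk use two spellings of the same key — `"FileName": "vmdrv.sys"` in the vmdrv.sys entry here, while the AsIO.sys, zam64.sys and ni.sys entries in the preceding hunks were changed to `"Filename"` — and the same drift affects the vmdrv.sys and eneio64.sys records in the `@@ -32710` hunk. The new entries also change value types between records: `"Commands"` is an object for zam64.sys but a plain string for vmdrv.sys and eneio64.sys (with `"Description": []` and `"Person": []` where sibling entries use `""`), and `"CertificatesInfo"` is `""` in some records and `[]` in others. If the Go loader in this package decodes into typed structs, a string-where-object or array-where-string mismatch is a decode error that can abort loading the whole list, and a lenient decoder would silently leave `Filename` empty for the `FileName` records, so name-based matching would miss those drivers. I would normalise the keys in the shipped data (`"Filename": "vmdrv.sys",`) or, better, validate the file at load time and fail loudly on unknown keys and type mismatches rather than relying on the upstream export being consistent. The ni.sys sample additionally carries only a SHA256 and a garbled `binPath` string, so consumers that index by MD5/SHA1 must tolerate missing hash fields.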
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=ES, ??=Private Organization, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", + "ValidFrom": "2019-12-13 00:00:00", + "ValidTo": "2020-12-17 12:00:00", + "Signature": "3d61f91d3417ea68406f8f16faa42f704866212beb1e47ede42931cefc8e5a240a6320d9cdc2eb1911c5a72db5514cdfa4a40e554c2874d9da134ef850077c6859f540b5d89f3e2168a0ad1b26ffa730588d98ec52b386174b06e96f6254c86315cb6c982c1f6c3748ec1f28b779cfee301ab12ce5fc1b817b018637dd93ac6419957f3d3dd4e362b8f34b41664444e4743c12309e9c14996430719db60684117206890b140b5e87f708838b3b53b5395a1e1a562840c2939c64e2e5f50c40d148830fdeb425077e74fbabfde856bf8ccb0036fbec5d49e58056200cdb24eba2382fc9a1b60ba342759097634855dfd66520763cf7c04c2b85abebd5b5057052", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + 
"SerialNumber": "02c5372170daa825b5e24b614268c5b5", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "f9d04e99e4cab90973226a4555bc6d57", - "SHA1": "96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11", - "SHA256": "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7", + "FileName": "vmdrv.sys", + "MD5": "0e625b7a7c3f75524e307b160f8db337", + "SHA1": "5088c71a740ef7c4156dcaa31e543052fe226e1c", + "SHA256": "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3", "Authentihash": { - "MD5": "8e66ec7a60a2b67386516a2e9a236d6b", - "SHA1": "07dfb6fe9b3876c0e1b1cda010cb3cc24ff2ce25", - "SHA256": "6b3316496ab1e2d1ef02be966d9caa171674856e8fb8ea78d6a3bcfe8e2013c1" + "MD5": "b402effbea875040846c88d9b8b08b36", + "SHA1": "08e1ee43f0e00155730448f017a4616efa2afdf0", + "SHA256": "57ae8d2d962cdde554831415725583fcf4ae5fc844c19983a7c37e31b12109a3" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", + "Description": "Voicemod Virtual Audio Device (WDM)", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "vmdrv.sys", + "OriginalFilename": "vmdrv.sys", + "FileVersion": "10.0.10011.16384", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "10.0.10011.16384", + "Copyright": "Copyright (C) Voicemod S.L.2010-2020", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "portcls.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", + "KeClearEvent", + "KeSetEvent", + "ExFreePool", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + 
"IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ExEventObjectType", "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "ExSystemTimeToLocalTime", + "_purecall", + "KeInitializeDpc", + "KeFlushQueuedDpcs", + "KeInitializeMutex", + "KeReleaseMutex", + "KeInitializeTimerEx", + "KeCancelTimer", + "KeSetTimerEx", + "KeWaitForSingleObject", + "KeInitializeSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "IoAllocateWorkItem", + "IoFreeWorkItem", + "IoQueueWorkItem", + "RtlIsNtDdiVersionAvailable", + "PcInitializeAdapterDriver", + "PcDispatchIrp", + "PcAddAdapterDevice", + "PcRegisterAdapterPowerManagement", + "PcNewServiceGroup", + "PcRegisterSubdevice", + "PcRegisterPhysicalConnection", + "PcNewPort" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "??=ES, ??=Private Organization, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", + "ValidFrom": "2019-12-13 00:00:00", + "ValidTo": "2020-12-17 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "02c5372170daa825b5e24b614268c5b5", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + } + ], + "Tags": [ + "vmdrv.sys" + ], + "yara": true + }, + { + "Id": "90ecbbf7-b02f-424d-8b7d-56cc9e3b5873", + "Author": "Nasreddine Bencherchali", + "Created": 
"2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create eneio64.sys binPath=C:\\windows\\temp\\eneio64.sys type=kernel && sc.exe start eneio64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "FileName": "eneio64.sys", + "MD5": "66066d9852bc65988fb4777f0ff3fbb4", + "SHA1": "24343ec4dfec11796a8800a3059b630e8be89070", + "SHA256": "38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0", + "Authentihash": { + "MD5": "2a99d8330fe122a45ba45dcf897c1bf9", + "SHA1": "b4afe8a5554e68bf22994725cf096b77430a9cf1", + "SHA256": "b45d78a6780f125143dbd198ac2439be78424e7ae37a4234541ecb327dc190c1" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "DbgPrint", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - 
"SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "ObfDereferenceObject", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -32834,130 +18338,112 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:BBEC,30CA,2DBE, CN=Microsoft Time,Stamp Service", - "ValidFrom": "2018-08-23 20:20:02", - "ValidTo": "2019-11-23 20:20:02", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-06-08 17:24:26", - "ValidTo": "2019-05-29 17:24:26", - "Signature": "507e1dabe5c8a200d7b848d718478b9b2278f88da52f23c4c297c0694d76611430bff53bbe64c2bf85fa5ed551cef1d014dcf7f38109ebb5d8474c628715d4c10dd49f303cbe25aaca38d589b581c1e9786abfb23e79aa332cca8ddeeae9958623887375b40836c23f972646b8b8eac96f0b3dcbc88d56062c54a14d1e7f52ed4eb9d6e0e876fab6029355c1c7f791c63ce9ecfe5d78ffb5ba3ffb21fa78edca381c8717d1c23d01c3f0aa36cb01434f68c981c5924f04089d731c26846e466255679fab67bdfc16ab0debbc2d17f9458dcf4176ac6d63e1bb673a2d7daec55618183ae25d420dc2f7874c295fd7a4afef5cf609247c7c50f75aba8f0195fe03", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2012-06-04 21:05:46", - "ValidTo": "2020-06-04 21:15:46", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": 
"2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000317c61d46115ceba6a000100000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "659a59d7e26b7730361244e12201378e", - "SHA1": "c21510569fd84a5fe04508aa28e3cf9c8cc45b7a", - "SHA256": "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c", + "FileName": "EneIo64.sys", + "MD5": "86fd54c56dcafe2de918c36f8dfda67e", + "SHA1": "0b01c4c1f18d72eb622be2553114f32edfe7b7aa", + "SHA256": "9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3", "Authentihash": { - "MD5": "3798eddcccab7da4682f64997533d27d", - "SHA1": "0d753c1d21c4e6c6eb74d3436eb4c5f376cc7364", - "SHA256": "a4859c5456d03f799de89d2f8cbb36b4518259a6c7c0bc909b1fd16f48363d5a" + "MD5": "6055cbe0b4c535baa8c15473fc97e61a", + "SHA1": "ce280412dd778cafbe6dbb05b8cab42e98d3ae56", + "SHA256": 
"795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5" }, - "Description": " ", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": " ", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "cng.sys", + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "BCryptCloseAlgorithmProvider", + "BCryptGetProperty", + "BCryptDecrypt", + "BCryptImportKey", + "BCryptDestroyKey", + "BCryptSetProperty", + "BCryptOpenAlgorithmProvider", "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", + "wcsstr", "ObfDereferenceObject", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetCurrentProcessId", + "RtlTimeToSecondsSince1970", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", 
- "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "RtlInitUnicodeString", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -32965,129 +18451,115 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF,4BBC,9335, CN=Microsoft Time,Stamp service", - "ValidFrom": "2018-08-23 20:20:28", - "ValidTo": "2019-11-23 20:20:28", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", + "ValidFrom": "2022-06-09 00:00:00", + "ValidTo": "2031-11-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-04-18 18:42:23", - "ValidTo": "2020-03-27 18:42:23", - "Signature": "5844e21f86b9788f56cd1d77f3f69287bb20fca894e9fedbba22b6bc952403a6b4c2cd38d003bfdd0ceb0ddcc583331efcad8b4be9516204983e26aaa15594ebc7b5784a3999aa9096a0d877371281c61840e4e57a2f4e33bcb554e3b1c25bcc71215544be72d254435aa7f462028722def36cb7819d9d746296b42f1e2dc0c6176f722fdc51d3913e1afdd3052cc50e1dc3f8dac1aaec4fc9b739973db14c1f1f68b5516a406994297ba034347c781323447d7e6c87dd73db025cea27bba00321aa12287daee740fd07040f293ead6d5f61bc0304daeebc847d5f4da6e712d2868d64a710212080c97dd804c265b6a60b368cceab6e1a4c81ba8361233a0ab2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", + "ValidFrom": "2022-03-23 00:00:00", + "ValidTo": "2037-03-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2018-09-20 17:42:01", - "ValidTo": "2021-05-09 23:28:13", - 
"Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2022 , 2", + "ValidFrom": "2022-03-29 00:00:00", + "ValidTo": "2033-03-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=Private Organization, ??=TW, serialNumber=16505809, C=TW, L=HSINCHU CITY, O=ENE TECHNOLOGY INC., CN=ENE TECHNOLOGY INC.", + "ValidFrom": "2021-07-06 00:00:00", + "ValidTo": "2024-08-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000387a14cce6619d8c51000200000038", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "0d6403ef47571a33435fc827ccefc858", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } ] - }, + } + ], + "Tags": [ + "eneio64.sys" + ], + "yara": false + }, + { + "Id": "7b893f79-b5b0-4373-9d29-c53a21fe6fc3", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create WinFlash64.sys 
binPath=C:\\windows\\temp\\WinFlash64.sys type=kernel && sc.exe start WinFlash64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "da6f7407c4656a2dbaf16a407aff1a38", - "SHA1": "ed40c1f7da98634869b415530e250f4a665a8c48", - "SHA256": "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf", + "FileName": "WinFlash64.sys", + "MD5": "a216803d691d92acc44ac77d981aa767", + "SHA1": "48be0ec2e8cb90cac2be49ef71e44390a0f648ce", + "SHA256": "316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d", "Authentihash": { - "MD5": "4eae8421b149baa7d0ce15a86470cde2", - "SHA1": "af5ff77f2106b31a8e433c3689b6a65628c2dfce", - "SHA256": "19d579e5a08bcb524405bdcbd2ea7247548af9f23ce64582a5be5ae3f184ad23" + "MD5": "62fecd37b50c9973478b3c1a02838c22", + "SHA1": "a1e4fbc16c0fc98a4c2256f2b0b45c1ece8f8f0b", + "SHA256": "ad6360cee0b1b293be38348f0f9deb7221e205516524f437aaf8f468b308cb4e" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "16.41", - "Product": "Process Explorer", - "ProductVersion": "16.41", - "Copyright": "Copyright (C) Mark Russinovich 1996-2021", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - 
"SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", "RtlFreeUnicodeString", + "IoCreateSymbolicLink", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", + "RtlAnsiStringToUnicodeString", + "RtlInitString", + "IofCompleteRequest", + "MmMapLockedPages", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "MmUnmapIoSpace", + "MmMapIoSpace", "KeBugCheckEx" ], "Signatures": [ 
@@ -33096,120 +18568,108 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:30", - "ValidTo": "2021-12-02 22:15:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": 
"5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public 
Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", + "ValidFrom": "2006-10-17 00:00:00", + "ValidTo": "2007-10-17 23:59:59", + "Signature": "66da102458b1f7a00e4d83c2b5fc3f96e6c55489b52830af684ef682ba836adeaf11984c59a876a882bf9bf2de527d34872a457e01a02c8bb8c630e41e364b96980b7e774228d49597ba47674b21c4da7d9cccd87bb5af940b761a9b70c64d2d4455d764a0004a9e55cecb4cde90e49481fced746ec91fe2b63f0176df8b7400928964cb53088a06e779021ae79280e58c9d0a7ac19ad0b9ab042e223ea97c13830cc55dcad096dab50f11126be42fe8142814e943a0b408659ff0f155449719c2afbf4c911fd78cba7f91d4ca280b1959a40fc8e7785d58b7a71e5357c946e5ddf20ea489e58877cf26a28691eccdcf20b4a40f353dbaa91e703db89aa7470b", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "2ca9ca93cd9b19a96ddad68aff3a668d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "procexp.Sys", - "MD5": "6b3abe55c4d39e305a11b4d1091dfaac", - "SHA1": "1c537fd17836283364349475c6138e6667cf1164", - "SHA256": "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675", + "FileName": "WinFlash64.sys", + "MD5": "bf2a954160cb155df0df433929e9102b", + "SHA1": "7a1689cde189378e7db84456212b0e438f9bf90a", + "SHA256": "8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d", "Authentihash": { - "MD5": "4b64921bd05ed4a30830f23facb43bde", 
- "SHA1": "3d9be989fbb447bbf7e4b081d9ee4d9b025476c3", - "SHA256": "e2e351efd57c89bc0c7b9d4d440113304d0b8a4c88cdf0126442171aa50634d4" + "MD5": "066fa975190d01fa5a8e99b0d5f3a5ae", + "SHA1": "0086ddd495c6c89c9b7732f2a2b58c06a82f31bc", + "SHA256": "63041a13d1658e22fecc34706e98ab08b54b94e7d028bf2b1308ff85995a01c3" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "11.40", - "Product": "Process Explorer", - "ProductVersion": "11.40", - "Copyright": "Copyright (C) M. Russinovich 1996-2010", - "MachineType": "IA64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "PsLookupProcessByProcessId", - "RtlInitUnicodeString", "IoDeleteDevice", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "ZwQueryObject", - "RtlUnicodeStringToAnsiString", - "ZwQuerySystemInformation", - "ZwOpenProcessToken", - "SeReleaseSubjectContext", - "KeDetachProcess", - "ObQueryNameString", - "strncpy", - "SeCaptureSubjectContext", - "NtClose", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "ZwDuplicateObject", - "RtlFreeAnsiString", - "KeRaiseIrql", - "KeAttachProcess", - "KeLowerIrql", - "ZwOpenProcess", - "ZwQueryInformationProcess", + "RtlFreeUnicodeString", "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "ObOpenObjectByPointer", - "SePrivilegeCheck", - "KeTickCount", - "KeBugCheckEx", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - 
"RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "__C_specific_handler" + "RtlAnsiStringToUnicodeString", + "RtlInitString", + "IofCompleteRequest", + "MmMapLockedPages", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "MmUnmapIoSpace", + "MmMapIoSpace" ], "Signatures": [ { "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", "ValidFrom": "2004-07-16 00:00:00", 
@@ -33217,24 +18677,24 @@ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2007-03-05 00:00:00", - "ValidTo": "2010-04-19 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=TAIPEI, O=Universal ABIT Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R&D DIV. TECH.SUPP.DEPT, CN=Universal ABIT Co., Ltd.", + "ValidFrom": "2006-07-19 00:00:00", + "ValidTo": "2007-07-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", + "SerialNumber": "226a266fde87a6d82d69d22ba10dce2f", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] 
@@ -33242,91 +18702,47 @@ ] }, { - "FileName": "procexp.Sys", - "MD5": "cec257dcac9e708cefb17f8984dd0a70", - "SHA1": "da361c56c18ea98e1c442aac7c322ff20f64486b", - "SHA256": "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc", + "FileName": "WinFlash64.sys", + "MD5": "bc6ff00fb3a14437c94b37ac9a2101d4", + "SHA1": "d5326fea00bcde2ef7155acf3285c245c9fb4ece", + "SHA256": "8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59", "Authentihash": { - "MD5": "df8e20e6fb1d2a22135e155763bf9588", - "SHA1": "1915e95974b6f75f4793e81b85e148ebdaa35515", - "SHA256": "0c2d8e8487de5e7749f9899f6fefa6e7d40b394479449b5027a895392af23349" + "MD5": "32c5590f86eda2c188d19fa91107e3b7", + "SHA1": "d3bc762eaebf1ea4f291aeb614dd7e1d3c027a39", + "SHA256": "bddf1750dc00725c1384b34740e798b4f5f70218ab71ac62a5a96773b377df5a" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - 
"PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", "RtlFreeUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlAnsiStringToUnicodeString", + "RtlInitString", + "IofCompleteRequest", + "MmMapLockedPages", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "MmFreeContiguousMemorySpecifyCache", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "MmMapIoSpace", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", "KeBugCheckEx" ], "Signatures": [ 
@@ -33335,134 +18751,143 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, OU=nCipher DSE ESN:148C,C4B9,2066, CN=Microsoft Time,Stamp Service", - "ValidFrom": "2016-09-07 17:58:56", - "ValidTo": "2018-09-07 17:58:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2016-10-12 20:32:53", - "ValidTo": "2018-01-05 20:32:53", - "Signature": "9fcff5d0683abc4c8daea4cc93841a3b037f2512114b780e6d1d0baf20ca63f15baf12e15392d0952d7ad3d6e270182085d8dd2a78af8a585f557506c975546138a087c58dcac5b9e5879a21dcaf4f026b9a97dc57c5b8a7e85f57861dedf618421b036a4b332cd12a4f6e2aba0aa1ff5249e9d93d7669d13eba761d5dddd495b86ac46eac38f724f525060c90079045e305a8ee0ccb626e4cd6722decd56f824d6e36eca2016fcbccf5479e9df7b3b123f6d1aa429d73808cf59f65b75e7f2da16f7d5c81b05430dc587c008f3fbf5afc42c99cf40b7f2ea7b27a314c22cb33eb2ebadfe904b7b6ea40f57eee80cc058229a617e31dead3909aad73885d21e7", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - 
"ValidFrom": "2012-06-04 21:05:46", - "ValidTo": "2020-06-04 21:15:46", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", + "ValidFrom": "2008-11-14 00:00:00", + "ValidTo": "2009-11-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000244d59538809906ea7000100000024", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "55272d7780471b989f3def09bb221c53", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - }, + } + ], + "Tags": [ + "WinFlash64.sys" + ], + "yara": false + }, + { + "Id": "d158321b-4d56-49c5-9a18-bcff9f4a2ebe", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_HWMIo64.sys binPath=C:\\windows\\temp\\BS_HWMIo64.sys type=kernel && sc.exe start BS_HWMIo64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "bf74d0706f5ab9c34067192260f4efb0", - "SHA1": "6b090c558b877b6abb0d1051610cadbc6335ecbb", - "SHA256": "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7", + "Filename": "BS_HWMIo64.sys", + "MD5": "338a98e1c27bc76f09331fcd7ae413a5", + "SHA1": "9c24dd75e4074041dbe03bf21f050c77d748b8e9", + "SHA256": "60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813", + "Signature": [ + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "c292f0024a454f42fba117b3505b12e9", - "SHA1": "d9ebe7ff8318eeece457fc72bec2b582d3350b61", - "SHA256": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4" + "MD5": "d6f9dc5cd435d1c210cd4053886b9f36", + "SHA1": "3281135748c9c7a9ddace55c648c720af810475f", + "SHA256": "3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75" }, - "Description": 
"Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", + "KeInitializeSemaphore", "IoCreateSymbolicLink", + "IoCreateDevice", + "KeSetEvent", + "MmUnmapIoSpace", + "KeDelayExecutionThread", + "PsCreateSystemThread", + "IoStartNextPacket", + "PsTerminateSystemThread", + "ExEventObjectType", + "MmMapIoSpace", "IoDeleteDevice", - "IoDeleteSymbolicLink", "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeReleaseSemaphore", "ObfDereferenceObject", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "IoStartPacket", + "IofCompleteRequest", + "KeRemoveEntryDeviceQueue", + "KeBugCheckEx", + "RtlInitUnicodeString", "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - 
"RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "IoDeleteSymbolicLink", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -33480,10 +18905,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", - "ValidFrom": "2013-04-06 00:00:00", - "ValidTo": "2016-05-05 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2013-08-26 00:00:00", + "ValidTo": "2016-11-24 23:59:59", + "Signature": "08f8dc4cc28122b327a65f1a10cc4ecb3bd6589e01f7c5677d9e8621c1134c6728007b58718aae4b35f14dd52e537626115f06baee260ff9200684ecf5eb0d30a415d4c1c3ca33d7ac85fbb343ec52c7c0e6c0d8e6d8e35e7738fe6eba1555dfda7a698c4fecf77a7108060989ebcfbd2468615f5ba1c3b7c60ebcd14d03e64bd04f42a1cc0d0fe67ce7b725f3415f1cc465e07fbb46fa3b5e0783c184c25366c7b09e8272c83d8e467ecf2b835fae9ccbd89ad3e2625a5e494cd08abe6f43dda05e1abde42b918f76e29c801e94981e59fdb7750e146e9a062eb939fb1d1e18df1f323d88c871acf85b5369669a12d21eb4443322801abf420a9c9a56fd682b", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
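Review bot: The `Resources` array added for BS_HWMIo64.sys lists the same URL twice, once with a leading space (`" https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"`), so a consumer that de-duplicates or opens these links gets both a duplicate and a malformed URL; the IOMap64.sys and semav6msr64.sys entries further down repeat the pattern, and the daxin_blank.sys entry carries an empty string `""` in `Resources`. The leading-space copies should be dropped and empty strings omitted. Separately, `"Verified": "TRUE"` is a string while `"yara": false` in the same object is a real boolean; one convention (preferably real booleans) would let consumers test the flag without a string comparison. The BS_HWMIo64.sys entry opened in this hunk continues past its end.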
@@ -33503,228 +18928,329 @@ ], "Signer": [ { - "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "SerialNumber": "32ba71c02f695ce02de7e6be26c4e481", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "BS_HWMIo64.sys" + ], + "yara": false + }, + { + "Id": "b1dd91b1-9ba3-4d68-a2d1-919039e18430", + "Author": "Michael Haag", + "Created": "2023-04-14", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create dcr.sys binPath=C:\\windows\\temp\\dcr.sys type=kernel && sc.exe start dcr.sys", + "Description": "DriveCrypt Dcr.sys vulnerability exploit for bypassing x64 DSE", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/wjcsharp/DriveCrypt" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "92927c47d6ff139c9b19674c9d0088f6", - "SHA1": "a98734cd388f5b4b3caca5ce61cb03b05a8ad570", - "SHA256": "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb", + "Filename": "dcr.sys", + "MD5": "c24800c382b38707e556af957e9e94fd", + "SHA1": "b49ac8fefc6d1274d84fef44c1e5183cc7accba1", + "SHA256": "3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "26f48296b5ef64120e55008690060a6e", - "SHA1": "8d59ed924e8c76b0ab8b7ee653510f43062eaa3e", - "SHA256": "cd1beb64cd67169d57ca4dbc602a94f74891962221bb49c09abf3339ce35bc90" + "MD5": "accf79b751fafb101c1ce17fb7611b70", + "SHA1": "8f2f1684a7305f32015d54c402790a47c6c7a0c9", + "SHA256": 
"2b60228db4f3092063e115537b5731ef3487ecf55c036e812605c5149071332c" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "16.42", - "Product": "Process Explorer", - "ProductVersion": "16.42", - "Copyright": "Copyright (C) Mark Russinovich 1996-2021", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", + "RtlInitAnsiString", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", + "PsTerminateSystemThread", + "PoStartNextPowerIrp", "ObfDereferenceObject", + "KeInitializeMutex", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "wcsncat", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", 
- "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "KeInitializeSemaphore", + "ZwReadFile", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "ZwSetInformationFile", + "IoSetHardErrorOrVerifyDevice", + "ZwWriteFile", + "sprintf", + "KeSetPriorityThread", + "RtlFreeUnicodeString", + "IoInitializeTimer", + "IoStartTimer", + "RtlDeleteRegistryValue", + "RtlWriteRegistryValue", + "RtlCreateRegistryKey", + "ExAllocatePoolWithTag", + "RtlInitUnicodeString", + "ZwCreateFile", + "IoAttachDevice", + "ProbeForRead", + "IoDeleteDevice", + "PoCallDriver", + "KeSetEvent", + "IofCallDriver", + "KeClearEvent", + "ProbeForWrite", + "PsCreateSystemThread", + "KeReleaseSemaphore", + "ExInterlockedRemoveHeadList", + "ExInterlockedInsertTailList", + "KeInitializeEvent", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "IoGetRelatedDeviceObject", + "IoSetThreadHardErrorMode", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "KeReleaseMutex", + "IoFileObjectType", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "IoFreeIrp", + "MmUnlockPages", + "ZwQueryInformationFile", + "IoAllocateMdl", + "MmUnmapLockedPages", + "IoBuildDeviceIoControlRequest", + "IoAllocateIrp", + "ZwDeviceIoControlFile", + "ZwFsControlFile", + "__C_specific_handler", + "__chkstk" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:30", - "ValidTo": "2021-12-02 22:15:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=DE, O=SecurStar GmbH, CN=SecurStar GmbH, emailAddress=contact@securstar.com", + 
"ValidFrom": "2007-04-13 10:29:04", + "ValidTo": "2010-04-13 10:29:04", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Comodo Time Stamping Signer", + "ValidFrom": "2005-05-17 00:00:00", + "ValidTo": "2010-05-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "01000000000111ea7d2e62", + "Issuer": "C=BE, O=GlobalSign 
nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] - }, + } + ], + "Tags": [ + "dcr.sys" + ], + "yara": false + }, + { + "Id": "7e80423f-8b30-4ee2-b904-9f5421826a8c", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank.sys binPath=C:\\windows\\temp\\daxin_blank.sys type=kernel && sc.exe start daxin_blank.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "2e219df70fccb79351f0452cba86623e", - "SHA1": "2740cd167a9ccb81c8e8719ce0d2ae31babc631c", - "SHA256": "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2", + "Filename": "daxin_blank.sys", + "MD5": "62c18d61ed324088f963510bae43b831", + "SHA1": "8302802b709ad242a81b939b6c90b3230e1a1f1e", + "SHA256": "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530", + "Signature": "Signed", + "Date": "7:07 AM 1/23/2013", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "0f461053add90ebe0bac9e8be9d9a8e5", - "SHA1": "5b27248685b909d5ae4c8ec77e2d3dcb02d6cc4b", - "SHA256": "cddd341f267a6094f7bd7d1b56427ebc029ccb348e7f0714d9301c2c67fdd5df" + "MD5": "253bde63495fa4f995a6debae44e598e", + "SHA1": "57391d4c4e30f91e3e780d5242fd98a178ec67ac", + "SHA256": "a000d211840cb8fbcbf95c334b1d04eadb45ba03b0413c96472e47e9e22413ff" }, - 
"Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", + "wcsncmp", + "DbgPrint", + "IoAllocateMdl", + "_stricmp", + "sprintf", + "RtlLengthRequiredSid", "ExAllocatePoolWithTag", + "vsprintf", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "RtlAnsiStringToUnicodeString", + "NtWriteFile", + "RtlCreateAcl", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "_wcsnicmp", + "ZwReadFile", + "RtlSetDaclSecurityDescriptor", + "KeInitializeApc", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "NtFsControlFile", + "KeInsertQueueApc", + "MmGetSystemRoutineAddress", + "IoCreateFile", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", + "RtlAddAccessAllowedAce", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "ZwOpenFile", + "ZwWaitForSingleObject", + "ZwCreateFile", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "ZwFreeVirtualMemory", + "KeQueryTimeIncrement", "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", + "KeWaitForSingleObject", + "KeAttachProcess", + "PsGetVersion", + "PsThreadType", + "RtlCompareUnicodeString", "ZwOpenProcess", - "RtlInitUnicodeString", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - 
"ZwDuplicateObject", - "ZwOpenProcessToken", "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "memcpy", - "memset", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", - "strncpy", - "KeStackAttachProcess", - "memmove", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", - "RtlUnwind", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", + "ZwTerminateProcess", + "ZwQueryInformationFile", + "KeWaitForMultipleObjects", + "ZwWriteFile", + "NtReadFile", + "PsLookupThreadByThreadId", "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeTickCount", - "KeBugCheckEx", - "KfLowerIrql", - "KfRaiseIrql" + "KeAcquireSpinLockRaiseToDpc", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", + "PsGetCurrentProcessId", + "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + "MmUserProbeAddress", + "MmBuildMdlForNonPagedPool", + "memchr", + "KeDelayExecutionThread", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + "NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisCopyFromNetBufferToNetBuffer", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
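Review bot: `Signature` inside `KnownVulnerableSamples` changes type within this commit: it is a string for dcr.sys (`"Signature": ""`) and daxin_blank.sys (`"Signature": "Signed"`) in this hunk, but an array of signer names for BS_HWMIo64.sys and IOMap64.sys, and `"CertificatesInfo"` is likewise changed from `[]` to `""` here and in the neighbouring hunks, so a consumer binding the file to a fixed schema fails on one shape or the other. Each key should keep one type across the file; `[]` for "no signer names" preserves the array shape. `"Date": "7:07 AM 1/23/2013"` for daxin_blank.sys is also a locale-formatted timestamp while the file's other dates are ISO (`"Created": "2023-02-28"`, the certificate `ValidFrom`/`ValidTo` values); an ISO 8601 form such as `"2013-01-23T07:07"` (the timezone is not recorded in the source) would make it sortable and comparable with those. The daxin_blank.sys entry opened in this hunk continues past its end.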
@@ -33734,13 +19260,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Test PCA", - "ValidFrom": "2010-05-10 07:00:00", - "ValidTo": "2020-12-29 07:00:00", - "Signature": "a5e89be29a34018c5eb99e6500101e7bde49d04c42f76ece04cacdaaac0de80f586b1ba7bbc841d892fe7477ab3c28f2a507ca45c4e65cfe487d0add256644c366d8f417666a7f11e622a8c31b09663524d9da9f092f3576291e00a4186ae9c857d0af477baa74d02fa3bbbb1f13e37dcd2855295be421278d806e2d597c72ff42aab3fef101b0bfd34d94e14a54f1394a541d08ee74119115dc5079db43cd1cad7ca84c57f843f68ef6f75e1d917e0ddbb1b6724be9a53df535c8cb77f59eb4", - "SignatureAlgorithmOID": "1.3.14.3.2.29" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -33749,96 +19268,163 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "DC=com, DC=microsoft, DC=corp, DC=redmond, CN=MSIT Test CodeSign CA 2", - "ValidFrom": "2014-01-03 23:17:17", - "ValidTo": "2018-01-03 23:17:17", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "CN=Mark Russinovich", - "ValidFrom": "2015-06-30 15:50:49", - "ValidTo": "2016-06-29 15:50:49", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "77005ec5ff32646dcbf76aac900003005ec5ff", - "Issuer": "DC=com, DC=microsoft, DC=corp, DC=redmond, CN=MSIT Test CodeSign CA 2" + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "daxin_blank.sys" + ], + "yara": false + }, + { + "Id": "f4990bdd-8821-4a3c-a11a-4651e645810c", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create IOMap64.sys binPath=C:\\windows\\temp\\IOMap64.sys type=kernel && sc.exe start IOMap64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41.yara" }, { - 
"FileName": "procexp.Sys", - "MD5": "0ef05030abd55ba6b02faa2c0970f67f", - "SHA1": "f6d826d73bf819dbc9a058f2b55c88d6d4b634e3", - "SHA256": "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "IOMap64.sys", + "MD5": "a01c412699b6f21645b2885c2bae4454", + "SHA1": "2fc6845047abcf2a918fce89ab99e4955d08e72c", + "SHA256": "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "ASUSTeK Computer Inc.", + "Description": "ASUS Kernel Mode Driver for NT ", + "Product": "ASUS Kernel Mode Driver for NT ", + "ProductVersion": "1.00", + "FileVersion": "1.00", + "MachineType": "AMD64", + "OriginalFilename": "IOMap.sys", "Authentihash": { - "MD5": "82ece436a712985b767d42a178872ab3", - "SHA1": "e7bedb9528d3da5e7e161a14db260140a02facca", - "SHA256": "d28acafeb6a85294d2672fa894a2934599713aa9ce1b21184dc1ec34131af7bb" + "MD5": "3d840e2458fef30b0871bf1c13b060ff", + "SHA1": "63b773c3c8308ddfa783b318d0ea67724fa1dc2f", + "SHA256": "34b3acdeac5002880071f73b70aa3abd3a6facb9e281b5c93cc82a7a8a6d5cc1" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": 
"procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "9.30", - "Product": "Process Explorer", - "ProductVersion": "9.30", - "Copyright": "Copyright (C) M. Russinovich 1996-2005", - "MachineType": "I386", + "InternalName": "IOMap.sys", + "Copyright": "Copyright 2010 ASUSTeK Computer Inc.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObQueryNameString", - "ZwClose", - "ZwDuplicateObject", - "ZwOpenProcess", - "KeDetachProcess", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "KeAttachProcess", - "PsLookupProcessByProcessId", - "MmIsAddressValid", - "ObOpenObjectByPointer", - "ZwQueryInformationProcess", - "NtBuildNumber", - "RtlUnicodeStringToAnsiString", - "IofCompleteRequest", - "SeReleaseSubjectContext", - "SePrivilegeCheck", - "ExGetPreviousMode", - "SeCaptureSubjectContext", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "KeInitializeMutex", "RtlInitUnicodeString", + "IoDeleteDevice", + "MmUnmapIoSpace", + "MmMapIoSpace", + "PoStartNextPowerIrp", + "IofCompleteRequest", + "ExFreePoolWithTag", "IoCreateSymbolicLink", "IoCreateDevice", + "IofCallDriver", + "KeReleaseMutex", + "KeWaitForSingleObject", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "PoCallDriver", "ExAllocatePoolWithTag", - "RtlUnwind", - "strncpy", - "ZwOpenProcessToken", - "RtlFreeAnsiString", - "KfLowerIrql", - "KfRaiseIrql" + "HalTranslateBusAddress", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
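Review bot: The certificate `Subject` strings in this hunk render hyphens in CA names as commas — `CN=VeriSign Class 3 Code Signing 2009,2 CA` at the end of the hunk, while the same sample's `Signature` array earlier in the hunk spells it `"VeriSign Class 3 Code Signing 2009-2 CA"`; `Signer , G2`, `Signer , G5` and `GlobalSign nv,sa` in the surrounding hunks look like the same mangling. These fields are the natural match keys for a detection that checks the issuer of a loaded driver, so a rule built from the `Subject`/`Issuer` text here would not match the real certificate. The conversion that produced the strings presumably splits or re-joins DN components on commas, so the fix belongs there; until then a comment where the file is consumed should warn that DN text is lossy. The IOMap64.sys certificate list continues past the end of the hunk.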
@@ -33849,209 +19435,313 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2006-02-02 00:00:00", - "ValidTo": "2007-04-04 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "75c1a798b875894335c78cddbf05cbff", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - }, + } + ], + "Tags": [ + "IOMap64.sys" + ], + "yara": true + }, + { + "Id": "ea86fce4-911a-40b4-8d35-61b5a9d556bd", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create semav6msr64.sys binPath=C:\\windows\\temp\\semav6msr64.sys type=kernel && sc.exe start semav6msr64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "b7ca4c32c844df9b61634052ae276387", - "SHA1": "6df6d5b30d04b9adb9d2c99de18ed108b011d52b", - "SHA256": "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c", + "Filename": "semav6msr64.sys", + "MD5": "07f83829e7429e60298440cd1e601a6a", + "SHA1": "643383938d5e0d4fd30d302af3e9293a4798e392", + "SHA256": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", + "Signature": [ + "Intel(R) Code Signing External", + "Intel External Basic Issuing CA 3B", + "Intel External Basic Policy CA", + "Sectigo (AddTrust)" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "1694c87131cee15e63d71936859506b8", - "SHA1": "5eb106f413ad1d8de4c04661a1c5162410164d50", - "SHA256": "120f7983011211e6740d7a3a4cd2354507866ef7d36a48e2e3a9bd5b52c21c8a" + "MD5": "79553d83580570e382d3b9c7e101df2b", + "SHA1": "e3dbe2aa03847df621591a4cad69a5609de5c237", + "SHA256": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "11.01", - "Product": "Process Explorer", - "ProductVersion": "11.01", - "Copyright": "Copyright (C) M. 
Russinovich 1996-2007", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "NtBuildNumber", - "ZwOpenProcess", - "PsLookupProcessByProcessId", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", - "MmIsAddressValid", - "IoDeleteDevice", - "ObfDereferenceObject", - "ExGetPreviousMode", - "IoCreateDevice", - "MmGetSystemRoutineAddress", - "ObOpenObjectByPointer", - "ZwQueryObject", - "RtlUnicodeStringToAnsiString", - "SePrivilegeCheck", - "ZwQuerySystemInformation", - "ZwOpenProcessToken", - "SeReleaseSubjectContext", - "KeDetachProcess", - "ObQueryNameString", - "strncpy", - "ExAllocatePool", - "SeCaptureSubjectContext", - "NtClose", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeQueryActiveProcessors", + "KeQueryActiveProcessorCount", "IoDeleteSymbolicLink", - "ZwDuplicateObject", - "ExFreePoolWithTag", - "RtlFreeAnsiString", - "KeAttachProcess", + "KeSetSystemAffinityThreadEx", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "KeRevertToUserAffinityThreadEx", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlAssert", + "DbgPrint", "KeBugCheckEx", "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Code Signing External", + "ValidFrom": "2015-04-16 17:22:30", + "ValidTo": "2016-04-15 17:22:30", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", - "ValidFrom": "2007-03-05 00:00:00", - "ValidTo": "2010-04-19 23:59:59", - "Signature": "a1ce9df2911dc8d72282d3c41cc94a5ec63e00dbdf60015908bc703678b1a68e25d1ec5780e425ffb68e3e1bb0ea62cc9ba43c0e262cfa5f6c552458696acb67422328df20215aa22e5e8d4417d8688fcb06c1de0fe431e6811596fb0dcbe8678fe69098653687b041ab4eefd3181964c0a5225fe0a1606ff4c12c3f57d7e620860dcd66a8b856438dfb87d10e50beea9e838964d2584811fa83287ef363e88e4fc5b8d09f2fb4feeb7fd7f2a77661cb75ed56a0d3b60fdeed43674757704753721df8c8801ee85e4818fafb012399b1d36a8e17b8e40cbaa0fd891b6d2e0515dbd4d743e42eea35a9b191bf26a850eff41a5aa6d95790329c8a21a88c11faba", + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 
10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", + "ValidFrom": "2014-12-09 21:30:38", + "ValidTo": "2017-12-09 21:30:35", + "Signature": "946aee51ab48079d01882edffbe887d87828778d30da382cacb0c1d5a4c0fc8437badc00c2c16454a82564ba4bcf776b79eb1feedc4e4ccd02514bbaea7c9b755d88a43a9493e07ebaa22358f95dabd995d4c572134e266dfb4bbd3a4c95c3191abbba7b1d1d0587c4a3e3911e1037fda9dacd9fe9c63383f0c21ece4e829c9c7e40e96a64139dfda69d0255a9588dbff28bfec8d343ca34decb755531b384a6cf388a5f06685870f79a321c3fc0e221cf8bba3b1e0b5d0486eb02f6e9008ebc4c2741215451b0ba6e1ec9d9e202b4e38c9184838c5e948df1c051aa0d0122c32810c11cb3458735c726b9e252558e0257b3360f85ec5ba949c3a3f8841c1938b5661ea9bde4f0894b40bd9567e89b17b373faaeeb1de7b7b27e4f52b46add679ac3dbd35bbdb48c9c6fb7aae98058c99002e9e53e0a0d5d88d21289ecce372c63afc6a08ca8f61d013695e40c48b67b9725dab9607e3f80e82d2f56afdd10b453d2e82d488b69a7ca63ced68f9bdc855d62fd79103e8b4abfef936e430dee4ea4e2a199a43a03783e4e4489807170fd63f12272c865861419fe6f2c474948f8749cb696446054b3e0913bba0f5483640dd33e955421beb4574f8398398e1323b3f24f83f640c5146aa90c6e314d6ccdcf8d21bbd09e4ff883e369adc6b742c021d833a2d4fefbba1080d8ca8eade080908a626fb8396451e2616afc943e1f74", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "330000b6712f575e402cf8708400020000b671", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" } ] } ] + } + ], + "Tags": [ + "semav6msr64.sys" + ], + "yara": false + }, + { + "Id": "c3cca618-5a7f-4a51-8785-cb328fbfb0df", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create viraglt64.sys binPath=C:\\windows\\temp\\viraglt64.sys type=kernel && sc.exe start viraglt64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495.yara" }, { - "FileName": "procexp.Sys", - "MD5": "9beecfb3146f19400880da61476ef940", - "SHA1": "d5beca70469e0dcb099ba35979155e7c91876fd2", - "SHA256": "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "viraglt64.sys", + "MD5": "43830326cd5fae66f5508e27cbec39a0", + "SHA1": "05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d", + "SHA256": "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", + "Signature": [ + "TG Soft S.a.s. Di Tonello Gianfranco e C.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "TG Soft S.a.s.", + "Description": "VirIT Agent System", + "Product": "VirIT Agent System", + "ProductVersion": "1, 0, 0, 11", + "FileVersion": "1, 0, 0, 11", + "MachineType": "AMD64", + "OriginalFilename": "viragt64.sys", "Authentihash": { - "MD5": "c292f0024a454f42fba117b3505b12e9", - "SHA1": "d9ebe7ff8318eeece457fc72bec2b582d3350b61", - "SHA256": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4" + "MD5": "68a2f77cfa5aec4556b4276852be637f", + "SHA1": "0188096c79f0cdde9233e52d4117c0f53e667e3d", + "SHA256": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "viragt.sys", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2011, 2016 - www.tgsoft.it", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", + "mbstowcs", "ExAllocatePoolWithTag", + "KeSetTargetProcessorDpc", + "ZwCreateKey", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "KeInitializeMutex", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "strstr", + "RtlInitUnicodeString", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "RtlInitAnsiString", + "ZwSetValueKey", + "_strupr", + "KeInitializeDpc", + "ZwQuerySystemInformation", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "ZwSetInformationFile", + "KeReleaseMutex", + "KeDelayExecutionThread", + "ZwCreateFile", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "ExSystemTimeToLocalTime", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "KeInsertQueueDpc", + "ZwEnumerateValueKey", "ZwClose", - "MmIsAddressValid", + "sprintf", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlTimeToTimeFields", + "MmProbeAndLockPages", "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", + "MmUnlockPages", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - 
"RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "ZwTerminateProcess", + "KeNumberProcessors", + "ZwQueryInformationFile", + "MmIsNonPagedSystemAddressValid", + "ZwWriteFile", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "IoAllocateMdl", "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "ObOpenObjectByName", + "swprintf", + "RtlUnicodeStringToAnsiString", + "ZwOpenDirectoryObject", + "IoFileObjectType", + "IoDriverObjectType", + "ZwQueryDirectoryObject", + "wcstombs", + "KeQueryActiveProcessors", + "KeBugCheckEx", + "IofCompleteRequest", + "ExQueueWorkItem", + "__C_specific_handler", + "__chkstk", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
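Review bot: The new side changes the type of `CertificatesInfo` from `[]` to `""` on every sample in this hunk (and again throughout the hunk that follows), so a consumer that declares that field as a slice will fail to decode the entire array if it is Go's encoding/json, which the `pkg/` layout suggests; either keep the value an empty array when regenerating the file, or decode the field as `json.RawMessage` so both shapes load. The sample key is also renamed from `FileName` to `Filename`; encoding/json matches keys case-insensitively so struct decoding survives, but any code that indexes a generic map by the old key will silently get nothing. `Verified` stays a string and now mixes spellings (`"TRUE"`/`"FALSE"` here, `"True"` in a later entry), so a consumer should compare it with `strings.EqualFold` rather than `==`. The first `Resources` entry keeps a leading space (`" https://learn.microsoft.com/…"`) and duplicates the next one, which will be carried into any output built from it.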
@@ -34069,17 +19759,24 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", - "ValidFrom": "2013-04-06 00:00:00", - "ValidTo": "2016-05-05 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", + "ValidFrom": "2016-01-20 00:00:00", + "ValidTo": "2019-03-11 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -34092,649 +19789,717 @@ ], "Signer": [ { - "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "viraglt64.sys" + ], + "yara": true + }, + { + "Id": "de365e80-45cb-48fb-af6e-0a96a5ad7777", + "Author": "zwclose", + "Created": "2023-05-22", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "True", + "Commands": { + "Command": "sc.exe create CtiIo64.sys binPath=C:\\windows\\temp\\CtiIo64.sys type=kernel && sc.exe start CtiIo64.sys", + "Description": "The driver is part of Dragon Center (or MSI Center?) from MSI. It creates \\Device\\CtiIo ACLless DO and provides access to memory and IO. The driver is signed with WHQL cert.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/magicsword-io/LOLDrivers/pull/81" + ], + "Acknowledgement": { + "Person": "zwclose", + "Handle": "@zwclose" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109.yara" }, { - "FileName": "procexp.Sys", - "MD5": "b79475c4783efdd8122694c6b5669a79", - "SHA1": "d612165251d5f1dcfb1f1a762c88d956f49ce344", - "SHA256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", - "Authentihash": { - "MD5": "bee5a87f72b42f3bb5958ba541f4caff", - "SHA1": "9e0516a6ce73163e2ff5bf0740b57da46846228b", - "SHA256": "74716032cc2f63c67b9df0882c6794b4bf66147d943329db5f233a04c2fd9b12" - }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "16.32", - "Product": "Process Explorer", - 
"ProductVersion": "16.32", - "Copyright": "Copyright (C) Mark Russinovich 1996-2020", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-03-04 
19:12:18", - "ValidTo": "2021-03-03 19:12:18", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000009484c47568579aafe9000000000094", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" - } - ] - } - ] + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "FileName": "procexp.Sys", - "MD5": "318e309e11199ec69d8928c46a4d901b", - "SHA1": "63bb17160115f16b3fca1f028b13033af4e468c6", - "SHA256": "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476", + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "", + "MD5": "3f8cdaf7413000d34d6a1a1d5341a11b", + "SHA1": "c1c869deee6293eee3d0d84b6706d90fab8f8558", + "SHA256": "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Creative Technology Innovation Co., LTd.", + "Description": "CTI IO driver", + "Product": "CtiIo64 Driver Version 1.0", + 
"ProductVersion": "1.0 x64", + "FileVersion": "1.0 x64 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "CtiIo64.sys", "Authentihash": { - "MD5": "decbda17e27f012c72e5ff39c8c19089", - "SHA1": "ecdaa78f29e1f1a27d28b45a9de5f93af9f18f15", - "SHA256": "ee24071d9a0ef38dc98929cfb4d316f9fb010de107c110fad2403022cf1eebfc" + "MD5": "6bbd44ee42e3bbc6b4acc12fe11d765a", + "SHA1": "a19ec41abb65a26116bce1413470271d89d18995", + "SHA256": "2b4af74d74a4380130a1c46d2f1ffe112d87d9d7646540bbbd201c5bd176082b" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "CtiIo64.sys", + "Copyright": "Copyright (c) 2021 CTI", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "DbgPrint", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", + "ZwMapViewOfSection", + 
"ObReferenceObjectByHandle", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "IoCreateSymbolicLink", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:BBEC,30CA,2DBE, CN=Microsoft Time,Stamp Service", - "ValidFrom": "2018-08-23 20:20:02", - "ValidTo": "2019-11-23 20:20:02", - "Signature": "18296d831c69501fcc0fba56af62fea612d3e1df8e88026af0152c003451479cc1ed1574a00da10660272dc5dd446a18c647b100a47b4c65d0ab4004131aebb3c988b6937214ee9dc7c2e381988b8fe0582c47fa97c21c9b0f11e198b8449015b171f00cb487241b0e339902adfd55f0adbc38b374e77f6daa6e5868b6197ba2122f927de072de2aa467f3175f948d3c29dacac8c697f26e08d840876c6c919bc522b59cf1fb5ee1b23bd9047b02b3a9edd5b1ad4b3be3bf7dec5a093e5732f75c5389eb28c6f95f1bd1c81381e96725eaf4df641c32aed1e77a8fdcdaa360c4b39c6257c5c14c57dc1a380e165cc2f3bfffc9c9ce9d36907e2c74cafdd5f722", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-06-08 17:24:26", - "ValidTo": "2019-05-29 17:24:26", - 
"Signature": "507e1dabe5c8a200d7b848d718478b9b2278f88da52f23c4c297c0694d76611430bff53bbe64c2bf85fa5ed551cef1d014dcf7f38109ebb5d8474c628715d4c10dd49f303cbe25aaca38d589b581c1e9786abfb23e79aa332cca8ddeeae9958623887375b40836c23f972646b8b8eac96f0b3dcbc88d56062c54a14d1e7f52ed4eb9d6e0e876fab6029355c1c7f791c63ce9ecfe5d78ffb5ba3ffb21fa78edca381c8717d1c23d01c3f0aa36cb01434f68c981c5924f04089d731c26846e466255679fab67bdfc16ab0debbc2d17f9458dcf4176ac6d63e1bb673a2d7daec55618183ae25d420dc2f7874c295fd7a4afef5cf609247c7c50f75aba8f0195fe03", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2012-06-04 21:05:46", - "ValidTo": "2020-06-04 21:15:46", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "ValidFrom": "2020-12-15 22:25:28", + "ValidTo": "2021-12-02 22:25:28", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": 
"10978ac35c034436dde9b4ad77dbce79514d01b12e74715b6d0c13abcebe7b8fb82ed412a28c6d62b85702cb4e20135099dd7a40e257bbaf589a1ce11d0186acbb78f28bd0ec3b01eee2be8f0a05c88d48e2f05315dd4fab92e4e78d6ad580c1e694f2062f8503e9912a242270fbf6fce478992e0df707e270bc184e9d8e6b0a7295b8a1399c672dc5510eea625c3f16988b203fe2071a32f9cc314a76313d2b720bc8ea703dff850a13dfc20a618ef0d7b817eb4e8b7fc5352b5ea3bfebbc7d0b427bd4537221ee30cabb78655c5b01170a140ed2da1498f53cb96658b32d2fe7f98586cc5156e89d70946cac394cd4f679bfaa187a6229efa29b293406771a62c93d1e6d1f82f00bc72cbbcf43b3e5f9ec7db5e3a4a87435b84ec571231226760b3c528c715a464314bcb3b3b04d67c89f42ff807921809e153066e842125e1ac89e2221d043e92be9bbf448cc2cd4d832804c262a48245f5aea56efa6de999dca3a6fbd8127740611ee7621bf9b82c12754b6b16a3d89a17661b46ea113a6bfaa47f0126ffd8a326cb2fedf51c88c23c966bd9d1d871264023d2daf598fb8e421e5b5b0ca63b4785405d4412e50ac94b0a578abb3a096751ad992871375222f32a8086ea05b8c25bfa0ef84ca21d6eb1e4fc99aee49e0f701656f890b7dc869c8e66eeaa797ce3129ff0ec55b5cd84d1ba1d8fa2f9e3f2e55166bc913a3fd", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000317c61d46115ceba6a000100000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "33000000433a68189e33902987000000000043", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - }, + } + ], + "Tags": [ + "CtiIo64.sys" + ], + "yara": true + }, + { + "Id": "cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create magdrvamd64.sys binPath=C:\\windows\\temp\\magdrvamd64.sys type=kernel && sc.exe start magdrvamd64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + 
"Resources": [ + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "procexp.Sys", - "MD5": "c69c292e0b76b25a5fa0e16136770e11", - "SHA1": "05eff2001f595f9e2894c6b5eee756ae72379a6d", - "SHA256": "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06", + "Filename": "magdrvamd64.sys", + "MD5": "49938383844ceec33dba794fb751c9a5", + "SHA1": "e22495d92ac3dcae5eeb1980549a9ead8155f98a", + "SHA256": "be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57", + "Signature": [ + "Samsung Electronics Co., Ltd.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "92c56a03fbcd375d9569e1cf60bf78cd", - "SHA1": "be428ed7b322ad13b2207294b934b0a67aa8345d", - "SHA256": "fa959c48c055ec149d434a5adeb9f9938d1c260a65ee8a4ea1d67bfbdceab83f" + "MD5": "4bc9c678b740fdbb6da3da4af3444c09", + "SHA1": "592989e3e6942baf38127b50e39dd732b323a92d", + "SHA256": "911e01544557544de4ad59b374f1234513821c50a00c7afa62a8fcca07385b2f" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "NTOSKRNL.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "IoCreateDevice", "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - 
"ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "MmUnmapIoSpace", + "MmMapIoSpace" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, OU=nCipher DSE ESN:B1B7,F67F,FEC2, CN=Microsoft Time,Stamp Service", - "ValidFrom": "2015-10-07 18:14:02", - "ValidTo": "2017-01-07 18:14:02", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 
10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation", - "ValidFrom": "2015-06-04 17:42:45", - "ValidTo": "2016-09-04 17:42:45", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2010-05-10 00:00:00", + "ValidTo": "2015-05-10 23:59:59", + "Signature": "c8fb63f80b75752c3af1f213a72db6a31a9cad0107d3348e77e0c26eae025d484fa4d221b636fd2a35437c6bdf80870b15f0763200b4ceb567a42f2f201b9c549e833f1f5f149562820f2241221f70b3f3f742de6c51cd4bf821ac9b3b8cb1e5e6288fce2a8af9aa524d8c5b77ba4d5a58dbbb6a04cc521e9de228370ebbe70e91c7f8dbf18198ebcd37b30eab65d362ec3aa576eb13a83593c92e0a01ecc0e8cc3d7eb6ebe2c1ecd3149282668750dcfd5097acb34a767306c486113ab35f4304526feab3d074364ccaf11b7984377063ad74b9aa0ef398b08608ebdbe01f8c10f239649bae4f0a2c928a4f18b591e58d1a935f1faef1a6f02e97d0d2f62b3c", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA", - "ValidFrom": "2010-08-31 22:19:32", - "ValidTo": "2020-08-31 22:29:32", - "Signature": "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", + "Subject": "C=KR, ST=Gyeonggi,Do / Korea, L=Hwasung,City, O=Samsung Electronics Co., Ltd., CN=Samsung Electronics Co., Ltd.", + "ValidFrom": "2012-10-09 11:25:07", + "ValidTo": "2015-10-10 11:25:07", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", + "Subject": "C=BE, 
O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000010a2c79aed7797ba6ac00010000010a", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA" + "SerialNumber": "1121d54c6060d0acf70c52ceac844116f169", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] + } + ], + "Tags": [ + "magdrvamd64.sys" + ], + "yara": false + }, + { + "Id": "dfb0270d-4892-4fe5-97ed-0afd2e3fbe52", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create zamguard64.sys binPath=C:\\windows\\temp\\zamguard64.sys type=kernel && sc.exe start zamguard64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91.yara" }, { - "FileName": "procexp.Sys", - "MD5": "9982da703f13140997e137b1e745a2e3", - "SHA1": "511b06898770337609ee065547dbf14ce3de5a95", - "SHA256": "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "zamguard64.sys", + "MD5": "21e13f2cb269defeae5e1d09887d47bb", + "SHA1": "16d7ecf09fc98798a6170e4cef2745e0bee3f5c7", + "SHA256": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", + "Signature": [ + "Zemana Ltd.", + "DigiCert High Assurance Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "Zemana Ltd.", + "Description": "ZAM", + "Product": "ZAM", + "ProductVersion": "2.21.63", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "db32843b80c6e8c9173847c3faab2200", - "SHA1": "fffeec16afdeedd2bee22860f0942c846ba9ee1a", - "SHA256": "cee01c69cb0c06dd0d98ff05aeb2b0a34a4aa1a71d35a3033bf9c1a35b637c55" + "MD5": "3f2771b22553380efcee72a27dc4d96c", + "SHA1": "0d15b7de0f1129b540f48d7a3cba2c6bf5d44112", + "SHA256": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "Zemana Ltd. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "ZwWriteFile", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", + "IoAllocateMdl", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ObQueryNameString", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", "ExGetPreviousMode", "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", 
"IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", "KeStackAttachProcess", "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", + "ZwOpenThread", "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", "ZwOpenKey", - "ZwCreateKey", + "ZwEnumerateKey", + "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "PsLookupProcessByProcessId", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + 
"ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "ZwQuerySystemInformation", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF,4BBC,9335, CN=Microsoft Time,Stamp service", - "ValidFrom": "2018-08-23 20:20:28", - "ValidTo": "2019-11-23 20:20:28", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-04-18 18:42:23", - "ValidTo": "2020-03-27 18:42:23", - "Signature": "5844e21f86b9788f56cd1d77f3f69287bb20fca894e9fedbba22b6bc952403a6b4c2cd38d003bfdd0ceb0ddcc583331efcad8b4be9516204983e26aaa15594ebc7b5784a3999aa9096a0d877371281c61840e4e57a2f4e33bcb554e3b1c25bcc71215544be72d254435aa7f462028722def36cb7819d9d746296b42f1e2dc0c6176f722fdc51d3913e1afdd3052cc50e1dc3f8dac1aaec4fc9b739973db14c1f1f68b5516a406994297ba034347c781323447d7e6c87dd73db025cea27bba00321aa12287daee740fd07040f293ead6d5f61bc0304daeebc847d5f4da6e712d2868d64a710212080c97dd804c265b6a60b368cceab6e1a4c81ba8361233a0ab2", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2018-09-20 17:42:01", - "ValidTo": "2021-05-09 23:28:13", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": 
"10978ac35c034436dde9b4ad77dbce79514d01b12e74715b6d0c13abcebe7b8fb82ed412a28c6d62b85702cb4e20135099dd7a40e257bbaf589a1ce11d0186acbb78f28bd0ec3b01eee2be8f0a05c88d48e2f05315dd4fab92e4e78d6ad580c1e694f2062f8503e9912a242270fbf6fce478992e0df707e270bc184e9d8e6b0a7295b8a1399c672dc5510eea625c3f16988b203fe2071a32f9cc314a76313d2b720bc8ea703dff850a13dfc20a618ef0d7b817eb4e8b7fc5352b5ea3bfebbc7d0b427bd4537221ee30cabb78655c5b01170a140ed2da1498f53cb96658b32d2fe7f98586cc5156e89d70946cac394cd4f679bfaa187a6229efa29b293406771a62c93d1e6d1f82f00bc72cbbcf43b3e5f9ec7db5e3a4a87435b84ec571231226760b3c528c715a464314bcb3b3b04d67c89f42ff807921809e153066e842125e1ac89e2221d043e92be9bbf448cc2cd4d832804c262a48245f5aea56efa6de999dca3a6fbd8127740611ee7621bf9b82c12754b6b16a3d89a17661b46ea113a6bfaa47f0126ffd8a326cb2fedf51c88c23c966bd9d1d871264023d2daf598fb8e421e5b5b0ca63b4785405d4412e50ac94b0a578abb3a096751ad992871375222f32a8086ea05b8c25bfa0ef84ca21d6eb1e4fc99aee49e0f701656f890b7dc869c8e66eeaa797ce3129ff0ec55b5cd84d1ba1d8fa2f9e3f2e55166bc913a3fd", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000387a14cce6619d8c51000200000038", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "zamguard64.sys" + ], + "yara": true + }, + { + "Id": "edd29861-6984-4dbe-8e7c-22e9b6cf68d0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create 
krpocesshacker.sys binPath=C:\\windows\\temp\\krpocesshacker.sys type=kernel && sc.exe start krpocesshacker.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/312791-bypaph-process-hackers-bypass-read-write-process-virtual-memory-kernel-mem.html#post2315763", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c.yara" }, { - "FileName": "procexp.Sys", - "MD5": "9b9d367cb53df0a2e0850760c840d016", - "SHA1": "631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8", - "SHA256": "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "krpocesshacker.sys", + "MD5": "bbbc9a6cc488cfb0f6c6934b193891eb", + "SHA1": "d8498707f295082f6a95fd9d32c9782951f5a082", + "SHA256": "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c", + "Signature": [ + "Wen Jia Liu", + "DigiCert High 
Assurance Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "wj32", + "Description": "KProcessHacker", + "Product": "KProcessHacker", + "ProductVersion": "2.8", + "FileVersion": "2.8", + "MachineType": "AMD64", + "OriginalFilename": "kprocesshacker.sys", "Authentihash": { - "MD5": "dafa4bdbdbbd96532d03022cd6900fed", - "SHA1": "f2ff9b749f7c5f21043b42d97b8a386c702d4435", - "SHA256": "ab5324c992c7547020f85de3456516e0dba2c3c5aab10371723a96188354abaf" + "MD5": "a9ccdbae433c4377abce8f514e4fe43e", + "SHA1": "61b55bb7c111f93bd3ea9ac71591e1a6b89feee1", + "SHA256": "c7b1bb39dcd7f0331989f16fcc7cd29a9ae126bee47746a4be385160da3c5a29" }, - "Description": "Process Explorer", - "Company": "Sysinternals - www.sysinternals.com", - "InternalName": "procexp.sys", - "OriginalFilename": "procexp.Sys", - "FileVersion": "15.00", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "Licensed under the GNU GPL, v3.", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "RtlInitUnicodeString", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "ProbeForWrite", + "ZwQuerySystemInformation", + "ZwQueryValueKey", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", + "IofCompleteRequest", + "PsGetCurrentProcessId", + "IoCreateDevice", "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - 
"ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", + "ZwOpenKey", + "ProbeForRead", + "RtlGetVersion", + "RtlCompareMemory", + "MmGetSystemRoutineAddress", + "PsProcessType", "ObOpenObjectByName", - "__C_specific_handler", + "ZwQueryObject", + "RtlEqualUnicodeString", + "KeUnstackDetachProcess", + "ExEnumHandleTable", + "ObQueryNameString", "IoFileObjectType", - "PsProcessType", + "IoDriverObjectType", + "IoGetCurrentProcess", + "ObReferenceObjectByHandle", + "ObCloseHandle", + "PsInitialSystemProcess", + "ObSetHandleAttributes", + "ZwQueryInformationProcess", + "ObfDereferenceObject", + "ExAllocatePoolWithQuotaTag", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "ExAcquireRundownProtection", + "PsLookupProcessByProcessId", + "PsJobType", + "PsReferencePrimaryToken", + "SeTokenObjectType", + "ExReleaseRundownProtection", + "ZwSetInformationProcess", + "PsGetProcessJob", + "PsLookupProcessThreadByCid", + "ZwTerminateProcess", + "PsDereferencePrimaryToken", + "IoThreadToProcess", + "RtlWalkFrameChain", + "KeInitializeApc", + "KeSetEvent", + "KeInsertQueueApc", + "KeInitializeEvent", + "PsSetContextThread", + "PsGetThreadWin32Thread", + "ZwSetInformationThread", + "KeWaitForSingleObject", "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "PsAssignImpersonationToken", + 
"PsGetContextThread", + "PsLookupThreadByThreadId", + "MmUnmapLockedPages", + "ExRaiseStatus", + "MmHighestUserAddress", + "MmMapLockedPagesSpecifyCache", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmIsAddressValid", + "KeBugCheckEx", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:B8EC,30A4,7144, CN=Microsoft Time,Stamp Service", - "ValidFrom": "2018-08-23 20:19:30", - "ValidTo": "2019-11-23 20:19:30", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-04-18 18:42:23", - "ValidTo": "2020-03-27 18:42:23", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", - "ValidFrom": "2018-09-20 17:42:01", - "ValidTo": "2021-05-09 23:28:13", - "Signature": 
"db595516f66f18e1341f22519cd75bdebec9fe22cf0da8b0b3d16c1da9a402d786bc566b40ee0bbcf93519de693d54a7d10a23c02dbc67986c390faf808cbc4adb87290c6336e5faf85d8f8c233ef9922fb1843a48a325954aeac902617af61fee0538540f210e1e96e2d2fbd710c3d9dcdee31f05054f429bacbd15eea95a19817a77c5be146a41a7307858ced3207157603c07b83c83ca0f35f77a632f148aa6dc8e0f947a8aaf6ad8c8d7c4490526c7f4f6ad021edb776725fe7dfb894a56d92fd032d2197c0e4edb995316a84d28109a61707230317c47c98b01093a263ebe5bcc278ffd669fd49fe1f51ac913b6c3cf714b5fc34381ee4996d59981421916414f0a902e76bd3b0399e4851a6084716df77ce405fe55a53be6f3c95f067a3f46ef77f7ad48d211cac1b08ab7964cfa9e8fdd336d2a84750021c76bffdc3de28b8d81b65134c9bdf6379fedf06b028f3ec0b6f5a6bb72c6745953ef43d67808d0bf11b7fa1d0a74b18f5e3b21f2e940ade8d052a9e19e9eb3bffbe9f5e8439a09ee26abf6d3e9528a1ef984617b5c33cf0d8d6e9daac74135d14fc21e82668e5b9075d3235eb988eec5fcac9753af2e343e2a1c88a19dc94ec1f11ae245eef3a76beccb5bb13fa9f39d9b04ffd6342cbc040e29a161d212d5b6a50c10be6f6b9e681d4747ac7bd030d75c18d61ec0ad03e3cecfc668c49424c26fd4de1072", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu", + "ValidFrom": "2013-10-30 00:00:00", + "ValidTo": "2015-11-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", - "ValidFrom": "2007-04-03 12:53:09", - "ValidTo": "2021-04-03 13:03:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + 
"ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000387a14cce6619d8c51000200000038", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" + "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } 
@@ -34742,84 +20507,99 @@ } ], "Tags": [ - "procexp.Sys" - ] + "krpocesshacker.sys" + ], + "yara": true }, { - "Id": "7c83cb1a-a5ab-4ea0-aa69-0e9a1d09a82f", + "Id": "93c84c08-4683-493d-abf7-22dc2d1cb567", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create GVCIDrv64.sys binPath=C:\\windows\\temp\\GVCIDrv64.sys type=kernel && sc.exe start GVCIDrv64.sys", + "Command": "sc.exe create PanIOx64.sys binPath=C:\\windows\\temp\\PanIOx64.sys type=kernel && sc.exe start PanIOx64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "GVCIDrv64.sys", - "MD5": "8b287636041792f640f92e77e560725e", - "SHA1": "e92817a8744ebc4e4fa5383cdce2b2977f01ecd4", - "SHA256": "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f", + "Filename": "PanIOx64.sys", + "MD5": "0d6fef14f8e1ce5753424bd22c46b1ce", + "SHA1": "814200191551faec65b21f5f6819b46c8fc227a3", + "SHA256": "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74", "Signature": [ - "GIGA-BYTE TECHNOLOGY CO., LTD.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" + "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", + "Description": "Temperature and system information driver", + "Product": "PanIO Library", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "PanIOx64.sys", "Authentihash": { - "MD5": "263d00295d36d976b90f44aadc1faa90", - "SHA1": "4eae38e9dc262eb7b6ede4b3d3f4ad068933845e", - "SHA256": "2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07" + "MD5": "7bd56fcd55d1fd188e5200b7db5cd7be", + "SHA1": "519926b0b385e27141d88c5576aa9f86d8d3bb0d", + "SHA256": "13aa698c09a31d642d3e2a9dd03be2363b11b4024689fb6c97234719446dbbd7" }, - "InternalName": "", - "Copyright": "", + "InternalName": "PanIOx64.sys", + "Copyright": "Copyright (c) 2012-2014 Pan Yazilim Bilisim Teknolojileri Tic. Ltd. 
Sti.", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "IoCreateSymbolicLink", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", "IoCreateDevice", - "IofCompleteRequest", - "RtlCopyUnicodeString", - "DbgPrint", - "ZwClose", + "KeBugCheckEx", "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionUnbindClass", - "WdfVersionBindClass" + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -34827,45 +20607,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign 
CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=NEW TAIPEI, O=GIGA,BYTE TECHNOLOGY CO., LTD., CN=GIGA,BYTE TECHNOLOGY CO., LTD.", - "ValidFrom": "2016-07-21 00:00:00", - "ValidTo": "2019-09-19 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "ValidFrom": "2014-04-15 15:12:40", + "ValidTo": "2015-04-15 10:41:35", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2ad22e071f61cafe7884bfa43a31b21b", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "1121506480253469e07e54ee8612041fbb92", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } 
@@ -34873,27 +20653,27 @@ } ], "Tags": [ - "GVCIDrv64.sys" - ] + "PanIOx64.sys" + ], + "yara": true }, { - "Id": "351ff5ca-f07b-4eb6-9300-d5d31514defb", + "Id": "d4664202-d1b9-44d4-97cc-fee2150082db", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create nscm.sys binPath=C:\\windows\\temp \\n \\n \\n scm.sys type=kernel && sc.exe start nscm.sys", - "Description": "nscm.sys is a vulnerable driver. CVE-2013-3956.", + "Command": "sc.exe create nvflsh64.sys binPath=C:\\windows\\temp \\n \\n \\n vflsh64.sys type=kernel && sc.exe start nvflsh64.sys", + "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", 
@@ -34902,67 +20682,53 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "nscm.sys", - "MD5": "4a23e0f2c6f926a41b28d574cbc6ac30", - "SHA1": "64e4ac8b9ea2f050933b7ec76a55dd04e97773b4", - "SHA256": "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22", + "Filename": "nvflsh64.sys", + "MD5": "d3e40644a91327da2b1a7241606fe559", + "SHA1": "7667b72471689151e176baeba4e1cd9cd006a09a", + "SHA256": "a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3", "Signature": [ - "Novell, Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" + "NVIDIA Corporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", "Publisher": "", - "Company": "Novell, Inc.", - "Description": "Novell XTier Session Manager", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "FileVersion": "3.1.11.0", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "nscm.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "0d1a4e506e7c928f1683a9cf38eb0835", - "SHA1": "50471608c91621cb84ba646974311da0abf6b3e9", - "SHA256": "0e291148da43ea6a491b8b94bdf573365087940c9b90f6a15a4e589da86a518d" + "MD5": "c3a003ae7b48dcd1dac8bced7cf93f28", + "SHA1": "118cbd8cae88dc0dfb0d6a24df9161c90b916b90", + "SHA256": "372c6118541efaa800bcba6e0c1780f9beb8cab6f2176bcc5fe3664ea19379e4" }, "InternalName": "", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "ObfDereferenceObject", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "KeInitializeMutex", - "IoQueueWorkItemEx", - "IoDeleteDevice", - "IoFreeWorkItem", - "RtlEqualUnicodeString", - "ZwOpenProcessTokenEx", - "IoAllocateWorkItem", - "ZwClose", - "ZwOpenProcess", - "DbgPrint", - "PsGetCurrentProcessId", + "IoCreateSymbolicLink", "IoCreateDevice", - "ZwQueryInformationToken", - "PsSetCreateProcessNotifyRoutine", - "SeRegisterLogonSessionTerminatedRoutine", - "SeUnregisterLogonSessionTerminatedRoutine", - "ZwOpenThreadTokenEx", - "IoGetCurrentProcess", - "SeMarkLogonSessionForTerminationNotification", + "ExAllocatePoolWithTag", "KeBugCheckEx", - "KeWaitForSingleObject", - "ZwQueryInformationProcess", - "KeReleaseMutex", - "NicmCreateInstance", - "NicmDeregisterClassFactory" + "IoDeleteDevice", + "ZwClose", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -34984,17 +20750,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2010-04-03 00:00:00", - "ValidTo": "2013-04-26 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -35003,12 +20762,26 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", + "ValidFrom": "2011-09-02 00:00:00", + "ValidTo": "2014-09-01 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "43bb437d609866286dd839e1d00309f5", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -35016,374 +20789,386 @@ } ], "Tags": [ - "nscm.sys" - ] + "nvflsh64.sys" + ], + "yara": false }, { - "Id": "90afa27c-0f67-46a6-b4a9-809f55157c71", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "50cfaec9-55f8-49df-aa3e-b9ec3f4f4ff3", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create nscm.sys binPath=C:\\windows\\temp\\nscm.sys type=kernel && sc.exe start nscm.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create mhyprot.sys binPath=C:\\windows\\temp\\mhyprot.sys type=kernel && sc.exe start mhyprot.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Mhyprot.yar", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "FileName": "nscm.sys", - "MD5": "ba2c0fa201c74621cddd8638497b3c70", - "SHA1": "8f540936f2484d020e270e41529624407b7e107e", - "SHA256": "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7", + "Filename": "mhyprot.sys", + "MD5": "4b817d0e7714b9d43db43ae4a22a161e", + "SHA1": "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3", + "SHA256": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6", + "Signature": [ + "miHoYo Co.,Ltd.", + "DigiCert Assured ID Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + 
"Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "3a5b83215c9ea17f8d3ad3812c30a340", - "SHA1": "533e0690528ff3f0d59edeed9dd53b4f37c0a110", - "SHA256": "1622ac0c618a86be17e0f97daa061f9aaa0e721dc0fd30d76bbc5c958e9a9d92" + "MD5": "ff295de93e6b6dcc3938d50901a7240d", + "SHA1": "484c72dd4fd91083b249f3ccc733a3c8335e583f", + "SHA256": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c" }, - "Description": "Novell XTier Session Manager", - "Company": "Novell, Inc.", "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "WDFLDR.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ + "NtQuerySystemInformation", + "RtlInitUnicodeString", + "ExAllocatePool", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "IofCompleteRequest", "IoCreateDevice", - "SeUnregisterLogonSessionTerminatedRoutine", - "KeInitializeMutex", + "IoCreateSymbolicLink", "IoDeleteDevice", - "SeRegisterLogonSessionTerminatedRoutine", - "ZwOpenProcessTokenEx", - "KeReleaseMutex", + "IoDeleteSymbolicLink", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ZwClose", - "SeMarkLogonSessionForTerminationNotification", - "ZwQueryInformationToken", - "ZwOpenThreadTokenEx", - "KeBugCheckEx", - "KeWaitForSingleObject", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", + "__C_specific_handler", + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + 
"KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "ZwQueryVirtualMemory", + "MmProbeAndLockPages", + "PsLookupProcessByProcessId", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", "IoGetCurrentProcess", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", "DbgPrint", - "NicmCreateInstance", - "NicmDeregisterClassFactory" + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "KeInitializeEvent", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmBuildMdlForNonPagedPool", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"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", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "mhyprot.sys" + ], + "yara": false + }, + { + "Id": "45f2c348-bf17-40ab-8306-ef14231cc996", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create 
WinIO32B.sys binPath=C:\\windows\\temp\\WinIO32B.sys type=kernel && sc.exe start WinIO32B.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WinIO32B.sys", + "SHA1": "f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIO32B.sys" + ], + "yara": false + }, + { + "Id": "47fe1aaf-02cd-4a41-8bf5-0047015a2a6e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create phymem64.sys binPath=C:\\windows\\temp\\phymem64.sys type=kernel && sc.exe start phymem64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52.yara" }, { - "FileName": "nscm.sys", - "MD5": "4c76554d9a72653c6156ca0024d21a8e", - "SHA1": 
"6d3c760251d6e6ea7ff4f4fcac14876fac829cf9", - "SHA256": "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0", - "Authentihash": { - "MD5": "b546d6b223a9e1a42f8359dbf9d9737c", - "SHA1": "41f6704252efa14de0d72eeaf7475886ba7f3bdc", - "SHA256": "92ca1aec3afc90b44861c2e0be084a3db38d22d52f35e1697643d6477151392f" - }, - "Description": "Novell XTier Session Manager", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" - ], - "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "KeInitializeMutex", - "IoQueueWorkItemEx", - "IoDeleteDevice", - "IoFreeWorkItem", - "RtlEqualUnicodeString", - "ZwOpenProcessTokenEx", - "IoAllocateWorkItem", - "ZwClose", - "ZwOpenProcess", - "DbgPrint", - "PsGetCurrentProcessId", - "IoCreateDevice", - "ZwQueryInformationToken", - "PsSetCreateProcessNotifyRoutine", - "SeRegisterLogonSessionTerminatedRoutine", - "SeUnregisterLogonSessionTerminatedRoutine", - "ZwOpenThreadTokenEx", - "IoGetCurrentProcess", - "SeMarkLogonSessionForTerminationNotification", - "KeBugCheckEx", - "KeWaitForSingleObject", - "ZwQueryInformationProcess", - "KeReleaseMutex", - "NicmCreateInstance", - "NicmDeregisterClassFactory" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher", - "ValidFrom": "2022-01-27 19:31:19", - "ValidTo": "2023-01-26 19:31:19", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Production PCA 2011", - "ValidFrom": "2011-10-19 18:41:42", - "ValidTo": "2026-10-19 18:51:42", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000036ce57eeb5d1cc2be1700000000036c", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" - } - ] - } - ] + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "FileName": "nscm.sys", - "MD5": "5f4a232d92480a1bebbe025ef64dc760", - "SHA1": "0cb14c1049c0e81c8655ab7ee7d698c11758ea06", - "SHA256": "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c", - "Authentihash": { - "MD5": "5d62cae57be434a4d56924574498c4f2", - "SHA1": "1a99d3141d75a3ef1998944b2d107089ce3ef6e4", - "SHA256": "a363deaf1790e9c0610e07a7203749aab8b60f5ededc944abc0ef3010f5e2105" - }, - "Description": "XTier Security Context Manager", - "Company": "Micro Focus", - "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.12.0", - "Product": "Micro Focus XTier", - "ProductVersion": "3.1.12", - "Copyright": "(C) Copyright 2000-2017, Micro Focus. 
All Rights Reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" - ], - "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "KeInitializeMutex", - "PsLookupProcessByProcessId", - "IoDeleteDevice", - "RtlEqualUnicodeString", - "ZwOpenProcessTokenEx", - "_vsnwprintf", - "ZwClose", - "ZwOpenProcess", - "ZwQueryInformationProcess", - "DbgPrint", - "IoCreateDevice", - "ZwQueryInformationToken", - "RtlDeleteRegistryValue", - "PsSetCreateProcessNotifyRoutine", - "SeRegisterLogonSessionTerminatedRoutine", - "SeUnregisterLogonSessionTerminatedRoutine", - "ZwOpenThreadTokenEx", - "IoGetCurrentProcess", - "SeMarkLogonSessionForTerminationNotification", - "PsGetCurrentProcessId", - "KeBugCheckEx", - "KeWaitForSingleObject", - "ObfDereferenceObject", - "KeReleaseMutex", - "NicmCreateInstance", - "NicmDeregisterClassFactory" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2021-09-09 19:15:59", - "ValidTo": "2022-09-01 19:15:59", - "Signature": 
"1757782e797188079911866d54bd474a2432707984658c549a407e7fb4e5efa2ba72367a02b382d2116d4c4538836ddcd4616fcd231229df1ae5d0da6b3abe499ee5d8b47a7919940f6bbcbe2575018dca65eef4913e3d38410f2cd6cca3082d9ba2c061173cd828635665f76e8f0f685e03da24290b9d2cae7039da974de7b7e85798ba64cbe9ba34e0308c3bd6b4d68e9723fde74274fd3806fe799d04d6a3835f82d4fefc52088ccda4b4c817116f2f5a99445a3e952d78bc27753e65e97c6271c71ac7c9e3439b847e8984ab06a5904d150223f9ca92bbda86c02663c3f4964da5e106619b6eaff2768143cce9e5a8b0b2cba90e82cd87866d9fd6499c6cfbc96529a18b5653d12b54a6c928693a4e3d197ffbfcce7ed71a909b18d09b4345b24bc25eb8dfa1821a9cd0971ffc7d38a26580e2f118c4ac55bf926d0666b72ad7ba6ec20f0b54d694bc3b8a0dbddda27bd64194da085319841d1ebc9dc067ef72ea064a475bea865828b13077bc8e14e2f7544b90f0045f3cd84bcc0d5a80645a6fb65528e4f768ec775bdb0225399f3c81c0b667714676d0949f9ffaddc8549dc45e5ce4345c4ea7dc0aff4ac510f5527ad94a2181edc4b73bcfde813a83d81ca897854c98712346001a12e5d3bf9a45c807f9b3c7d3e0bb99c035ea54ee39e2c9af4147dbea7aabec85b47192b945e083ddf6061afb901e83b11135d24e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000004de597a775e3157f7b00000000004d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" }, { - "FileName": "nscm.sys", - "MD5": "f56f30ac68c35dd4680054cdfd8f3f00", - "SHA1": "fce3a95b222c810c56e7ed5a3d7fb059eb693682", - "SHA256": "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c", - 
"Authentihash": { - "MD5": "3050ced748b80cc81892435fd0868bfc", - "SHA1": "579e23f2b6ce2221ba435abc20801e98ab91a360", - "SHA256": "34f36a59ecf6174eeac15994e54c41fe1e3e3b1eee8ed4c399ec8c63212373d7" - }, - "Description": "Novell XTier Session Manager", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2011, Novell, Inc. All Rights Reserved.", + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "phymem64.sys", + "MD5": "2c54859a67306e20bfdc8887b537de72", + "SHA1": "d7f7594ff084201c0d9fa2f4ef1626635b67bce5", + "SHA256": "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52", + "Signature": [ + "Super Micro Computer, Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Super Micro Computer, Inc.", + "Description": "phymem Application", + "Product": "phymem", + "ProductVersion": "1, 0, 0, 0", + "FileVersion": "1, 0, 0, 0", "MachineType": "AMD64", + "OriginalFilename": "phymem.sys", + "Authentihash": { + "MD5": "aa43aa9f88e2fed984077a8852d85a4f", + "SHA1": "52a8cd44646973b59c244b5f7b04b33a412634a2", + "SHA256": "6ed3379d7ac1ad8bcfd13cd2502420569088ee7f1e04522ada48481d9a545a08" + }, + "InternalName": "phymem", + "Copyright": "Copyright(c) 1993-2015 Super Micro Computer, Inc.", "Imports": [ - "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "NTOSKRNL.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "SeUnregisterLogonSessionTerminatedRoutine", - 
"KeInitializeMutex", - "IoDeleteDevice", - "SeRegisterLogonSessionTerminatedRoutine", - "SeMarkLogonSessionForTerminationNotification", - "KeReleaseMutex", - "ZwOpenThreadTokenEx", - "ZwOpenProcessTokenEx", - "IoGetCurrentProcess", - "ZwClose", - "KeBugCheckEx", "KeWaitForSingleObject", - "ZwQueryInformationToken", - "DbgPrint", - "NicmCreateInstance", - "NicmDeregisterClassFactory" + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlInitUnicodeString", + "ExAllocatePool", + "IofCompleteRequest", + "ExFreePoolWithTag", + "IoFreeMdl", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "IoDeleteSymbolicLink", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2010-04-03 00:00:00", - "ValidTo": "2013-04-26 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -35392,193 +21177,507 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=San Jose, O=Super Micro Computer, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=Super Micro Computer, Inc.", + "ValidFrom": "2012-09-14 00:00:00", + "ValidTo": "2015-11-13 23:59:59", + "Signature": "47334026faeeba8c5d59d4971b4bfccff0fdf0a606adfb714c7ece1a3ddc350f198097d2ba6079ca9eabe64f03f7375b78366baa8ac1e9295c31d03b9fca004b8fb5f70d9c98b7905f4b151edc16ca82731498451fcc28f31665c1850d887f0ece1ef0fad9ffd0dd7b1515fa1e121e2575e6a31f25010f0306df2b81ddf291c9f17b3d582c0af97d219c007ec03b1a38a8794ab447b5cdb8637a8f6704124f9776eda3af121ab980a2525f0f09accea3213c6fa4d606d7e48580db97aee01a048ad3420d205b99b0023b59a4f8df1b3013e4e8bc496b73cd950e297202bd09a6c77011deecb43cbffb7038344e025dad84099324518c5a2deb3c6728b4346603", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "3676642ba91b1d0bdf1d3ad0a6efaf4b", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "phymem64.sys" + ], + "yara": true + }, + { + "Id": "1524a54d-520d-4fa4-a7d5-aaaa066fbfc4", + "Author": "Michael Haag", 
+ "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create dbk64.sys binPath=C:\\windows\\temp\\dbk64.sys type=kernel && sc.exe start dbk64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "nscm.sys", - "MD5": "a1547e8b2ca0516d0d9191a55b8536c0", - "SHA1": "7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0", - "SHA256": "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2", + "Filename": "dbk64.sys", + "MD5": "1c294146fc77565030603878fd0106f9", + "SHA1": "6053d258096bccb07cb0057d700fe05233ab1fbb", + "SHA256": "18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6", + "Signature": [ + "Cheat Engine", + "GlobalSign Extended Validation CodeSigning CA - SHA256 - G3", + "GlobalSign", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "7e245f8b1d1bddfd217d1cd060b91657", - "SHA1": "8c89db8dd4d7947cb5eb13c7a12907564576cb91", - "SHA256": "00dfeab446afecac7b44b0b1680d5ca7d421eda243e16db8c08706bb593a8391" + "MD5": "50dadd183094b8711a4f00a198972e6b", + "SHA1": "d7512b033d7332edd747631f9d1ccc9276dadbe4", + "SHA256": "71dc8d678e0749599d3db144c93741f64def1b8b0efb98bef963d2215ebb4992" }, - "Description": "Novell XTier Session Manager", - "Company": "Novell, Inc.", "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) 
Copyright 2000-2008, Novell, Inc. All Rights Reserved.", - "MachineType": "I386", + "Copyright": "", "Imports": [ + "ksecdd.sys", "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "WDFLDR.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "SeUnregisterLogonSessionTerminatedRoutine", - "SeRegisterLogonSessionTerminatedRoutine", - "KeInitializeMutex", + "BCryptVerifySignature", + "BCryptCreateHash", + "BCryptDestroyKey", + "BCryptFinishHash", + "BCryptDestroyHash", + "BCryptImportKeyPair", + "BCryptCloseAlgorithmProvider", + "BCryptGetProperty", + "BCryptHashData", + "BCryptOpenAlgorithmProvider", + "ExDeleteResourceLite", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObUnRegisterCallbacks", "ZwClose", + "ZwOpenKey", + "ZwQueryValueKey", + "SeSinglePrivilegeCheck", + "PsSetCreateProcessNotifyRoutineEx", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeFlushQueuedDpcs", + "KeRevertToUserAffinityThreadEx", + "KeSetSystemAffinityThreadEx", + "KeQueryActiveProcessors", + "KeInitializeEvent", + "KeSetEvent", "KeWaitForSingleObject", - "ZwOpenProcessTokenEx", - "ZwOpenThreadTokenEx", + "PsGetCurrentProcessId", + "PsGetCurrentThreadId", + "KeDelayExecutionThread", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "PsWrapApcWow64Thread", + "IoAllocateMdl", + "IoFreeMdl", "IoGetCurrentProcess", - "SeMarkLogonSessionForTerminationNotification", - "KeTickCount", - "DbgPrint", - "ZwQueryInformationToken", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ObRegisterCallbacks", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalMemoryRanges", + "MmGetPhysicalAddress", + 
"PsSetCreateThreadNotifyRoutine", + "PsGetProcessId", + "PsGetThreadProcessId", + "ExFreePoolWithTag", + "KeDetachProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "KeInitializeApc", + "KeInsertQueueApc", + "ZwOpenThread", + "ZwQueryInformationProcess", + "PsProcessType", + "PsThreadType", + "DbgBreakPointWithStatus", + "RtlGetVersion", + "ExAllocatePoolWithTag", + "MmGetVirtualForPhysical", + "PsLookupThreadByThreadId", + "__C_specific_handler", + "KeQueryActiveProcessorCount", + "KeClearEvent", + "ExAcquireResourceSharedLite", + "RtlInitializeGenericTable", + "RtlInsertElementGenericTable", + "RtlDeleteElementGenericTable", + "RtlLookupElementGenericTable", + "RtlGetElementGenericTable", + "KeReleaseSemaphore", + "KeInitializeSemaphore", + "KeWaitForMultipleObjects", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "MmBuildMdlForNonPagedPool", + "ZwCreateFile", + "ZwWriteFile", + "HalDispatchTable", + "KeInitializeMutex", "KeReleaseMutex", - "NicmCreateInstance", - "NicmDeregisterClassFactory" + "KeSetSystemAffinityThread", + "KeQueryMaximumProcessorCount", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemory", + "PsCreateSystemThread", + "ZwDeleteFile", + "ZwWaitForSingleObject", + "swprintf_s", + "MmMapIoSpace", + "MmUnmapIoSpace", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmAllocatePagesForMdl", + "ZwQueryInformationFile", + "ZwReadFile", + "RtlAppendUnicodeToString", + "RtlUnwindEx", + "RtlAnsiCharToUnicodeChar", + "KeBugCheckEx", + "ExInitializeResourceLite", + "RtlCopyUnicodeString", + "ExAllocatePool", + "DbgPrint", + "RtlInitUnicodeString", + "KeAttachProcess", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass", + "WdfVersionUnbind" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., 
CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2009-11-18 10:00:00", + "ValidTo": "2019-03-18 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "267f71f6ee43755fd6395f85c34bb15a72a6f2a959c2074627d294395fb1aaa4c7bbeff369d735628b233bde7e5c95a0f1837e5ad03704270834ce9c1b07649a256027930f44e064568666b06e7f9dc3cd299b38b0a6766301200ab58434a05a34a369ab99bbbf2aaa6b3603481e0393a80ea09e78a7cf55317a9590c49887f02e1fd948c3b1f6d203e91782ce423d0569f45e7f074205df5f92be6ccd9836641439af4390022242e0ca84aedb0d71c5a50f2dbd1ed30e5ac9c1bda67c694f94f2fe4aa83945ed32e426afe26f44dcb6dcc8186728f86f1a1bddc1ea7dd82b76578a42d1e63bf5f8f348fbcd509094858978e375d277394529df1dd5d78abab2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": 
"2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, serialNumber=50212036, ??=NL, C=NL, ST=Noord,Brabant, L=Eindhoven, ??=Frankendaal 32, O=Cheat Engine, CN=Cheat Engine", + "ValidFrom": "2018-01-26 17:35:01", + "ValidTo": "2019-05-04 16:21:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1a9706fde692d88ca99b822d", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" } ] } ] }, { - "FileName": "nscm.sys", - "MD5": "bd5d4d07ae09e9f418d6b4ac6d9f2ed5", - "SHA1": 
"d61acd857242185a56e101642d15b9b5f0558c26", - "SHA256": "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f", + "Filename": "dbk64.sys", + "MD5": "3a48f0e4297947663fbb11702aa1d728", + "SHA1": "a54ae1793e9d77e61416e0d9fb81269a4bc8f8a2", + "SHA256": "626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "32265ccdfe3d7f66269cbee0d5555e5b", - "SHA1": "72e5f5f6f266410d827fef10dc82c7ec8541e036", - "SHA256": "253ed7f5c7115e957dfdb1f5c6c51592b491a70b27787903c8fd848e45b9cf22" + "MD5": "8950c65d305c42ada6cf31188f526674", + "SHA1": "1be4ba36ba9ce5b10d90137c08cc21f823379841", + "SHA256": "d041654d8cbf189c29919733fd40184ceaf0050295fc7a7e6e3f4cda45b5e090" }, - "Description": "Novell XTier Session Manager", - "Company": "Novell, Inc.", "InternalName": "", - "OriginalFilename": "nscm.sys", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ + "ksecdd.sys", "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "WDFLDR.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "KeInitializeMutex", - "IoQueueWorkItemEx", + "BCryptVerifySignature", + "BCryptCreateHash", + "BCryptDestroyKey", + "BCryptFinishHash", + "BCryptDestroyHash", + "BCryptImportKeyPair", + "BCryptCloseAlgorithmProvider", + "BCryptGetProperty", + "BCryptHashData", + "BCryptOpenAlgorithmProvider", + "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", - "IoFreeWorkItem", - "RtlEqualUnicodeString", - "ZwOpenProcessTokenEx", - "IoAllocateWorkItem", + "IoDeleteSymbolicLink", + "ObUnRegisterCallbacks", "ZwClose", - "ZwOpenProcess", + "ZwOpenKey", + "ZwQueryValueKey", + "SeSinglePrivilegeCheck", + "PsSetCreateProcessNotifyRoutineEx", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeFlushQueuedDpcs", + "KeRevertToUserAffinityThreadEx", + "KeSetSystemAffinityThreadEx", + "KeQueryActiveProcessors", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "PsGetCurrentThreadId", + "KeDelayExecutionThread", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmAllocatePagesForMdlEx", + "PsWrapApcWow64Thread", + "IoAllocateMdl", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ObRegisterCallbacks", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalMemoryRanges", + "MmGetPhysicalAddress", + "PsSetCreateThreadNotifyRoutine", + "PsGetProcessId", + "PsGetThreadProcessId", + "KeAttachProcess", + "KeDetachProcess", + "ExInitializeResourceLite", + 
"KeUnstackDetachProcess", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "KeInitializeApc", + "KeInsertQueueApc", + "ZwOpenThread", + "ZwQueryInformationProcess", + "PsProcessType", + "PsThreadType", + "DbgBreakPointWithStatus", + "RtlGetVersion", + "MmGetVirtualForPhysical", + "PsLookupThreadByThreadId", + "__C_specific_handler", + "KeQueryActiveProcessorCount", + "KeClearEvent", + "ExAcquireResourceSharedLite", + "RtlInitializeGenericTable", + "RtlInsertElementGenericTable", + "RtlDeleteElementGenericTable", + "RtlLookupElementGenericTable", + "RtlGetElementGenericTable", + "KeReleaseSemaphore", + "KeInitializeSemaphore", + "KeWaitForMultipleObjects", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "MmBuildMdlForNonPagedPool", + "ZwCreateFile", + "ZwWriteFile", + "HalDispatchTable", + "KeInitializeMutex", + "KeReleaseMutex", + "KeSetSystemAffinityThread", + "KeQueryMaximumProcessorCount", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemory", + "PsCreateSystemThread", + "ZwDeleteFile", + "ZwWaitForSingleObject", + "swprintf_s", + "MmMapIoSpace", + "MmUnmapIoSpace", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmAllocateContiguousMemory", + "ZwQueryInformationFile", + "ZwReadFile", + "RtlAppendUnicodeToString", "DbgPrint", - "PsGetCurrentProcessId", - "IoCreateDevice", - "ZwQueryInformationToken", - "PsSetCreateProcessNotifyRoutine", - "SeRegisterLogonSessionTerminatedRoutine", - "SeUnregisterLogonSessionTerminatedRoutine", - "ZwOpenThreadTokenEx", - "IoGetCurrentProcess", - "SeMarkLogonSessionForTerminationNotification", + "RtlCompareMemory", + "ZwQueryInformationThread", + "RtlUnwind", + "RtlAnsiCharToUnicodeChar", "KeBugCheckEx", - "KeWaitForSingleObject", - "ZwQueryInformationProcess", - "KeReleaseMutex", - "NicmCreateInstance", - "NicmDeregisterClassFactory" + "ExDeleteResourceLite", + "RtlCopyUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePool", + 
"RtlInitUnicodeString", + "KeStackAttachProcess", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass", + "WdfVersionUnbind" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", - "ValidFrom": "2021-09-02 18:32:59", - "ValidTo": "2022-09-01 18:32:59", - "Signature": "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", + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2009-03-18 10:00:00", + "ValidTo": "2029-03-18 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", - "ValidFrom": "2011-07-08 20:59:09", - "ValidTo": "2026-07-08 21:09:09", - "Signature": "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", + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2018-09-19 00:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "OU=GlobalSign Root CA , R6, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2019-02-20 00:00:00", + "ValidTo": "2029-03-18 10:00:00", + "Signature": 
"49ac5ec583f35acb612a4d974a15299fe41490aa09f9c47a9f35188a0a33156d7287224e413f6d0a9e18aedbe25ffc95d12c98143b8ec1f0365979f38d81cf74f618a4e4e168cfef7f655942e9ca5539bcd3c526ee7138fad721030fb74ed95b606a43b47d09d06061ddaaed005e4e321ee0b26c9e3cb2c2bb98d390766a69ad1adca889da584fd2c28b324ace54fb38e93b070b750a11db0b7c2527f1ac26cf1153e6dcc6e2613532f4cedd83e3193aebc268a37200c8243c4eb8533cb117abe6352cf9d34229e65f6003ac4261a6b1576a3342df353186ca3e372bdac4da24f54e12f2b6b9b747eabb20ad6116b7a033e32d89a7bcb33c017f231a800934e9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Code Signing Root R45", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2029-03-18 00:00:00", + "Signature": "acf7cc158b3079a81d0b28881909d71c7ffe86bd7b5a336e0d670e7b62d9e1185cb0bd135d1d23ae39507637aa44fd5f01235986564cccadbc64131430a420a8e03fe89c72dc7ef3d80c23baa82daa3cf6ec9f87310765f539a7518275e1f22f97f6d1e165968364fea11d51fbb5249bf5d27769bc852c5cfa5877d1aea7b10be2d677bba9b4344aa96f3df4f30d955de6f97a45b02517312edbf70f68e6831fa9f7e5d49d988cd3614b2fc3287e7ade930eb47da00a6d92c4b4663f7da758eeacf7ecc30801ab38fc0a1ca9c597b288c8090219f65c9a1af14d6c30d4b306ab0060480d78abcf17ad9293622077756cbdc832b4dc4debd9dfc1909629bdc17f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , SHA384 , G4", + "ValidFrom": "2018-06-20 00:00:00", + "ValidTo": "2034-12-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "??=Private Organization, serialNumber=50212036, ??=NL, C=NL, ST=Noord,Brabant, L=Waalre, ??=Irenelaan 24, O=Cheat Engine, CN=Cheat Engine", + "ValidFrom": "2021-04-13 18:52:42", + "ValidTo": "2022-07-04 16:21:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, 
O=GlobalSign nv,sa, CN=Globalsign TSA for MS Authenticode Advanced , G4", + "ValidFrom": "2021-05-27 10:00:16", + "ValidTo": "2032-06-28 10:00:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2030-07-28 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000002528b33aaf895f339db000000000252", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + "SerialNumber": "3038811fdd430a77db5b3cc2", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020" } ] } 
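Review bot: The value type of several keys drifts between samples inside this hunk, which a strictly typed consumer will not survive: the first dbk64.sys sample carries `"Signature": [ "Cheat Engine", ... ]` while the second (SHA256 `626fae47...`) has `"Signature": ""`, and `"ExportedFunctions": ""` / `"CertificatesInfo": ""` replace the arrays used elsewhere in the file. If pkg/loldrivers unmarshals this into Go structs with `[]string` fields, the string form will fail the decode for the whole file; the loader is not visible here, so either confirm it uses a tolerant type with a custom UnmarshalJSON or normalize these to `[]` when refreshing the snapshot. Note also that the second dbk64.sys sample has an empty `Signature` summary even though its `Signatures[0].Signer` shows the Cheat Engine / GlobalSign EV chain, so any matching that keys on the short `Signature` list rather than the MD5/SHA1/SHA256 and Authentihash values would miss this sample. The phymem64.sys object whose certificate list opens this hunk begins in the previous hunk.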
@@ -35586,194 +21685,155 @@ } ], "Tags": [ - "nscm.sys" - ] + "dbk64.sys" + ], + "yara": false }, { - "Id": "a7628504-9e35-4e42-91f7-0c0a512549f4", + "Id": "d74fdf19-b4b0-4ec2-9c29-4213b064138b", "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Created": "2023-05-11", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create SANDRA binPath=C:\\windows\\temp\\SANDRA type=kernel && sc.exe start SANDRA", + "Commands": "sc.exe create irec binPath=C:\\windows\\temp\\irec.sys type=kernel && sc.exe start irec.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10", "Resources": [ - "Internal Research" + "https://github.com/alfarom256/HPHardwareDiagnostics-PoC" ], "Acknowledgement": { - "Person": [], - "Handle": "" + "Person": "Michael Alfaro", + "Handle": "@_mmpte_software" }, "Detection": [], "KnownVulnerableSamples": [ { - "FileName": "SANDRA", - "MD5": "c842827d4704a5ef53a809463254e1cc", - "SHA1": "09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5", - "SHA256": "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75", + "FileName": "irec.sys", + "MD5": "f1a203406a680cc7e4017844b129dcbf", + "SHA1": "d2fb46277c36498e87d0f47415b7980440d40e3d", + "SHA256": "dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094", "Authentihash": { - "MD5": "e4c579f7ebcf89c4f5790a584eb5af4c", - "SHA1": "6cec31c2fa78387a8d4d06934ac370033dd24ade", - "SHA256": "959860cea7a720811a960e28e0318c470948d96ab3ba3312d20fea0f24bc0979" + "MD5": "3a6ceda4dfa265ed536cbabe0f1d4466", + "SHA1": "719f659300ba463efeeab5916f0378c64fc1ad4a", + "SHA256": "457e2eb5ee1def0e336463b7f62dcc02fdde307b817cf750907a5f5465c4dcb7" }, - "Description": "Sandra Device Driver (Win64 x64)(Unicode)", - "Company": "SiSoftware", - "InternalName": "SANDRA", - "OriginalFilename": "SANDRA", - "FileVersion": "10.7.1.1 built by: WinDDK", - "Product": "SiSoftware Sandra", - "ProductVersion": "10.7.1.1", - 
"Copyright": "Copyright © SiSoftware Ltd 1995-2007. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "FLTMGR.SYS", + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwSetValueKey", - "NtQueryInformationProcess", - "ZwClose", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoQueryDeviceDescription", - "ZwSetInformationThread", - "RtlUnicodeStringToAnsiString", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoFreeMdl", - "IoAllocateMdl", - "MmBuildMdlForNonPagedPool", - "ZwCreateKey", - "IoRegisterShutdownNotification", - "MmResetDriverPaging", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "IofCompleteRequest", - "MmPageEntireDriver", - "IoUnregisterShutdownNotification", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "RtlQueryRegistryValues", - "IoCreateDevice", - "IoCreateSymbolicLink", - "KeBugCheckEx", + "FltRegisterFilter", + "FltUnregisterFilter", + "FltStartFiltering", + "FltGetFileNameInformation", + "FltReleaseFileNameInformation", + "FltParseFileNameInformation", + "FltAttachVolume", + "FltAllocateContext", + "FltSetInstanceContext", + "FltDeleteInstanceContext", + "FltGetInstanceContext", + "FltReleaseContext", + "FltEnumerateVolumes", + "FltObjectDereference", + "FltCloseCommunicationPort", + "FltGetRequestorProcessId", + "DbgPrint", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "RtlIntegerToUnicodeString", "RtlAppendUnicodeToString", - "IoReportResourceUsage", - "RtlInitUnicodeString", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "HalTranslateBusAddress", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust 
TrustCenter CodeSigning CA I", - "ValidFrom": "2006-02-01 21:44:28", - "ValidTo": "2016-01-30 21:44:28", - "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", - "ValidFrom": "2006-08-25 14:34:37", - "ValidTo": "2009-08-25 14:34:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", - "ValidFrom": "2006-02-13 15:40:22", - "ValidTo": "2016-02-11 15:40:22", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", - "ValidFrom": "2006-05-23 17:01:15", - "ValidTo": "2016-05-23 17:11:15", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "008da900010020ba965fe3dc471ba8", - "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" - } - ] - } - ] - }, - { - "FileName": "SANDRA", - "MD5": "84b17daba8715089542641990c1ea3c2", - "SHA1": "3059bc49e027a79ff61f0147edbc5cd56ad5fc2d", - "SHA256": "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b", - "Authentihash": { - "MD5": "22eb1c16aae2709fa26bb9da73ab3df8", - "SHA1": "deec6cefac2084349127f29ac7ccf26b24458d89", - "SHA256": "18dfe852fade6625862cc963922c1f2389a296af96df11eb7b62bbeddd61e18a" - }, - 
"Description": "Sandra Device Driver (Win64 x64)(Unicode)", - "Company": "SiSoftware", - "InternalName": "SANDRA", - "OriginalFilename": "SANDRA", - "FileVersion": "10.5.1.1 built by: WinDDK", - "Product": "SiSoftware Sandra", - "ProductVersion": "10.5.1.1", - "Copyright": "Copyright © SiSoftware Ltd 1995-2006. All rights reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwSetValueKey", - "NtQueryInformationProcess", - "ZwClose", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoQueryDeviceDescription", - "ZwSetInformationThread", - "RtlUnicodeStringToAnsiString", + "KeInitializeEvent", + "KeWaitForSingleObject", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", + "IoFreeIrp", "IoFreeMdl", - "ZwCreateKey", + "IoGetDeviceObjectPointer", + "ObfReferenceObject", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoGetDeviceAttachmentBaseRef", + "IoGetStackLimits", + "FsRtlIsNameInExpression", + "strncpy", + "wcsncpy", + "wcsstr", + "RtlInitUnicodeString", + "RtlGetVersion", + "MmGetSystemRoutineAddress", + "MmIsDriverVerifying", + "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", - "IoRegisterShutdownNotification", - "MmResetDriverPaging", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "IofCompleteRequest", - "MmPageEntireDriver", - "IoUnregisterShutdownNotification", - "IoDeleteSymbolicLink", "IoDeleteDevice", - "RtlQueryRegistryValues", - "KeBugCheckEx", - "RtlAppendUnicodeToString", - "IoReportResourceUsage", - "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ObCloseHandle", + "PsGetCurrentProcessId", + "IoCreateFileSpecifyDeviceObjectHint", + "KeStackAttachProcess", + 
"KeUnstackDetachProcess", + "IoFileObjectType", + "PsProcessType", + "MmHighestUserAddress", + "RtlInt64ToUnicodeString", + "RtlCompareUnicodeString", + "RtlAppendUnicodeStringToString", + "ObQueryNameString", + "ZwQueryObject", + "ZwOpenDirectoryObject", + "_vsnwprintf", + "ObOpenObjectByName", + "ZwQueryDirectoryObject", + "ZwQueryInformationProcess", + "ZwQueryInformationThread", + "IoDriverObjectType", + "_stricmp", + "RtlFreeUnicodeString", + "KeInitializeMutex", + "ExSystemTimeToLocalTime", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessCreateTimeQuadPart", + "ZwOpenProcess", + "RtlConvertSidToUnicodeString", + "PsReferencePrimaryToken", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ZwQueryInformationToken", + "PsGetProcessImageFileName", + "PsGetProcessSectionBaseAddress", + "ZwQuerySystemInformation", + "PsGetProcessId", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalMemoryRanges", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "HalTranslateBusAddress", - "KeStallExecutionProcessor" + "KeDelayExecutionThread", + "ProbeForRead", + "KeBugCheckEx" ], "Signatures": [ { 
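Review bot: The irec.sys sample names its file with `"FileName"` while the other samples this commit adds (Black.sys, MsIo64.sys, PCHunter.sys) use `"Filename"`, and the record's `"Commands"` is a bare string with `Usecase`, `Privileges` and `OperatingSystem` hoisted to record level, where those records nest them inside a `"Commands"` object; `"Description"` is `[]` here and a string elsewhere, and `"Person"` flips from `[]` in the removed record to a string. A consumer that selects on the exact key, or decodes these fields into one static type, will either miss this sample's name or reject the whole file, so the generator should emit one key spelling (`"Filename"`) and one `Commands` shape for every record, or the consumer must explicitly treat these fields as polymorphic. The irec.sys record's `Signatures` array opens at the end of the hunk and continues into the next one.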
@@ -35781,263 +21841,410 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", - "ValidFrom": "2006-02-01 21:44:28", - "ValidTo": "2016-01-30 21:44:28", - "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", - "ValidFrom": "2006-08-25 14:34:37", - "ValidTo": "2009-08-25 14:34:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", - "ValidFrom": "2006-02-13 15:40:22", - "ValidTo": "2016-02-11 15:40:22", - "Signature": "bb64424e3d84a554ba24c4d75f1adbff39b1e0569823903b43d0d95dde4aacb2c13c40d61330b7ba52d48127399813f0c3754d556b0375bcc671348bf7e7e73916ed64ef034ef6a611ad21b3ecc0281f040d8c09aa32d72c99f16216d26e6f387e29504782ab56733ba9e75c53456699b30acfc19840d31d4228274c497f1ab1f9827a2ff19b3b784e48511a2af48c06c09610e337b18d9be9739267b2b45fae47daa2fd8f5b9dbbb85a080a12c025ecd637182df0661ec24020c0303cc7fe64d032590519f908d367c1d5ffa85948d7c1dda9f06fe09acc4e55a625fa3175f41d46ab5c9e35a86b9dfa1bb608e586a0ed95d9fe6ff59f4f26724567ba77449e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:25:28", + "ValidTo": "2021-12-02 22:25:28", + "Signature": 
"3a8e15af3660c47a1def4303906af38b6ca69186409b4f44ebe8106ece701f6e00e734fe1d0bb290d1496c3f17859e1f9ff1f31080dd8bfd2bb5013956c2f49ffe73916654f04c35b9df2fb27c55a71df3d8e1f25185d398abed244b42e27741c0b1c953c139c011b801f00e80ea992005a1305dd65bcb2032790b0d87636b75d2fb8f431546cd906ab0a55083a26d2649d822871b6aacd1b4d8c74ea2366903eeb318e7826db64e3a858d6377cf2f9a628f21d6ef65279603c18d25d365dd370cef1a45527deec589a331a221c909a8b0d2010d078970678c648d62168056e3b775233eac20e50cc039a85900749f627a419e8959fcf21efc89da76426107e43261ccdcaebad659b89abfdd5d1a78e9d438868b9ff58cac5176bddff8c8dd11008ed72ed249bb7d78af559b04561e6b44aae7846b103d2db8c0e31a5f661851f97acba0757b474c1caa49cf8eed86de15a4118743a418b6b415e7770265801ba51061b5d32125ed5ba1e27fe83ac795f9cc868949b14d59eb4f596763da9102f9e6ae8fe92de61d68af67a906e0be424f5c81dcecd4d190953a66384c3b5fe33f7b402a0934c2befd4a51b2f2850ef05e156fc4e1460eab2f67e3cbc999db761f57970ccafbc49040e999965f5306c1f5c90ce172d889a3aa63ec502a60020b2a7b4fff562b9dc5c50a8e06bc52f04ff0fe535591e2e6b7325239666152819a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", - "ValidFrom": "2006-05-23 17:01:15", - "ValidTo": "2016-05-23 17:11:15", - "Signature": 
"87a40f6b55916248ff54811ccf5db6c5a514aa671df485f6860d38b31c8d22ce7c867946fb71e16114d0ed4e46a48bca64654094f92ad7870ca9b7bedcc40bbd09c106eb9530841b9d8de7bc70c6f86539c4e5c4e65c8fcda130baef065e555290edd8587f15142ecc21a593dab8508d805e6e22a70fde8093add71d24b02aa2f4f20b98750131cc69bc359b3d13662f21bde54ec3639cc8518d59f5b600937ef10c35b0f4180dbfa7bdb2aae16b9f3ce6bb41b5d904e7c8a63abf8a5bdcaa9a3cd2c8dfcb1774163d78470b4c108e406616a0f300ede034998af0f9460ff27fbf202c972616d59e81da94a6dc61c8f18e092d4e32d03df682267d91d7a6c67bc1311d210ed4a342c1b4dfc0446b4f2aeebb29d62787b0a450ae1a9ab5f996f4ccabe52b3df166e2d5e1c3f0c687b659536638026e6194df1563aa415052f9bb64dc95e05b6c2aacfed6e603c21ff65557fe7e813fcb5a0bc1029cac84e47cd3f4c25a17c312706009ec82e5eccdd0b2106d69868c8da60e0416c57164ebd95bb8b08cfc32427e60846f655b7244272b846181f461d50fd51dbc05a27a5f937f26d1c8b3afa0190723e43e225d32d14a0fcee7b72a5c7b6e1c57126864e8337e8c501340a487b0d3a69b1eacbd3d7812bc52af09e0bab0508e5c81f98383af1482f50a6d035721bb9ac32e66fb04215b0a120fc1c907d63cecabf9a52f90883a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "008da900010020ba965fe3dc471ba8", - "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" + "SerialNumber": "33000000433a68189e33902987000000000043", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "irec.sys" + ], + "yara": false + }, + { + "Id": "4b047bb8-c605-4664-baed-25bb70e864a1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable 
driver",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create Black.sys binPath=C:\\windows\\temp\\Black.sys type=kernel && sc.exe start Black.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "Black.sys",
+ "SHA256": "d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
+ }
+ ],
+ "Tags": [
+ "Black.sys"
+ ],
+ "yara": false
+ },
+ {
+ "Id": "6d21df78-d718-44df-b722-99eec654f5b2",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create MsIo64.sys binPath=C:\\windows\\temp\\MsIo64.sys type=kernel && sc.exe start MsIo64.sys",
+ "Description": "The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050,and 0x80102054)",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://github.com/namazso/physmem_drivers",
+ " https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/",
+ "https://packetstormsecurity.com/files/159315/MSI-Ambient-Link-Driver-1.0.0.8-Privilege-Escalation.html",
+ "https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities",
+ 
"https://github.com/Exploitables/CVE-2020-17382",
+ "https://github.com/namazso/physmem_drivers"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89.yara"
 },
 {
- "FileName": "SANDRA",
- "MD5": "e36f6f7401ae11e11f69d744703914db",
- "SHA1": "dcdc9b2bc8e79d44846086d0d482cb7c589f09b8",
- "SHA256": "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461",
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "MsIo64.sys",
+ "MD5": "dc943bf367ae77016ae399df8e71d38a",
+ "SHA1": "6b54f8f137778c1391285fee6150dfa58a8120b1",
+ "SHA256": "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89",
+ "Signature": [
+ "Microsoft Windows Hardware Compatibility Publisher",
+ "Microsoft Windows Third Party Component CA 2014",
+ "Microsoft Root Certificate Authority 2010"
+ ],
+ "Date": "",
+ "Publisher": "",
+ "Company": "MICSYS Technology Co., LTd",
+ "Description": "MICSYS driver",
+ "Product": "MsIo64 Driver Version 1.1",
+ "ProductVersion": "1.1 x64",
+ "FileVersion": "1.1 x64 built by: WinDDK",
+ "MachineType": "AMD64",
+ "OriginalFilename": "MsIo64.sys",
 "Authentihash": {
- "MD5": "5ef46421c4cda0345e6d732ae4be93d5",
- "SHA1": 
"c021fb8f391cdedb6f152a8eb839464c3770bf5d", - "SHA256": "9ce44d1643bc4d87e5029a4927613035bbd96b4e45a2400aed987396115791f7" + "MD5": "9bb721ac0afc94a499a238ae32418d51", + "SHA1": "04a903f13528536f1d0b1751886754d9aa5cdafa", + "SHA256": "5bf00eff58e5bbe4cf578ec37b9e13c8fa74511fb2644352fcc091347153a709" }, - "Description": "Sandra Device Driver (Win64 x64)(Unicode)", - "Company": "SiSoftware", - "InternalName": "SANDRA", - "OriginalFilename": "SANDRA", - "FileVersion": "10.3.1.1 built by: WinDDK", - "Product": "SiSoftware Sandra", - "ProductVersion": "10.3.1.1", - "Copyright": "Copyright © SiSoftware Ltd 1995-2005. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "MsIo64.sys", + "Copyright": "Copyright (c) 2019 MICSYS", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwSetValueKey", - "ZwCreateKey", - "RtlAppendUnicodeToString", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoQueryDeviceDescription", - "ZwSetInformationThread", - "RtlUnicodeStringToAnsiString", - "__C_specific_handler", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "IoFreeMdl", - "NtQueryInformationProcess", - "IoReportResourceUsage", - "IofCompleteRequest", - "KeReleaseSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "MmResetDriverPaging", - "MmPageEntireDriver", - "IoDeleteDevice", + "RtlInitUnicodeString", + "DbgPrint", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "IoDeleteSymbolicLink", - "IoUnregisterShutdownNotification", - "RtlQueryRegistryValues", - "IoRegisterShutdownNotification", + "ZwUnmapViewOfSection", + "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", - "ZwClose", - "MmUnmapLockedPages", - "RtlInitUnicodeString", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "HalTranslateBusAddress", - "KeStallExecutionProcessor" + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - 
"CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA", - "ValidFrom": "2003-08-06 00:00:00", - "ValidTo": "2013-08-05 23:59:59", - "Signature": "76b29cee139f1bf62d349294457334dc8e6b2e5cfc4c7d89ebc368f1d7990f2e1d17c8b5168bbecd8a0506f219493a035b05c9208e6d52e17681a0c3658a2267e41c53533746bfbcd72feb7b9ed014456c402108e25d757666301ef4df828a2fbdf3a20cbf1ddb9f14a29a72374db07748e84a3f09ce55192cefe60724e1afec", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=SiSoftware LTD, O=SiSoftware LTD, OU=Secure Application Development, C=UK, ST=London, L=London", - "ValidFrom": "2004-09-23 16:28:04", - "ValidTo": "2005-09-23 16:28:04", - "Signature": "2623e3d4f0ca2111695ee2c1493671d554de79106efd8d98928e0890eb65e7da15d2f4c8f739e5fd1ce3e2205327c540b29ad0a901b605a623b2de380e382e4b75b9b41c5b4deb75c974d02c1911fb58851e75b6fc20bb947fca991fc050dee03a914b69345c77aeba2fa02e1b22cd2b75ad2593d9f5caa24550a02db6a3506d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - 
"ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "3ea278", - "Issuer": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA" + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "MsIo64.sys" + ], + "yara": true + }, + { + "Id": "a261cd64-0d04-4bf5-ad73-f3bb96bf83cf", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create PCHunter.sys binPath=C:\\windows\\temp\\PCHunter.sys type=kernel && sc.exe start PCHunter.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa.yara" }, { - "FileName": "SANDRA", - "MD5": "1610342659cb8eb4a0361dbc047a2221", 
- "SHA1": "8d0f33d073720597164f7321603578cd13346d1f", - "SHA256": "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "PCHunter.sys", + "MD5": "c2c1b8c00b99e913d992a870ed478a24", + "SHA1": "a64354aac2d68b4fa74b5829a9d42d90d83b040c", + "SHA256": "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "一普明为(北京)信息技术有限公司", + "Description": "Epoolsoft Windows Information View Tools", + "Product": "PCHunter", + "ProductVersion": "1.0.0.4", + "FileVersion": "1.0.0.4", + "MachineType": "AMD64", + "OriginalFilename": "PCHunter.sys", "Authentihash": { - "MD5": "04ef6182073a4cbc8a606a4480093e0c", - "SHA1": "3c722e2822e0af72d3f868fffb8e5b884e502254", - "SHA256": "68dca726b16c56c70259c8f936ec20adb9ecb8c3cc73985083f41358c83935f4" + "MD5": "9655d43fd874e7a6720b36e7fd9fa6b7", + "SHA1": "a14261c290339995b7430495f2dfdd1da64dcfc5", + "SHA256": "c2d209ed240027608003f8d32b621f8baaf5601aaf348e64269e4457a594c7c3" }, - "Description": "Sandra Device Driver (Win32 x86)(Unicode)", - "Company": "SiSoftware", - "InternalName": "SANDRA", - "OriginalFilename": "SANDRA", - "FileVersion": "10.7.1.1 built by: WinDDK", - "Product": "SiSoftware Sandra", - "ProductVersion": "10.7.1.1", - "Copyright": "Copyright © SiSoftware Ltd 1995-2007. 
All rights reserved.", - "MachineType": "I386", + "InternalName": "PCHunter.sys", + "Copyright": "(C) 2013-2016 Epoolsoft Corporation. All Rights Reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "READ_REGISTER_USHORT", - "READ_REGISTER_ULONG", - "IoQueryDeviceDescription", - "ZwSetInformationThread", - "RtlUnicodeStringToAnsiString", - "MmMapLockedPagesSpecifyCache", + "ZwCreateKey", + "RtlInitUnicodeString", + "ZwSetValueKey", + "ExGetPreviousMode", + "PsGetCurrentProcessId", + "KeInitializeEvent", + "ExFreePoolWithTag", + "ZwQuerySymbolicLinkObject", + "SeCreateAccessState", + "KeSetEvent", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "IoCreateFile", "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", + "ZwOpenSymbolicLinkObject", "IoFreeMdl", - "MmUnmapLockedPages", - "IoReportResourceUsage", - "READ_REGISTER_UCHAR", - "MmResetDriverPaging", - "MmPageEntireDriver", - "IoDeleteDevice", + "IoFileObjectType", + "ExAllocatePool", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "IoFreeIrp", + "MmProbeAndLockPages", + "ZwClose", + "MmUnlockPages", + "ObOpenObjectByPointer", + "IoAllocateMdl", + "MmSectionObjectType", + "_wcsicmp", + "NtDeviceIoControlFile", + "NtFsControlFile", + "swprintf", + "MmGetSystemRoutineAddress", + "ExAllocatePoolWithTag", + "ObQueryNameString", + "KeBugCheckEx", + "PsLookupThreadByThreadId", "IoDeleteSymbolicLink", - "IoUnregisterShutdownNotification", - "RtlQueryRegistryValues", - "IoRegisterShutdownNotification", + "IoDeleteDevice", + "wcsncat", + "KeDelayExecutionThread", + "wcsrchr", + "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "WRITE_REGISTER_ULONG", - "WRITE_REGISTER_USHORT", - "WRITE_REGISTER_UCHAR", - "memset", - "MmUnmapIoSpace", - "MmMapIoSpace", - "RtlAppendUnicodeToString", - "ZwCreateKey", - "ZwSetValueKey", - "NtQueryInformationProcess", - "ZwClose", - 
"IofCompleteRequest", - "RtlInitUnicodeString", - "KfReleaseSpinLock", - "HalGetInterruptVector", - "KeStallExecutionProcessor", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalTranslateBusAddress", - "KfAcquireSpinLock" + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "KeStackAttachProcess", + "ObfDereferenceObject", + "MmIsAddressValid", + "KeUnstackDetachProcess", + "PsLookupProcessByProcessId", + "ProbeForRead", + "IoGetCurrentProcess", + "MmUserProbeAddress", + "ProbeForWrite", + "NtBuildNumber", + "IoAllocateIrp", + "MmSystemRangeStart", + "__C_specific_handler", + "FltReleaseFileNameInformation", + "FltClose", + "FltStartFiltering", + "FltParseFileNameInformation", + "FltCreateFile", + "FltRegisterFilter", + "FltUnregisterFilter", + "FltGetFileNameInformation" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", - "ValidFrom": "2006-02-01 21:44:28", - "ValidTo": "2016-01-30 21:44:28", - "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", + "Subject": "C=CN, ST=?????????, L=?????????, O=????????????(??????)????????????????????????, CN=????????????(??????)????????????????????????", + "ValidFrom": "2015-10-16 04:47:28", + "ValidTo": "2016-11-16 04:47:28", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, 
CN=SiSoftware Ltd", - "ValidFrom": "2006-08-25 14:34:37", - "ValidTo": "2009-08-25 14:34:37", - "Signature": "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", + "Subject": "C=CN, O=WoSign CA Limited, CN=WoSign Time Stamping Signer", + "ValidFrom": "2009-08-08 01:00:05", + "ValidTo": "2024-08-08 01:00:05", + "Signature": "7c982fbbc3d2aec22a8fa69776568632c4cd36688becd7801a3179b05e56b969ebb90b32a98326dc775d7a56b246a07d15d66df9acf835737836026022201cef188f7e66b24fe771935a2be6e58d3d5d2e274b46cb1d04f30b8c3f13a80dd4cde828e82a9c55c8e3ff9da922496ee8e7889237578060441827435818046d86c065470557555091e67350ee3f10a98f052fda6811536e1fad98f3763e85d057a3cfe4c11a4c6406a644ab4e1ee24bd5a46d71f86bcb6613a6471f212aa1ae4c89a47d2877174f888db1d15db1c4935abf22926cab678268edd721cb63bc93c4178e871925ad1754b479d2a59373bc7cbbe4800f8fccaa0ad0e49375aa6ccf497d75ec82285c73f042bf9ea6132ede6cee8003a6ee8836a01bb282e83dbba61ad511ae0a0b62d651369723175226edf1c5b62175391507e042f12a89047766ad1404d2c7d47c4f6cdd4edced8ea9f68617e7e15966bbd07ad09442ebafc154cae21aa4a9b6a5d481ca1526fa6fb4df7810048c4818bc2859669ab818f1d95e5b82fffe11d7d40436309f511d3cc86440757cd83583efb1e528760a053de9b81e70503a60e2a50188889c04cc6af21585d10cb74a6d934e82ca29e9750b42e43a4724086d805ce66a672cb61308c94fd86653b9b67fe2ea39956f71779603afb9e3cce3a1b9f101c66ebefc975cb2d1f17bfb33c665eae618f9ab3a271a2d206be6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", - "ValidFrom": "2006-02-13 15:40:22", - "ValidTo": "2016-02-11 15:40:22", - "Signature": "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", + "Subject": "C=CN, O=WoSign CA Limited, CN=WoSign Class 3 Code Signing CA", + "ValidFrom": "2009-08-08 01:00:05", + "ValidTo": "2024-08-08 01:00:05", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Equifax, OU=Equifax 
Secure Certificate Authority", - "ValidFrom": "2006-05-23 17:01:15", - "ValidTo": "2016-05-23 17:11:15", - "Signature": "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", + "Subject": "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign", + "ValidFrom": "2015-04-29 17:12:11", + "ValidTo": "2025-04-29 17:12:11", + "Signature": "0c9e907a381c3c94a5f76fb3989e6f52f9cac16e59ac5e76a96251971b98be114a421c5aec81972fd19436b91ea63e2a6ca219d2124b3924e36986125a2af5d8ca331725a69d3c8ba9beba6b956e04603ff9a84d77e874aa7b6776991b797f1f64dd62858ea09559332ff81c87f0f7f3060cd13c3e9b4f1b5b4a99dd8c62f1308ef8a4900f64c303f84ec232e2c18b71977d49aebdf6770e470bf36f182318e0a03071a49afd47ee0cf36e466274504a08bae15862143d40b6744d21c347520780632a4af199e5e71e7f20d87d04e34e528e712e08ab6ec4223c0d6b6d90f3b4d861c675c0ca26d5f01d9ced505558654ef637108d212938c3dfdb98b6a76663e65675bb166a4cbc9d516745008564555fbbcbff213c0833b59c8455e22497e5deefd15336710e7be432c58da0c54d976e7ff2c7e8c951ca325114d63771667ef0668107d84c50ee0497dc93916d1fb794c7cf710e011d66b4f64cce75a74ca754ffc83bea3711b414f1a609455b28ce7ebc5074ed934fbbcd48fe378a59a72b97a097eb4c59e0907698397d4b38125aa22c00def8f3f2f7ef3a05040a905c87d47accb70917a6d557c03a8f28b70782d7add8df43a7238c95be42e923abc9c7f033a890947f80cbe75f66a342592fa4776fee2956da0a091f16f0699018c41284bfa0b6e608ce46b893168fb7e04ecb38c25d2f1078fdbe0c41825b47049f64", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", + "ValidFrom": "2011-04-15 20:13:19", + "ValidTo": "2021-04-15 20:23:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign", + "ValidFrom": "2006-09-17 22:46:36", + "ValidTo": "2019-12-31 23:59:59", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", + "ValidFrom": "2006-09-17 19:46:36", + "ValidTo": "2036-09-17 19:46:36", + "Signature": "166c99f4660c34f5d0855e7d0aecda104e381c5edfa625054b9132c1e83bf13ddd44095b07498a29cb6602b7b19af72598093c8e1be1dd36872b4bbb68d339663da026c7f239911d51ab827b7ed5ce5ae4e2035770699708f95e58a60adf8c069a451616380a5e57f662c77a0205e6bc1eb5f29ef4a92983f8b214e36e288744c3901ade38a93cac434d6445cedd28a95cf2737b04f817e8abb1f32e5c646e73313a12b8bcb311e47d8f81519a3b8d89f44d93667b3c03edd39a1d9af36550f5a0d0759f2faff0ea824398f8699c8979c4438e4672e3643612aff7251e388990777ec36b6ab9c3cb444bac78908be7c72c1e4b1144c8345227cd0a5d9f85c189d51a78f295105332dd80846675d9b56828fb612ebe84a838c0991286a51e6764ad062e2fa97085c7960f7c8965f58e43540eabdda580399460c034c996702ca312f51f487bbd1c7e6bb79d90f4223baef8fc2acafa8252a0efaf4b5593ebc1b5f0228bac344e262204a1872c754ab7e57d13d7b80c64c036d2c92f86128c2309c11b823b7349a36a578794e5d678c5994363e34de0772de165997269041a4709e60f015624fb1fbf0e79a9582eb9c409017e95ba6d00063eb2ea4a1039d8d02bf5bfec75bf9702c5091b08dc5537e281fb3784436220cae7564b65eafe6cc1249324a134eb05ff9a22ae9b7d3ff165510aa6306ab3f4881c800dfc728ae8835e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "008da900010020ba965fe3dc471ba8", - "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" + "SerialNumber": "5c5d0a336ba298b9695d2cfa5a181510", + "Issuer": "C=CN, O=WoSign CA Limited, CN=WoSign Class 3 Code Signing CA" } ] } 
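Review bot: The first PCHunter.sys certificate near the end of the hunk has a `Subject` of `C=CN, ST=?????????, L=?????????, O=????????????(??????)...` with every non-ASCII character replaced by `?`, while `Company` on the same sample keeps `一普明为(北京)信息技术有限公司`, so the DN appears to have been decoded lossily upstream and cannot be used to match or display the signer; it should be re-extracted as UTF-8 or left empty rather than stored as `?` runs. The `Resources` arrays for Black.sys, MsIo64.sys and PCHunter.sys each list the same URL twice, once with a leading space (`" https://learn.microsoft.com/..."`), which a consumer will show as two distinct links unless it trims and de-duplicates. The Black.sys sample carries only `SHA256` — the `MD5`, `SHA1` and `Authentihash` keys present on the other samples are absent rather than empty — so hash lookups on this file must treat a missing key as no-match instead of assuming the full set. These are generated-data issues, so the fix belongs in the upstream normaliser rather than a hand edit of this file; the PCHunter.sys record continues into the next hunk.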
@@ -36045,173 +22252,167 @@ } ], "Tags": [ - "SANDRA" - ] + "PCHunter.sys" + ], + "yara": true }, { - "Id": "fe2f68e1-e459-4802-9a9a-23bb3c2fd331", + "Id": "127cde1d-905e-4c67-a2c3-04ea4deaea7d", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-02-28", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create kEvP64.sys binPath=C:\\windows\\temp\\kEvP64.sys type=kernel && sc.exe start kEvP64.sys", - "Description": "", + "Command": "sc.exe create wantd_6.sys binPath=C:\\windows\\temp\\wantd_6.sys type=kernel && sc.exe start wantd_6.sys", + "Description": "Driver used in the Daxin malware campaign.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "kEvP64.sys", - "MD5": "20125794b807116617d43f02b616e092", - "SHA1": "f3db629cfe37a73144d5258e64d9dd8b38084cf4", - "SHA256": "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c", - "Signature": [ - "北京华林保软件技术有限公司", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "PowerTool", - "Description": "PowerTool", - "Product": "PowerTool", - "ProductVersion": "1.0.1.0", - "FileVersion": "1.0.1.0 built by: WinDDK", + "Filename": "wantd_6.sys", + "MD5": "4b058945c9f2b8d8ebc485add1101ba5", + "SHA1": "37e6450c7cd6999d080da94b867ba23faa8c32fe", + "SHA256": "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e", + "Signature": "The digital signature of the object did not verify.", + "Date": "8:23 PM 2/28/2022", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "WAN Transport Driver", + "Product": "Microsoft Windows Operating System", + "ProductVersion": "6.1.7600.1172", + "FileVersion": "6.1.7600.1172", "MachineType": "AMD64", - "OriginalFilename": "kEvP64.sys", + "OriginalFilename": "wantd.sys", "Authentihash": { - "MD5": "89184d56336f62fecc67f644b1ec4219", - "SHA1": "cd773a4b5aef78bda651069b9304e4d5e2033cb9", - "SHA256": "c7ba2720675aada538c47fa9e8950a81b6df23f63fa181680e6232651abffbef" + "MD5": "3bfdb46b5ad5fa267b992a2350a6518a", + "SHA1": "cb65c6f9f411892d13ffe8ba1cb5e9c4be2c0a25", + "SHA256": "bd243e33fa80f4bd6010c23ecdf94b6008fee30df248255dcfe014c91f2ce2af" }, - "InternalName": "kEvP64.sys", - "Copyright": "PowerTool", + "InternalName": "wantd.sys", + "Copyright": "Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "FLTMGR.SYS" + "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ProbeForRead", - "KeClearEvent", - "PsProcessType", - "IoReuseIrp", - "ObRegisterCallbacks", - "IoBuildDeviceIoControlRequest", + "wcsncmp", + "IoAllocateMdl", + "_stricmp", + "sprintf", + "RtlLengthRequiredSid", + "_strnicmp", + "ExAllocatePoolWithTag", + "vsprintf", "IoDeleteSymbolicLink", "ExFreePoolWithTag", "RtlAnsiStringToUnicodeString", - "ObUnRegisterCallbacks", - "PsGetProcessImageFileName", - "PsRemoveCreateThreadNotifyRoutine", + "NtWriteFile", + "RtlCreateAcl", "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", + "NtQuerySystemInformation", "_wcsnicmp", - "SeCreateAccessState", + "ZwReadFile", + "RtlSetDaclSecurityDescriptor", "KeInitializeApc", - "IoGetRelatedDeviceObject", - "RtlInitUnicodeString", "IoDeleteDevice", - "KeSetEvent", - "ExGetPreviousMode", - "ProbeForWrite", - "IoGetFileObjectGenericMapping", - "swprintf", - "ObCreateObject", - "ObGetFilterVersion", + "NtFsControlFile", + "KeInsertQueueApc", "MmGetSystemRoutineAddress", "IoCreateFile", - "KeInitializeEvent", - "RtlInitAnsiString", - "RtlUnicodeStringToAnsiString", - "RtlGetVersion", + "atoi", + "_snprintf", "ZwQuerySystemInformation", - "ExReleaseRundownProtection", - "PsSetCreateProcessNotifyRoutine", - "MmUnmapIoSpace", - "RtlEqualUnicodeString", - "MmBuildMdlForNonPagedPool", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "KeUnstackDetachProcess", - "ExInitializeRundownProtection", - "ZwOpenDirectoryObject", - "IoVolumeDeviceToDosName", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ExEnumHandleTable", - "ObQueryNameString", - "ExAllocatePoolWithTag", - "IoDriverObjectType", + "KeReleaseSpinLock", + "RtlAddAccessAllowedAce", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "ZwOpenFile", "ZwCreateFile", - "wcsstr", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "IoStopTimer", - 
"ExAllocatePool", - "IoUnregisterShutdownNotification", - "IoGetCurrentProcess", - "MmMapIoSpace", - "NtClose", - "ZwClose", - "IofCompleteRequest", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "ZwFreeVirtualMemory", + "KeQueryTimeIncrement", "ObReferenceObjectByHandle", "KeWaitForSingleObject", - "ZwQueryDirectoryObject", - "PsRemoveLoadImageNotifyRoutine", - "IoFreeIrp", - "MmProbeAndLockPages", + "KeAttachProcess", + "PsGetVersion", "PsThreadType", "RtlCompareUnicodeString", - "IoAllocateIrp", - "ObSetHandleAttributes", - "MmUnlockPages", + "ZwOpenProcess", "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "MmIsAddressValid", "ObfDereferenceObject", - "ObReferenceObjectByName", "IoCreateDevice", "ZwTerminateProcess", - "RtlAssert", - "KeCancelTimer", - "CmUnRegisterCallback", - "ObOpenObjectByPointer", - "DbgPrint", - "KeStackAttachProcess", - "PsGetProcessWow64Process", - "IoAllocateMdl", - "IofCallDriver", - "KeBugCheckEx", - "IoThreadToProcess", - "ExAcquireRundownProtection", - "sprintf", - "PsGetProcessPeb", - "ExWaitForRundownProtectionRelease", - "_wcsicmp", - "_stricmp", - "IoFileObjectType", - "__C_specific_handler", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "HalGetBusDataByOffset", - "FltUnregisterFilter", - "FltEnumerateFilters", - "FltObjectDereference", - "FltRegisterFilter" + "ZwQueryInformationFile", + "KeWaitForMultipleObjects", + "ZwWriteFile", + "NtReadFile", + "PsLookupThreadByThreadId", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", + "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + "KeDelayExecutionThread", + "MmUserProbeAddress", + "MmBuildMdlForNonPagedPool", + "memchr", + "ZwWaitForSingleObject", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + 
"NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisMIndicateStatus", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" ], "Signatures": [ { @@ -36219,24 +22420,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=???????????????????????????????????????, OU=RD, CN=???????????????????????????????????????", - "ValidFrom": "2015-07-27 00:00:00", - "ValidTo": "2016-08-25 23:59:59", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
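Review bot: `"Signature": "The digital signature of the object did not verify."` in the wantd_6.sys sample gives that key a plain string where the neighbouring records carry an array of signer names, so a consumer decoding `Signature` into a string slice will fail on this record and, with a strict decoder, on the whole file. The same key is `""` in the mimidrv.sys sample (hunk -36310) and `[]` in the ProtectS.sys samples (hunk -36293), and hunk -36402 does the same to `Commands` (a bare `sc.exe` string instead of the `Command`/`Description`/`Usecase` object) and to `Description`/`Person` (`[]` instead of `""`). Keeping one shape per key — an array for `Signature`, an object for `Commands` — or making the loader tolerate both shapes would avoid a decode failure on the next refresh. `"Date": "8:23 PM 2/28/2022"` is also the only locale-formatted date among the new records (`Created` is ISO), and the trailing `""` entry in `Resources` looks like a leftover rather than a reference.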
@@ -36256,7 +22443,7 @@ ], "Signer": [ { - "SerialNumber": "195c5f9885214bfb4f88dd2ad1f0be8c", + "SerialNumber": "387c9476e28320264594846317d46540", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] @@ -36265,26 +22452,27 @@ } ], "Tags": [ - "kEvP64.sys" - ] + "wantd_6.sys" + ], + "yara": true }, { - "Id": "84ccb68d-ce34-4aa2-98d5-7f473c2e1b07", + "Id": "99668140-a8f6-48f8-86d1-cf3bf693600c", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create SysInfo.sys binPath=C:\\windows\\temp\\SysInfo.sys type=kernel && sc.exe start SysInfo.sys", + "Command": "sc.exe create ProtectS.sys binPath=C:\\windows\\temp\\ProtectS.sys type=kernel && sc.exe start ProtectS.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
@@ -36293,16 +22481,23 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "SysInfo.sys", - "MD5": "5228b7a738dc90a06ae4f4a7412cb1e9", - "SHA1": "f0c463d29a5914b01e4607889094f1b7d95e7aaf", - "SHA256": "7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb", - "Signature": [ - "Noriyuki MIYAZAKI", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], + "Filename": "ProtectS.sys", + "SHA256": "9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ProtectS.sys", + "SHA256": "4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe", + "Signature": [], "Date": "", "Publisher": "", "Company": "", 
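Review bot: The first `Resources` entry in the ProtectS.sys record, `" https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"`, carries a leading space and is then repeated without it as the second entry, so the list holds one reference twice, one copy not a valid URL as written. The removed lines show the same leading-space-plus-duplicate pattern for the old reference, so this is carried over from the upstream export rather than introduced here, but a trim-and-dedupe pass on `Resources` at load time (or before export) would leave a single clean entry. The record's `Acknowledgement` block continues outside the hunk.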
@@ -36310,38 +22505,133 @@ "Product": "", "ProductVersion": "", "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "ProtectS.sys" + ], + "yara": false + }, + { + "Id": "87752fb8-e9f6-4235-91e2-c4343677d817", + "Author": "Michael Haag", + "Created": "2023-05-22", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create mimidrv.sys binPath=C:\\windows\\temp\\mimidrv.sys type=kernel && sc.exe start mimidrv.sys", + "Description": "Mimidrv is a signed Windows Driver Model WDM kernel mode software driver meant to be used with the standard Mimikatz executable.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951", + "https://github.com/hfiref0x/KDU", + "https://posts.specterops.io/mimidrv-in-depth-4d273d19e148", + "https://github.com/gentilkiwi/mimikatz" + ], + "Acknowledgement": { + "Person": "hfiref0x", + "Handle": "hfiref0x" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "mimidrv.sys", + "MD5": 
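Review bot: The two ProtectS.sys samples added here carry a `SHA256` but no `MD5` or `SHA1` key at all, unlike every other sample in this diff, and every descriptive field is `""` with `"Signature": []`. If the lookup code in pkg/loldrivers keys on MD5 or SHA1 (not visible here), both samples are unreachable entries; if it keys on SHA256 they match, but the absent keys decode to the zero value and are indistinguishable from an empty hash. Worth documenting in the loader that samples may omit MD5/SHA1 and that matching must fall back to SHA256, or normalising absent keys to `""` at load time so downstream code sees one shape. The second sample's remaining fields continue in the next hunk.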
"29e03f4811b64969e48a99300978f58c", + "SHA1": "a8ddb7565b61bc021cd2543a137e00627f999dcc", + "SHA256": "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "gentilkiwi (Benjamin DELPY)", + "Description": "mimidrv for Windows (mimikatz)", + "Product": "mimidrv (mimikatz)", + "ProductVersion": "2.2.0.0", + "FileVersion": "2.2.0.0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "mimidrv.sys", "Authentihash": { - "MD5": "0f56e9fddae9389425d93099ad609867", - "SHA1": "ca88f321631c1552e3e0bcd1f26ad3435cc9f1ae", - "SHA256": "a82d08ef67bdfccf0a2cf6d507c9fbb6ac42bd74bf2ade46ec07fe253deb6573" + "MD5": "45fc2828291ee88335899461a2e7d8b7", + "SHA1": "0e732d18a7d880f0505433a0da0e100da0e1c3a3", + "SHA256": "77586c3968ec72ad19fa7098c9da27b0677e45220812eaab197075f4175e8cc6" }, - "InternalName": "", - "Copyright": "", + "InternalName": "mimidrv", + "Copyright": "Copyright (c) 2007 - 2019 gentilkiwi (Benjamin DELPY)", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "__C_specific_handler", - "MmUnmapIoSpace", - "MmMapIoSpace", - "IoDisconnectInterrupt", - "IoConnectInterrupt", - "IoCreateDevice", - "KeInsertQueueDpc", - "ZwClose", - "IoDeleteSymbolicLink", + "KeBugCheck", "IofCompleteRequest", - "KeInitializeDpc", "IoCreateSymbolicLink", - "KeClearEvent", + "IoCreateDevice", + "PsProcessType", + "PsGetProcessImageFileName", + "PsLookupProcessByProcessId", + "PsReferencePrimaryToken", + "ZwOpenProcessTokenEx", + "IoGetCurrentProcess", + "ZwSetInformationProcess", + "ZwClose", + "ZwDuplicateToken", + "PsInitialSystemProcess", + "_vsnwprintf", + "ObfDereferenceObject", + "ObOpenObjectByPointer", + "PsGetProcessId", + "PsDereferencePrimaryToken", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "IoFreeMdl", + "MmProbeAndLockPages", + "MmUnlockPages", + "IoAllocateMdl", + "ZwUnloadKey", + 
"IoEnumerateRegisteredFiltersList", + "KeBugCheckEx", + "MmGetSystemRoutineAddress", "IoDeleteDevice", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "RtlInitUnicodeString", + "NtBuildNumber", + "RtlCompareMemory", + "IoDeleteSymbolicLink", + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "RtlUnwindEx", + "FltGetFilterInformation", + "FltEnumerateInstances", + "FltEnumerateFilters", + "FltObjectDereference", + "FltGetVolumeFromInstance" ], "Signatures": [ { 
@@ -36349,38 +22639,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", - "ValidFrom": "2007-09-24 10:50:55", - "ValidTo": "2008-09-24 10:50:55", - "Signature": "4b6c4ea808b550cbae0f97c27726a0445d0e3e021ee0e0087bfe5bbc290e3e45ca35333f2a97fb7667f64326629f7a99fe2fec4da9fe14f0d858419982b983457848fbd6a9115769db6c5626b4d2f87fc77019a755a9efdf81b1968dfbfa638bf87bd25a8adf1c6c3bba3735f06b54d127462ed40dc364ad4c4f29c9f9692b29ff9557300a7c0d395f250172e312ff253b7ce8885ef8c1fe60c448676180e4ca09b34b52ae116b01f22b446b827a748ca80aee5f8e9ff6725e1dce5a7984c26eb72a615a9ef272f6f7b2e03e6d34665caf506b93cb5a2de127177eb1923cf5bc499e312d6c43ff5a26124ea63a4dc9a3340daa6449c2322857adf98166423cfb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", - "ValidFrom": "2003-12-16 13:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "5c2f2e674a26b3e7b53f353cdda003ed569af9443752163065c7d14ea20f8db7b6b6678ee74cec8d95bee6cea7227874acd7f87499b3f7ce8b1338d596cc8d76c52f38b23aae61be0b8799e321626423398d84f6858df777ffb03806f07ec1485fb5ee582606660522749283a7dbb5f992e3e8c3192c2e63efbb1fdff9f70747660d0789977ef8332c9ecbae143df11cdfa3f179afc8928f9471c4d144c554db1eb50b0aa942a3afd643391dee8f9398585bbe6e9c0bf563ec5e99c2f954fa010746da0db06424cf8ed1061d4f3ca26377455ba4bc5fb080bb31e00b54015c161d724ed52a6947d11b667e5f016ef135916be02efeb045d81627b5c58bc2da53", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": 
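Review bot: The mimidrv.sys record mixes representations for its two flags: `"Verified": "TRUE"` is a string while `"yara": false` on the ProtectS record at the top of this hunk (and `"yara": true` on wantd_6.sys in hunk -36045) is a JSON boolean, so a consumer has to string-compare one and read the other directly. Every `Verified` value in this diff is `"TRUE"` or `"FALSE"`, so decoding it to a bool in the loader (or emitting `"Verified": true` upstream) would make the two consistent. `"Signature": ""` for this sample is a third shape for a key that is an array in the other records. The `ImportedFunctions` list and the `Signatures` block continue in the next hunk.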
"a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", - "ValidFrom": "2007-02-05 09:00:00", - "ValidTo": "2014-01-27 09:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=FR, CN=Benjamin Delpy", + "ValidFrom": "2011-06-28 09:46:16", + "ValidTo": "2014-06-28 09:46:16", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -36393,8 +22662,8 @@ ], "Signer": [ { - "SerialNumber": "01000000000115372421a8", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "112169417a1c3ef46a301f99385f50680fa0", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } 
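Review bot: The new certificate subject `C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2` appears to have had the hyphens of the issuer's name (commonly written `GlobalSign nv-sa`, `CodeSigning CA - G2`) replaced with commas by the exporter; the same ` , G4`, ` , G5` and `Class 3 , Microsoft Software Validation v2` forms appear in hunks -36219 and -36402 and in the `Issuer` of the Signer hunk that follows (-36393). As written the strings no longer split cleanly into RDN components — `O=GlobalSign nv,sa` reads as an `O` attribute plus a stray `sa` — so any matching of `Subject`/`Issuer` against DN strings taken from live certificates or Sysmon `Signature` fields will miss. If this is an upstream artefact it is worth a comment in the loader stating that `Subject`/`Issuer` are not byte-comparable to OS-supplied DNs, or a normalisation step before comparison.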
@@ -36402,237 +22671,418 @@ } ], "Tags": [ - "SysInfo.sys" - ] + "mimidrv.sys" + ], + "yara": true }, { - "Id": "618fbf89-f4e3-4b2a-a4b4-cc4bf7c180e0", - "Author": "Michael Haag", - "Created": "2023-03-04", + "Id": "16d8962b-cf96-432f-8a43-d41f06828f56", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create POORTRY2.sys binPath=C:\\windows\\temp\\POORTRY2.sys type=kernel && sc.exe start POORTRY2.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create cpuz.sys binPath=C:\\windows\\temp\\cpuz.sys type=kernel && sc.exe start cpuz.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "POORTRY2.sys", - "MD5": "b164daf106566f444dfb280d743bc2f7", - "SHA1": "7e836dadc2e149a0b758c7e22c989cbfcce18684", - "SHA256": "9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "a89ca92145fc330adced0dd005421183", + "SHA1": "e33eac9d3b9b5c0db3db096332f059bf315a2343", + "SHA256": "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f", "Authentihash": { - "MD5": "ffbbaeada1f7507faca4ef59c6e3e577", - "SHA1": "56f9aa37f099409170b4656079edbf52e464b700", - "SHA256": "29bf8618816bce5fa2845409d98b7b96915e0763bb04719535ca885e4713cfaf" + "MD5": "d9d45430dc3fb1c7154c109f9d85d70e", + "SHA1": "4f52e85725556496f9102bba0fdf9d13f721c675", + "SHA256": "90f5962e6b2342eae05dc8f4c34d5291742537248587ccf6ac298691806a4517" }, - "InternalName": "", - 
"Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlTimeToTimeFields", + "IofCompleteRequest", + "ExFreePool", "ExAllocatePoolWithTag", - "ZwCreateKey", - "ExFreePoolWithTag", - "NtQuerySystemInformation", - "ZwReadFile", - "RtlInitUnicodeString", - "IoCreateFile", - "RtlUnicodeStringToAnsiString", - "_wcslwr", - "IoFileObjectType", - "ZwCreateFile", - "wcsstr", - "ZwQueryValueKey", - "ExAllocatePool", - "PsTerminateSystemThread", - "ZwClose", - "RtlFreeAnsiString", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "_vsnprintf", - "KeBugCheck", - "DbgPrint", - "PsGetCurrentProcessId", - "memmove", - "ZwAllocateVirtualMemory", - "atoi", - "_strlwr", - "NtQueryInformationProcess", - "DbgBreakPoint", - "ZwOpenProcess", - "KeServiceDescriptorTable", - "strrchr", - "ObQueryNameString", - "NtOpenThread", - "NtClose", - "NtOpenProcess", - "ExSystemTimeToLocalTime", "RtlFreeUnicodeString", - "KeQuerySystemTime", - "RtlInitAnsiString", - "MmGetSystemRoutineAddress", - "RtlAnsiStringToUnicodeString", - "sprintf", - "swprintf_s", "ObfDereferenceObject", - "KeSetEvent", - "KeWaitForSingleObject", - "ObReferenceObjectByHandle", - "PsCreateSystemThread", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "DbgPrint", + "RtlUnwind", + "KeTickCount", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", "KeInitializeEvent", - "PsSetCreateProcessNotifyRoutineEx", - "_except_handler3", - "memcpy", - "memset", 
- "FltStartFiltering", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor", - "FltCloseCommunicationPort", - "FltUnregisterFilter", - "FltFreeSecurityDescriptor", - "FltCreateCommunicationPort", - "FltCloseClientPort" + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlInitAnsiString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, 
ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "POORTRY2.sys" - ] - }, - { - "Id": "137daca4-0d7b-48aa-8574-f7eb6ad02526", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create speedfan.sys binPath=C:\\windows\\temp\\speedfan.sys type=kernel && sc.exe start speedfan.sys", - "Description": "speedfan.sys is a vulnerable driver. CVE-2007-5633.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "speedfan.sys", - "MD5": "5f9785e7535f8f602cb294a54962c9e7", - "SHA1": "bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b", - "SHA256": "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c", - "Signature": [ - "Sokno S.R.L.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "Windows (R) Server 2003 DDK provider", - "Description": "SpeedFan Device Driver", - "Product": "Windows (R) Server 2003 DDK driver", - "ProductVersion": "5.2.3790.0", - "FileVersion": "5.2.3790.0 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "speedfan.sys", + "FileName": "cpuz.sys", + "MD5": 
"26ce59f9fc8639fd7fed53ce3b785015", + "SHA1": "2bf6b88b84d27cdf0699d6d18b08a1b36310cdd1", + "SHA256": "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b", "Authentihash": { - "MD5": "af368f76c059d1e07aa884e86d29bbab", - "SHA1": "9c08d169b0f59a411c5b51f481622bc78bdf9c84", - "SHA256": "641490e28b2a1ee223238f5d969b5abf60a1089afe597c4251b285449e6b3b04" + "MD5": "0fef96c1d46145af32eb6993faa6e496", + "SHA1": "4d26356a4a48d492b00845a7ac1bb27a92f95871", + "SHA256": "0aa61910c3ceb765441c35925a50983b2571ac22da510f1495cf82f078b535b6" }, - "InternalName": "speedfan.sys", - "Copyright": "© Microsoft Corporation. All rights reserved.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IofCompleteRequest", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", + "ObfDereferenceObject", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", "MmUnmapIoSpace", + "RtlInitAnsiString", "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", "IoCreateSymbolicLink", - "PsGetVersion", "IoCreateDevice", - "RtlUnwindEx", - "KeBugCheckEx" + "RtlUnwind", + "KeTickCount", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], 
"Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", 
@@ -36641,349 +23091,223 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.", - "ValidFrom": "2007-02-07 00:00:00", - "ValidTo": "2008-02-07 23:59:59", - "Signature": 
"b572f3fe7b0c6aa1ee05ba9510b50345f5ccb72b55b1354fa3e0a5aaf8006302089153d52ebf69112781c7674e84d1646d4d08a04d554aa4428f801f4b4e6f467a35e2b464bb0878e7ca33d346f252d3f77a412ccb6d36fbd0c4d53cb14830362f8646cca976eb8ee66e6659d833a49643b947fe797d205ab717517d6af336669f6c1af45198d7ca0d621f0909098543353bcc39c256131db08f9abfe37f840636f8385e5ece017eff20e74d6363223dfc9948b66959ab5604a9d04ef2a459c03dd2cc4ac19bb1bf7b44b8bf1af9b5c996fd26e0e1b017a224c727a5986557397ceb4684353c85dabeaf102a15c45133baacff9eaa967342dda58442c0fe7a52", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7b12cd12b82d7758c4d7c3e398845b3c", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "speedfan.sys" - ] - }, - { - "Id": "2c3884d3-9e4f-4519-b18b-0969612621bc", - "Author": "Nasreddine Bencherchali", - "Created": "2023-04-15", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create LgCoreTemp.sys binPath=C:\\windows\\temp\\LgCoreTemp.sys type=kernel && sc.exe start LgCoreTemp.sys", - "Description": "", - "Usecase": "Denial of Service", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/logitech_v.9.02.65_DoS" - ], - "Acknowledgement": { - "Person": "Paolo Stagno", - "Handle": "Void_Sec" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "LgCoreTemp.sys", - "MD5": "2d7f1c02b94d6f0f3e10107e5ea8e141", - "SHA1": "471ca4b5bb5fe68543264dd52acb99fddd7b3c6d", - "SHA256": "93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131", - "Signature": "N/A", - "Date": "N/A", - "Publisher": "N/A", - "Company": "Logitech", - "Description": "CPU Core Temperature Monitor", - "Product": "LgCoreTemp", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", - "MachineType": "AMD64", - "OriginalFilename": "LgCoreTemp.sys", + "FileName": "cpuz.sys", + "MD5": "75dbd5db9892d7451d0429bec1aabe1a", + "SHA1": "c05df2e56e05b97e3ca8c6a61865cae722ed3066", + "SHA256": "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758", "Authentihash": { - "MD5": "a4c810e750095e71c0288c1ce6669115", - "SHA1": "e05304325b24fc9f76c106de27ffbef2d7eb3315", - "SHA256": 
"7f0eef1ed4c1278372348cb52e27dc3aa2f51a8b6a62db39d2af75031e55a8db" + "MD5": "dfb8cce9246e17f356504802d14d019d", + "SHA1": "189bedcea5ec5bfc724ff44b4b44958dc450c7db", + "SHA256": "4b5aecfecf26145aadd23f96a1cdfae0bca4e53af215d4bd77bba5dcc5a4479b" }, - "InternalName": "LgCoreTemp.sys", - "Copyright": "Copyright © Logitech, Inc", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "KeSetSystemAffinityThread", - "IoDeleteDevice", + "IofCallDriver", + "KeBugCheckEx", "IoDeleteSymbolicLink", - "__C_specific_handler", - "KeRevertToUserAffinityThread", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Newark, O=Logitech, CN=Logitech", - "ValidFrom": "2015-04-16 00:00:00", - "ValidTo": "2017-06-14 23:59:59", - "Signature": 
"8b12188765bda73964384c2644835bbd9b46b11b98230aca9ae6d31a2288244f75d3c6d06fae2ef7625676d2a3a0b4c2e978302d461ba5e165ec71a0a7a25c2c99972c0e8bb0194efab03034f581974934fcf3e2536a264de077493370531dd394429d692ca13a84d69d0aaf561d561f73c87b9f6fded706a759d2a1095789596a295795b686c90674ea1a3b582e32e5f5d0a08c685639ee5e9d8381ec102352a6bb4774fd8af770d88bc14abba20c5bcfe543ac7d71937873dbc033e68f81a1220571b348ac80c9b3ce8036252a6d5b4ebcfb381e540d0c4f7eaa4e1978056e261997a70a7b063ff7b3902985db8063e45664f59e7b5a583448883873b7de53", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6f20ba7d552fb9c436caf4cc7cbea4b3", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "LgCoreTemp.sys" - ] - }, - { - "Id": "4b047bb8-c605-4664-baed-25bb70e864a1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create Black.sys binPath=C:\\windows\\temp\\Black.sys type=kernel && sc.exe start Black.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Black.sys", - "SHA256": "d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "Black.sys" - ] - }, - { - "Id": "a7775cbe-624b-4b04-b74f-969f77c2ac02", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create viragt64.sys binPath=C:\\windows\\temp\\viragt64.sys type=kernel && sc.exe start viragt64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "viragt64.sys", - "MD5": "43830326cd5fae66f5508e27cbec39a0", - "SHA1": "05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d", - "SHA256": 
"58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", - "Signature": [ - "TG Soft S.a.s. Di Tonello Gianfranco e C.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "TG Soft S.a.s.", - "Description": "VirIT Agent System", - "Product": "VirIT Agent System", - "ProductVersion": "1, 0, 0, 11", - "FileVersion": "1, 0, 0, 11", - "MachineType": "AMD64", - "OriginalFilename": "viragt64.sys", + "FileName": "cpuz.sys", + "MD5": "fe820a5f99b092c3660762c6fc6c64e0", + "SHA1": "fad8e308f6d2e6a9cfaf9e6189335126a3c69acb", + "SHA256": "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961", "Authentihash": { - "MD5": "68a2f77cfa5aec4556b4276852be637f", - "SHA1": "0188096c79f0cdde9233e52d4117c0f53e667e3d", - "SHA256": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78" + "MD5": "97861c7d308c22f4db08d08ce912fced", + "SHA1": "368c63d2f393ef65f8107d175174e9eaa13d993e", + "SHA256": "3966d4b1e4f5442b8507f91b6dbde3523657b47fd2945d990249605727d231ec" }, - "InternalName": "viragt.sys", - "Copyright": "Copyright (C) TG Soft S.a.s. 
2011, 2016 - www.tgsoft.it", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2012 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "mbstowcs", - "ExAllocatePoolWithTag", - "KeSetTargetProcessorDpc", - "ZwCreateKey", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "KeInitializeMutex", "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "strstr", "RtlInitUnicodeString", "IoDeleteDevice", + "KeInitializeEvent", "RtlInitAnsiString", - "ZwSetValueKey", - "_strupr", - "KeInitializeDpc", - "ZwQuerySystemInformation", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "ZwSetInformationFile", - "KeReleaseMutex", - "KeDelayExecutionThread", - "ZwCreateFile", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "ExSystemTimeToLocalTime", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "KeInsertQueueDpc", - "ZwEnumerateValueKey", - "ZwClose", - "sprintf", - "ObReferenceObjectByHandle", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", + "IofCompleteRequest", "KeWaitForSingleObject", - "RtlTimeToTimeFields", - "MmProbeAndLockPages", - "ZwOpenProcess", - "MmUnlockPages", + "PsGetVersion", "IoCreateSymbolicLink", "MmIsAddressValid", "ObfDereferenceObject", "IoCreateDevice", - "ZwTerminateProcess", - "KeNumberProcessors", - "ZwQueryInformationFile", - "MmIsNonPagedSystemAddressValid", - "ZwWriteFile", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "IoAllocateMdl", - "ZwOpenKey", - "ObOpenObjectByName", - "swprintf", - "RtlUnicodeStringToAnsiString", - "ZwOpenDirectoryObject", - "IoFileObjectType", - "IoDriverObjectType", - "ZwQueryDirectoryObject", - "wcstombs", - 
"KeQueryActiveProcessors", + "IofCallDriver", "KeBugCheckEx", - "IofCompleteRequest", - "ExQueueWorkItem", - "__C_specific_handler", - "__chkstk", - "KeStallExecutionProcessor" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services 
CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
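Review bot: The new side changes the per-sample schema, not only the data: `"CertificatesInfo": ""` becomes `"CertificatesInfo": []`, the sample key `"Filename"` becomes `"FileName"`, and the added cpuz.sys samples carry no `Signature`, `Date` or `Publisher` keys at all (the removed speedfan/LgCoreTemp samples had them). If the Go types in pkg/loldrivers still declare CertificatesInfo as a string, unmarshaling this file will fail on the array; Go's case-insensitive field matching tolerates the key rename but not the type change, and I cannot see the struct from this diff, so please confirm it is updated in the same commit (e.g. `CertificatesInfo json.RawMessage` or `[]any`). Code that reads `Signature` for display or matching should now treat that key as optional rather than assuming it is present. The cpuz.sys entry this hunk edits begins before the hunk and the enclosing top-level array continues past it.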
@@ -37001,10 +23325,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2016-01-20 00:00:00", - "ValidTo": "2019-03-11 23:59:59", - "Signature": "629f1e9a0f9ce5d38b9d6a8dd11af5b17d415d1891039677a3bc1ead43fdf569a403413d461fcfd48f76688244a7a7115e5408682f43319e9526d6dce0fd8ec4a0599331dc94ed2bb68aca4d58e63472587d17cea864ff3cf9ce209f122d904dfafb0db7cab4648b5b903922150f153a527764236b0222d9c1d51ff9631b87fba8b7b079b2ec5839af1be2c721dcebfa5dba429157f785d3a4929c785422ea5d2dacdc68dd1b3ca98c81aba0d7e232fefa7065e861fe51480983ed865dad87663c3a8c505c047ac1b6983917657497403bd7d0df0c71860aa2bec36b1954b1d2dc987e20e71c193f1e59a627c8d6a345b8f7e9b21f0841636672190217727209", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -37017,123 +23341,69 @@ ], "Signer": [ { - "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "viragt64.sys" - ] - }, - { - "Id": "855ade1f-8a9e-4c9d-ab8e-d7e409609852", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create elbycdio.sys binPath=C:\\windows\\temp\\elbycdio.sys type=kernel && sc.exe start elbycdio.sys", - "Description": "elbycdio.sys is a vulnerable driver. CVE-2009-0824.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - " https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "elbycdio.sys", - "MD5": "ae5eb2759305402821aeddc52ba9a6d6", - "SHA1": "3599ea2ac1fa78f423423a4cf90106ea0938dde8", - "SHA256": "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b", - "Signature": [ - "Elaborate Bytes AG", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "Elaborate Bytes AG", - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "FileVersion": "6, 0, 2, 0", - "MachineType": "I386", - 
"OriginalFilename": "ElbyCDIO.sys", + "FileName": "cpuz.sys", + "MD5": "262969a3fab32b9e17e63e2d17a57744", + "SHA1": "363b907c3b4f37968e9c8e1b7eeca5a5c5d530f8", + "SHA256": "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512", "Authentihash": { - "MD5": "1e7d48bdea295db001ff57b6d05d99a2", - "SHA1": "95a797b14c5718495e847f1aa7a5b554d1855893", - "SHA256": "45b7ec74cc78651975d01d88308f3231df4c96036d6c2273d79f53abdfc8888c" + "MD5": "7c8e917e5adba8b20bea898d4b966c6c", + "SHA1": "570496ebc3c4010b48c3703652fdfcb60352798b", + "SHA256": "98c86fcf018822289340d248f5e2896c41ad0f284febb741b945312ff40bdfa3" }, - "InternalName": "ElbyCDIO", - "Copyright": "Copyright (C) 2000 - 2009 Elaborate Bytes AG", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwWriteFile", - "ZwCreateFile", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwOpenFile", - "ZwClose", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "PsTerminateSystemThread", - "KeWaitForSingleObject", - "ZwSetInformationThread", - "KeSetEvent", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "PsCreateSystemThread", + "IoDeleteDevice", "KeInitializeEvent", - "KeReleaseMutex", - "ZwReadFile", - "IofCompleteRequest", - "KeInitializeMutex", - "ExAllocatePool", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", "RtlInitAnsiString", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "_except_handler3", - "ProbeForRead", - "ProbeForWrite", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", 
+ "ExFreePoolWithTag", + "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "KeTickCount", + "IofCallDriver", "KeBugCheckEx", - "KeInitializeSpinLock", - "ExFreePool", - "PsGetCurrentProcessId", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeQueryPerformanceCounter" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -37151,123 +23421,92 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2008-12-23 13:26:11", - "ValidTo": "2011-12-23 13:26:11", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software 
Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011e643e96d0", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "elbycdio.sys" - ] - }, - { - "Id": "61514cbd-6f34-4a3e-a022-9ecbccc16feb", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create atillk64.sys binPath=C:\\windows\\temp\\atillk64.sys type=kernel && sc.exe start atillk64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "atillk64.sys", - "MD5": "62f02339fe267dc7438f603bfb5431a1", - "SHA1": "c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65", - "SHA256": 
"5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a", - "Signature": [ - "ATI Technologies, Inc", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "\"ATI Technologies, Inc\"", - "Company": "ATI Technologies Inc.", - "Description": "ATI Diagnostics Hardware Abstraction Sys", - "Product": "ATI Diagnostics", - "ProductVersion": "5.11.9.0", - "FileVersion": "5.11.9.0", - "MachineType": "AMD64", - "OriginalFilename": "atillk64.sys", + "FileName": "cpuz.sys", + "MD5": "17719a7f571d4cd08223f0b30f71b8b8", + "SHA1": "f9c916d163b85057414300ca214ebdf751172ecf", + "SHA256": "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c", "Authentihash": { - "MD5": "281880f5f33d1aab062ceccd237ef992", - "SHA1": "e8e533d9e8df018648ccbafbd6081507f5c0f41a", - "SHA256": "126719d008d106b7100ae47ed47666c1334701bd7ddb32d5b8e84048f258700f" + "MD5": "93bf28533aa6e63dc8b80b998b0814af", + "SHA1": "413ed5609215f4a6cee3b7b357eb594902a817f5", + "SHA256": "1399e65aa55c898a6cd5fb32d4b19f5bbaf69c56c1383963c99b7a0804eb0203" }, - "InternalName": "atillk64.sys", - "Copyright": "Copyright (C) ATI Technologies Inc., 2003", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmMapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", - "RtlInitUnicodeString", + "KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "IoAllocateMdl", + "IofCallDriver", "KeBugCheckEx", - "MmMapLockedPages", - "IoCreateSymbolicLink", "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", "HalSetBusDataByOffset", + "KeStallExecutionProcessor", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -37292,10 +23531,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", - "ValidFrom": "2009-02-25 00:00:00", - "ValidTo": "2012-03-20 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -37308,293 +23547,289 @@ ], "Signer": [ { - "SerialNumber": "3de959ef88a52c10bc8511ef057c233f", + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "atillk64.sys" - ] - }, - { - "Id": "f93e88c2-d0e8-4347-869f-efa568955e9d", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create WYProxy64.sys binPath=C:\\windows\\temp\\WYProxy64.sys type=kernel && sc.exe start WYProxy64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "WYProxy64.sys", - "SHA256": "fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "WYProxy64.sys" - ] - }, - { - "Id": "cfdc5cb4-be5c-4dcc-a883-825fa72115b4", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create PanMonFlt.sys binPath=C:\\windows\\temp\\PanMonFlt.sys type=kernel && sc.exe start PanMonFlt.sys", - "Description": "", - "Usecase": "Elevate 
privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "FileName": "cpuz.sys", + "MD5": "21be10f66bb65c1d406407faa0b9ba95", + "SHA1": "86e59b17272a3e7d9976c980ded939bf8bf75069", + "SHA256": "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22", + "Authentihash": { + "MD5": "9328ac41d0afb80914780b9474c0bca0", + "SHA1": "e8f4f4e2a672d845d897f36646d8339597135050", + "SHA256": "c0ed71b491aec860932fe92e5527ef444d537b396186ac839d5ed0884cfcaf0c" + }, + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", + "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" + ], + "Signatures": 
[ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, { - "Filename": "PanMonFlt.sys", - "MD5": "2850608430dd089f24386f3336c84729", - "SHA1": "a6816949cd469b6e5c35858d19273936fab1bef6", - "SHA256": "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7", - "Signature": [ - "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. 
Sti.", - "Description": "PanCafe Manager File Monitor", - "Product": "PanCafe Manager", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "I386", - "OriginalFilename": "PanMonFlt.sys", + "FileName": "cpuz.sys", + "MD5": "4885e1bf1971c8fa9e7686fd5199f500", + "SHA1": "388068adc9ec46a0bbc8173bcb0d5f9cf8af6ea5", + "SHA256": "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43", "Authentihash": { - "MD5": "850ca45e16991f9560f708bf7a186754", - "SHA1": "800256c84e09de2c001868c0ec35211f6e9ad92a", - "SHA256": "348679f0f44eb5a50601c48728a5afd2b4312c95eeb7179ce57d447c0d30f873" + "MD5": "92c5a8d936bb2ef7802aaa15c877e866", + "SHA1": "340024982f9ad5c2722bab8cddec9d32f0efdc7c", + "SHA256": "313a69d8eea6a933cffac0fa67d46ad9aef0815bb579fce7623d9be825888e30" }, - "InternalName": "PanMonFlt.sys", - "Copyright": "Copyright (c) 2012-2014 Pan Yazılım Bilisim Teknolojileri Tic. Ltd. Sti.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2013 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "FLTMGR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExfInterlockedInsertTailList", - "RtlEqualUnicodeString", - "KeTickCount", - "ExfInterlockedRemoveHeadList", - "IoVolumeDeviceToDosName", - "RtlAppendUnicodeStringToString", - "DbgPrint", - "RtlAppendUnicodeToString", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "RtlCopyUnicodeString", - "memset", - "memcpy", - "ExAllocatePoolWithTag", - "PsGetCurrentThreadId", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ExFreePoolWithTag", - "IoQueryFileDosDeviceName", - "RtlUnwind", + "IofCompleteRequest", + 
"KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "FltUnregisterFilter", - "FltQueryInformationFile", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor", - "FltCreateCommunicationPort", - "FltFreeSecurityDescriptor", - "FltStartFiltering", - "FltGetStreamHandleContext", - "FltSetInformationFile", - "FltDeleteContext", - "FltAllocateContext", - "FltSetStreamHandleContext", - "FltReleaseContext", - "FltIsDirectory", - "FltParseFileName", - "FltSendMessage", - "FltCloseClientPort", - "FltCloseCommunicationPort" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, 
CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. 
STI.", - "ValidFrom": "2014-04-15 15:12:40", - "ValidTo": "2015-04-15 10:41:35", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121506480253469e07e54ee8612041fbb92", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "PanMonFlt.sys" - ] - }, - { - "Id": "48bc2815-85ec-4436-a51a-69810c8cb171", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create driver7-x64.sys binPath=C:\\windows\\temp\\driver7-x64.sys type=kernel && sc.exe start driver7-x64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "driver7-x64.sys", - "MD5": "715f8efab1d1c660e4188055c4b28eed", - "SHA1": "7ba19a701c8af76988006d616a5f77484c13cb0a", - "SHA256": "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "ASUStek", - "Description": "The driver for the ECtool driver-based tools", - "Product": "EC tool", - "ProductVersion": "2.5", - "FileVersion": "2.5.0.2", - "MachineType": "AMD64", - 
"OriginalFilename": "Driver7", + "FileName": "cpuz.sys", + "MD5": "ab4ee84e09b09012ac86d3a875af9d43", + "SHA1": "3c81cdfd99d91c7c9de7921607be12233ed0dfd8", + "SHA256": "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486", "Authentihash": { - "MD5": "7f66b6e24dc4f3af2f19ad9a95b1e9fa", - "SHA1": "5ad545cf58d644be2fc3382881cc07f0f7edfeba", - "SHA256": "d8f7ddf5de213c6dc0356dc83b6307ec596e66c33c3cdd826a612c12004ba9dc" + "MD5": "654f9a768f518e632c99309bd4c1145b", + "SHA1": "a5f086835d7c2883ad8d985772d02a9a8815bcbb", + "SHA256": "d4e93f592a8342b0eb582d24a114348ce40ecb3c1e7b238d731b02e17d5aae7d" }, - "InternalName": "Driver7.sys", - "Copyright": "Copyright ", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2012 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "IoWMIQueryAllData", - "ZwMapViewOfSection", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "IoWMIOpenBlock", - "MmGetPhysicalAddress", - "ZwUnmapViewOfSection", - "ZwClose", - "ExAllocatePoolWithTag", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "RtlAssert", - "ZwOpenSection", - "IoDeleteSymbolicLink", "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", + "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "IofCompleteRequest", - "DbgPrint", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + 
"HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -37626,10 +23861,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -37642,137 +23877,72 @@ ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "driver7-x64.sys" - ] - }, - { - "Id": "1ed9d02f-17cf-43dd-9645-a54452468a5e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create WinIo64C.sys binPath=C:\\windows\\temp\\WinIo64C.sys type=kernel && sc.exe start WinIo64C.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WinIo64C.sys", - "SHA1": "b242b0332b9c9e8e17ec27ef10d75503d20d97b6", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" }, { - "Filename": "WinIo64C.sys", - "SHA1": "a65fabaf64aa1934314aae23f25cdf215cbaa4b6", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "WinIo64C.sys" - ] - }, - { - "Id": "2651f5c4-d9e1-4b06-92be-e9e7313f87c4", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": 
"T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create asio.sys binPath=C:\\windows\\temp\\asio.sys type=kernel && sc.exe start asio.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "asio.sys", - "MD5": "bedc99bbcedaf89e2ee1aa574c5a2fa4", - "SHA1": "160a237295a9e5cbb64ca686a84e47553a14f71d", - "SHA256": "0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6", + "FileName": "cpuz.sys", + "MD5": "743c403d20a89db5ed84c874768b7119", + "SHA1": "dc8fa4648c674e3a7148dd8e8c35f668a3701a52", + "SHA256": "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e", "Authentihash": { - "MD5": "7bb2dcc29ba50372d08fea800c190f09", - "SHA1": "e5c090903a20744ba3583a8ea684d035e8cecc34", - "SHA256": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3" + "MD5": "4c2f42ab19a70ee6a2cb936329b34aff", + "SHA1": "742a9fc918c7bb2b1707412c703d7b7674ed1094", + "SHA256": "fd8d61102719afb0b8a230d9e8c372af3396bec4a6d72aada42a1f1d36187751" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwClose", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", + "ObfDereferenceObject", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "MmMapIoSpace", + "ProbeForWrite", "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest", - "KeDelayExecutionThread", - "HalTranslateBusAddress" + "KeTickCount", + "KeBugCheckEx", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "RtlInitAnsiString", + "KeWaitForSingleObject", + "RtlUnwind", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -37780,83 +23950,99 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2014-12-19 19:27:34", - "ValidTo": "2016-03-19 19:27:34", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000001dc31a761624754f8000000000001d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO32.sys", - "MD5": "2ca1044a04cb2f0ce5bd0a5832981e04", - "SHA1": "8b86c99328e4eb542663164685c6926e7e54ac20", - "SHA256": "1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a", + "FileName": "cpuz.sys", + "MD5": "e0bfbdf3793ea2742c03f5a82cb305a5", + "SHA1": "a6a71fb4f91080aff2a3a42811b4bd86fb22168d", + "SHA256": "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e", "Authentihash": { - "MD5": "3824dd56459d29ffc5d4bb51d7123778", - "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", - "SHA256": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9" + "MD5": 
"a85d9912baf9994b0fabf924f6a66e9b", + "SHA1": "04defcae6548e92ea76bd7069a672a7e1067b995", + "SHA256": "d1c71a98e10105faa0814fec3544474d86ae0e8f88efd77798a716adad3994a2" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", + "Description": "CPUID Driver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "WRITE_REGISTER_ULONG", - "MmAllocateContiguousMemory", - "IofCompleteRequest", - "ZwUnmapViewOfSection", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", "IoCreateDevice", - "KeTickCount", - "WRITE_REGISTER_USHORT", - "WRITE_REGISTER_UCHAR", - "READ_REGISTER_ULONG", - "READ_REGISTER_USHORT", - "READ_REGISTER_UCHAR", - "KeQuerySystemTime", - "MmGetPhysicalAddress", - "KeDelayExecutionThread", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "HalTranslateBusAddress", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG" + "IofCallDriver", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "IoDeleteDevice", + "ProbeForWrite", + "MmMapIoSpace", + "KeInitializeEvent", + "RtlInitAnsiString", + "IofCompleteRequest", + "KeWaitForSingleObject", + "KeBugCheckEx", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "PsGetVersion", + "RtlUnwindEx", + 
"HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -37864,47 +24050,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2014-12-19 19:27:34", - "ValidTo": "2016-03-19 19:27:34", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000001dc31a761624754f8000000000001d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "40f39a98fb513411dacdfc5b2d972206", - "SHA1": "fe02ae340dc7fe08e4ad26dab9de418924e21603", - "SHA256": "26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40", + "FileName": "cpuz.sys", + "MD5": "22ca5fe8fb0e5e22e6fb0848108c03f4", + "SHA1": "bec66e0a4842048c25732f7ea2bbe989ea400abf", + "SHA256": "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3", "Authentihash": { - "MD5": "8c33214968ec9043fa1c6abf1911e06d", - "SHA1": "3075f1fc419a62544b291d02e9067783cb0fd1f3", - "SHA256": "5aa7a47c7abaf13453b8ab309ef16bdd80ceaf7407e67fa27932d4591f025d67" + "MD5": 
"b1113bc5a8f67468ae6e0183c60be10a", + "SHA1": "bbea7d9b8672ca30c6a8f49e913f110720d4753c", + "SHA256": "55e3b977402be076bfafe332a3fb29ddb6b02edf932d02e963df09adbe89eb91" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2017 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", @@ -37912,34 +24119,33 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -37947,109 +24153,102 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms 
of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "19f32bf24b725f103f49dc3fa2f4f0bd", - "SHA1": "e40ea8d498328b90c4afbb0bb0e8b91b826f688e", - "SHA256": "2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396", + "FileName": "cpuz.sys", + "MD5": "3ab94fba7196e84a97e83b15f7bcb270", + "SHA1": "bea745b598dd957924d3465ebc04c5b830d5724f", + "SHA256": "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf", "Authentihash": { - "MD5": "cf61dd8f9a187de6219f930866defcbd", - "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", - "SHA256": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" + "MD5": "96c15399e89e9bca402ed660f90e1b98", + "SHA1": "1b4335f92c6137f56c8f98e5b79fc7af67af2a24", + "SHA256": "55a69f740a77fc07073c3d077d029dfb2dbe4b673171167e7310bd857eb55982" }, - "Description": "", - "Company": "", - "InternalName": "", - 
"OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2013 CPUID", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetEvent", - "KeDelayExecutionThread", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", - "RtlGetVersion", - "IoIs32bitProcess", - "ObReferenceObjectByHandle", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "MmUnmapIoSpace", + "RtlInitAnsiString", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlUnwind", + "KeTickCount", "KeBugCheckEx", - "DbgPrint", - "RtlCopyUnicodeString", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "HalSetBusDataByOffset", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", "HalGetBusDataByOffset", - "HalTranslateBusAddress" + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + 
"READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -38057,83 +24256,110 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2021-10-22 00:00:00", - "ValidTo": "2024-10-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"0bbe02c8838fbf02ab56edabb1e34c19", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "asio.sys", - "MD5": "bfe96411cf67edb3cee2b9894b910cd5", - "SHA1": "67dfd415c729705396ce54166bd70faf09ac7f10", - "SHA256": "48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9", + "FileName": "cpuz.sys", + "MD5": "e323413de3caec7f7730b43c551f26a0", + "SHA1": "f3c20ce4282587c920e9ff5da2150fac7858172e", + "SHA256": "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26", "Authentihash": { - "MD5": "3824dd56459d29ffc5d4bb51d7123778", - "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", - "SHA256": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9" + "MD5": "972f2ce8097eda301f27a53fcf2b9865", + "SHA1": "aba5185a6ebdb040c5e4b8b8eaa44382eb705aec", + "SHA256": "157ae92541eda2f5035435c63e1654adfa45c06e37b05cbb60d76a63daa93f04" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "WRITE_REGISTER_ULONG", - "MmAllocateContiguousMemory", - 
"IofCompleteRequest", - "ZwUnmapViewOfSection", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "MmMapIoSpace", + "ExFreePoolWithTag", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "KeTickCount", - "WRITE_REGISTER_USHORT", - "WRITE_REGISTER_UCHAR", - "READ_REGISTER_ULONG", - "READ_REGISTER_USHORT", - "READ_REGISTER_UCHAR", - "KeQuerySystemTime", - "MmGetPhysicalAddress", - "KeDelayExecutionThread", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "HalTranslateBusAddress", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG" + "DbgPrintEx", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38141,17 +24367,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -38169,10 +24395,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -38185,7 +24411,7 @@ ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -38193,23 +24419,23 @@ ] }, { - "FileName": "asio.sys", - "MD5": "ea14899d1bfba397bc731770765768d1", - "SHA1": "c775ca665ed4858acc3f7e75e025cbbda1f8c687", - "SHA256": "506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28", + "FileName": "cpuz.sys", + "MD5": "c9c25778efe890baa4087e32937016a0", + "SHA1": "f4728f490d741b04b611164a7d997e34458e3a5e", + "SHA256": "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668", "Authentihash": { - "MD5": "9fd03554246c6c74c232919c680d7be8", - "SHA1": "b25550309c902a21b03367ae27694c5a29b891b5", - "SHA256": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614" + "MD5": "ccc4847b99e359c72448de9f9f0981f1", + "SHA1": "9e771be7100b166ba79aeeea58aa3dee44c09d6b", + "SHA256": "6b9090296a10225be115810e29e8ada4f70e4d4a8f88b385ccd9a8a6d2eb6778" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -38217,22 +24443,30 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "ZwClose", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", "IoCreateDevice", + "IofCallDriver", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "IoDeleteDevice", + "ProbeForWrite", + "MmMapIoSpace", + "KeInitializeEvent", + "RtlInitAnsiString", "IofCompleteRequest", - "KeDelayExecutionThread", - "HalTranslateBusAddress" + "KeWaitForSingleObject", + "KeBugCheckEx", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "PsGetVersion", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38240,89 +24474,108 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", - "ValidFrom": "2011-09-02 00:00:00", - "ValidTo": "2014-09-01 23:59:59", - "Signature": "5238793a97b2868da546597dbe0a1fba197ae635b9f53b53e26758194d749767e05fb1ce407fd31469376b37c67d5d48bc834f970ac733cd63d557e8a3be20a1fbf9d09e7a5c6c4ebd6fc18a68d0842d2ffdf6f79142d914c6521d227014040fa12f2afb3878aa065cfbed7fa29091b4fe54ea6237a0e1f8f183d0573ebb5bfe712cee4c49bd0b2f40c33bfcf0c7de0bc51ce01a70d14072d4d01216f36e388159220a4d8e3250ddccd71c7ef8a93a26edda2e959b598703a85fa391630e052454e31390dd82d69afee5df2f287bdce8f45f6363c27e6e23ab92faefc7e8d78c10cc1f936f33c36a134cb8820b5749ff479f70834bd99d8e15ad79a1cb3d7ebf", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", 
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "43bb437d609866286dd839e1d00309f5", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO2.sys", - "MD5": "09672532194b4bff5e0f7a7d782c7bf2", - "SHA1": "aa2ea973bb248b18973e57339307cfb8d309f687", - "SHA256": "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a", + "FileName": "cpuz.sys", + "MD5": "2f8653034a35526df88ea0c62b035a42", + "SHA1": "68ca9c27131aa35c7f433dc914da74f4b3d8793f", + "SHA256": "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036", "Authentihash": { - "MD5": "9387de920b7da0bd65f15323feed6a18", - "SHA1": "92fee95e32a727d135f1f46ca98c201fffbf6950", - "SHA256": "9c7ad854f6670452d7da064d4b429eb90c42155b6f7eaa52ee471d9ee8b61e6f" + "MD5": "a5f87835956f86d2acccd4c8012a4fcd", + "SHA1": "2e37b05cd1bafe18e0a1a33560b0ec5aa99b0192", + "SHA256": "e650b4e4b5a95cba582b9749cac4c40e67e854d78eb8494f46f6d11f1fcea4d6" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": 
"", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoIs32bitProcess", - "RtlCopyUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "RtlCompareUnicodeString", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "__C_specific_handler", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "MmUnmapIoSpace", + "MmMapIoSpace", + "ProbeForWrite", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlUnwind", + "KeTickCount", "KeBugCheckEx", - "ObReferenceObjectByHandle", "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "RtlInitAnsiString", + "KeWaitForSingleObject", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -38330,103 +24583,99 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + 
"Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "ba23266992ad964eff6d358d946b76bd", - "SHA1": "d1670bd08cfd376fc2b70c6193f3099078f1d72f", - "SHA256": "71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d", + "FileName": "cpuz.sys", + "MD5": "e747f164fc89566f934f9ec5627cd8c3", + "SHA1": "a958734d25865cbc6bcbc11090ab9d6b72799143", + "SHA256": "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02", "Authentihash": { - "MD5": "ace2d8ea30005bce12b1421f431bc39c", - "SHA1": "f084b6ba134b23e06f5867e650ba4eb9d1007231", - "SHA256": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61" + "MD5": "b98238e731280f6d726e61b0016cb877", + "SHA1": "820a00a0e0fc628d06ac1f779eb9e88d613d8934", + "SHA256": "b46fb3ed5a7a84ef594ab0b76f384aa2dca0614574478fb98308806612609465" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2017 CPUID", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - 
"IofCompleteRequest", - "IoCreateDevice", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "IoCreateDevice", + "KeTickCount", "KeBugCheckEx", - "IoIs32bitProcess", + "IofCompleteRequest", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ProbeForWrite", + "IoDeleteDevice", "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "RtlUnwindEx", + "RtlPcToFileHeader", + "READ_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "READ_PORT_UCHAR", + "HalCallPal", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -38434,68 +24683,61 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO2.sys", - "MD5": "f4e1997192d5a95a38965c9e15c687fc", - "SHA1": "d3b23a0b70d6d279abd8db109f08a8b0721ce327", - "SHA256": "72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de", + "FileName": "cpuz.sys", + "MD5": "c08063f052308b6f5882482615387f30", + "SHA1": "252157ab2e33eed7aa112d1c93c720cadcee31ae", + "SHA256": "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba", "Authentihash": { - "MD5": "00222ac0100839199b77ebb2c911eda5", - "SHA1": "bb4bff7156e15818a9e6344bad411587f3dcc0a1", - "SHA256": "0e955e57f078a2c0de7d113e85859bb3e0fcac772a5a1b9b9709a90a86ef4cd5" + "MD5": "a28d6b501a18377685e448a214f370a6", + "SHA1": "732fdb7d346543552b44e6d127fa907df7ef8d81", + "SHA256": "942a7b2ebca0edeff5803c8f899ee455c0ec279542c41d2db2664d58c1025c86" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", "MachineType": "AMD64", 
"Imports": [ "ntoskrnl.exe", @@ -38503,35 +24745,33 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", + "MmIsAddressValid", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "RtlCompareUnicodeString", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "__C_specific_handler", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38539,109 +24779,98 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO3_64.sys", - "MD5": "07efb8259b42975d502a058db8a3fd21", - "SHA1": "9f22ebcd2915471e7526f30aa53c24b557a689f5", - "SHA256": 
"7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8", + "FileName": "cpuz.sys", + "MD5": "549e5148be5e7be17f9d416d8a0e333e", + "SHA1": "6d9e22a275a5477ea446e6c56ee45671fbcbb5f6", + "SHA256": "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c", "Authentihash": { - "MD5": "9a476899b3d01439880bcc7ae9991d47", - "SHA1": "ac07c5670916f6c3949a49036460ac08ec43a582", - "SHA256": "54231728c29f2d2003ec575729760369bb72be7b656b52b4f02ec198f4ee4dfd" + "MD5": "00556fc028ef505e2a528e054c435923", + "SHA1": "f645fd2deb256b7e3b8dcb7213c4fb61f2e209ec", + "SHA256": "c2159219e9986ab9e07e00a87fb83835230a2b99174e7f9b94096046c2dace55" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetEvent", - "KeDelayExecutionThread", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", + "PsGetVersion", "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", - "RtlGetVersion", - "IoIs32bitProcess", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "KeBugCheckEx", - "DbgPrint", - "RtlCopyUnicodeString", - "IoDeleteSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "IofCompleteRequest", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ProbeForWrite", + "IoDeleteDevice", "RtlInitUnicodeString", - "HalSetBusDataByOffset", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "READ_PORT_USHORT", + "WRITE_PORT_ULONG", "HalGetBusDataByOffset", - "HalTranslateBusAddress" + "HalSetBusDataByOffset", + "READ_PORT_UCHAR", + "HalCallPal", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -38649,47 +24878,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2021-10-22 00:00:00", - "ValidTo": "2024-10-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "1414629b1ee93d2652ff49b2eb829940", - "SHA1": "df58f9b193c6916aaec7606c0de5eba70c8ec665", - "SHA256": "7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7", + "FileName": "cpuz.sys", + "MD5": "d0c2caa17c7b6d2200e1b5aa9d07135e", + "SHA1": "bad84fca57ab0ef0af9230a93e0cc3d149f9ccd0", + "SHA256": "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe", "Authentihash": { - "MD5": "cf61dd8f9a187de6219f930866defcbd", - "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", - "SHA256": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" + "MD5": "1a595aaefa6bd782d63e97de4fcec464", + "SHA1": 
"eae1ab9e3aac1a4de139993b7e63542befccf0df", + "SHA256": "6045d564286f00fc1efedd25ffd22ecb7eaf2b3a6c778e392319380c77e45658" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -38697,40 +24947,34 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetEvent", - "KeDelayExecutionThread", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "MmMapIoSpace", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", - "RtlGetVersion", - "IoIs32bitProcess", - "ObReferenceObjectByHandle", + "MmIsAddressValid", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "KeBugCheckEx", + "IoCreateDevice", "DbgPrint", - "RtlCopyUnicodeString", + "IofCallDriver", + "KeBugCheckEx", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "RtlUnwindEx", "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "HalTranslateBusAddress" + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38738,47 +24982,75 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": 
"1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2021-10-22 00:00:00", - "ValidTo": "2024-10-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "67e03f83c503c3f11843942df32efe5a", - "SHA1": "b0c7ec472abf544c5524b644a7114cba0505951e", - "SHA256": "7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456", + "FileName": "cpuz.sys", + "MD5": "f310b453ac562f2c53d30aa6e35506bb", + "SHA1": "eb44a05f8bba3d15e38454bd92999a856e6574eb", + "SHA256": "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0", "Authentihash": { - "MD5": "a41fc38c2ffe9e5097c8d781a89bbbe9", - "SHA1": "a248637b54b10942743e0caf8698ce8b84559f79", - "SHA256": "9512115b60e67fa268a7463119add2404150842bb3dffa41124b12dd9cb580a2" + "MD5": "423e8ee5a464bc64032924ee428b40af", + "SHA1": "37552fe06a39175032793e6317d124008a892f18", + "SHA256": "abf635a246752555868f203a565ead519c9ada06ea007545a47bf352678c342a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + 
"Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", @@ -38786,34 +25058,32 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38821,68 +25091,61 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO64.sys", - "MD5": "85b756463ab0c000f816260d49923cde", - "SHA1": "de0c16e3812924212f04e15caa09763ae4770403", - "SHA256": "841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b", + "FileName": "cpuz.sys", + "MD5": "aa69b4255e786d968adbd75ba5cf3e93", + "SHA1": "af5f642b105d86f82ba6d5e7a55d6404bfb50875", + "SHA256": "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289", "Authentihash": { - "MD5": "e0f8fb00de2a72c7808c94223cea5145", - "SHA1": "cbe317096adb8eba45f7e8b22830257ff8625514", - "SHA256": 
"e304e5d70d3f986f623fad7f4355d5218d8c1681e423b02db0946cbe1503eb76" + "MD5": "2d28bedef20cc63f0ae1b726a5cb34e0", + "SHA1": "92524be5b5320c3e08d880ecbcd36a9c8037a921", + "SHA256": "47c9323ae818bd2a3b55fc04abd984bd940cd4e27b6d4af311edcb66988ce941" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", @@ -38890,21 +25153,32 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "DbgPrint", + "ProbeForWrite", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "IoDeleteSymbolicLink", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "IoDeleteSymbolicLink", - "KeDelayExecutionThread", - "HalTranslateBusAddress" + "IofCallDriver", + "KeBugCheckEx", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -38912,17 +25186,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", 
+ "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -38932,24 +25206,24 @@ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2006-06-27 00:00:00", - "ValidTo": "2007-07-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "284649f592786c4851c1138e364185ae", + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] 
@@ -38957,58 +25231,64 @@ ] }, { - "FileName": "AsIO3_64.sys", - "MD5": "598f8fb2317350e5f90b7bd16baf5738", - "SHA1": "a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae", - "SHA256": "910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135", + "FileName": "cpuz.sys", + "MD5": "3411fdf098aa20193eee5ffa36ba43b2", + "SHA1": "ad05bff5fe45df9e08252717fc2bc2af57bf026f", + "SHA256": "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc", "Authentihash": { - "MD5": "ace2d8ea30005bce12b1421f431bc39c", - "SHA1": "f084b6ba134b23e06f5867e650ba4eb9d1007231", - "SHA256": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61" + "MD5": "41fd82e071d4afdfd8a895d0ab4fb568", + "SHA1": "b72edd113acbd4bb98374b80c1d238eb1e348f15", + "SHA256": "3b2a3b74127c7ecf095e0fe5a65af31b9701d2ba6dc2a4d87882de65d84842c0" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - 
"ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "MmUnmapIoSpace", + "RtlInitAnsiString", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", "KeBugCheckEx", - "IoIs32bitProcess", "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "RtlUnwind", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -39016,102 +25296,99 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", 
- "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "646eaa59a80117077ed7d80227a6c3be77f3d9acdc0927d1299369e5636dbb773b61e91390d181178f88e5b92c7cc0c1b851541ee781380f7ac0425fea8a292a9cf93c7f851701db11dd13c8c0e97fd254839b81fdfd7e0a9a520c43186f4c834daa920b8a8e7ddd0048a55a5b7034675394a914b91258751c59b6d9d60ce1d17565fbdcd99311bcbe7e386807ecc186248ddbbb4bae2e4192a0509d661cd307c28a79c6b914854728463b7b39515869858c4975e0fbdd74188afa81c729682705f73bf80e839897b1d61d8deeabb53744e938b4b918fced39ca7dff3076c7f2dca4ddda8621a81fc493480456966901e29041821b116294bc98b445ebb05c33", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "asio.sys", - "MD5": "2b4e66fac6503494a2c6f32bb6ab3826", - "SHA1": "ed219d966a6e74275895cc0b975b79397760ea9f", - "SHA256": "923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782", + "FileName": "cpuz.sys", + "MD5": "f60a9b88c6ff07d4990d8653d0025683", + "SHA1": "0cc60a56e245e70f664906b7b67dfe1b4a08a5b7", + "SHA256": "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63", "Authentihash": { - "MD5": "1b20fb8ed378500e83656fd527ac48c4", - "SHA1": "e471ba6d1327d1026eb2c6a905e2bad3952dabbd", - "SHA256": "ed302ea33feb557b879f64c4b7835947a9ca31054573e1487f5bbc38449753ff" + "MD5": "a3d5faa9e1a6f47f8e0a23ef837afe38", + "SHA1": "bb21b535fa0adaef1a9a29759e0d2b2a5faf1965", + "SHA256": "5e9099b95b2074fecc6efa6d59552651b1e082aaa3612889f417064d378a797f" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": 
"6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "READ_REGISTER_UCHAR", - "READ_REGISTER_USHORT", - "READ_REGISTER_ULONG", - "WRITE_REGISTER_UCHAR", - "KeQuerySystemTime", - "KeDelayExecutionThread", - "IofCompleteRequest", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "DbgPrint", - "ZwUnmapViewOfSection", + "PsGetVersion", "IoCreateSymbolicLink", - "RtlInitUnicodeString", "IoCreateDevice", - "WRITE_REGISTER_USHORT", + "KeTickCount", + "KeBugCheckEx", + "IofCompleteRequest", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ProbeForWrite", "IoDeleteDevice", - "WRITE_REGISTER_ULONG", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "RtlUnwindEx", + "RtlPcToFileHeader", + "READ_PORT_USHORT", "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "HalTranslateBusAddress", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", "READ_PORT_UCHAR", - "READ_PORT_USHORT" + "HalCallPal", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -39119,24 +25396,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, 
Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -39147,76 +25424,77 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2007-07-03 00:00:00", - "ValidTo": "2008-07-26 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 
CA" } ] } ] }, { - "FileName": "AsIO2.sys", - "MD5": "79329e2917623181888605bc5b302711", - "SHA1": "844d2345bde50bf8ee7e86117cf7b8c6e6f00be4", - "SHA256": "a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6", + "FileName": "cpuz.sys", + "MD5": "c046ca4da48db1524ddf3a49a8d02b65", + "SHA1": "5635bb2478929010693bc3b23f8b7fe5fdbc3aed", + "SHA256": "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c", "Authentihash": { - "MD5": "220f8ab33b94d37e06e465825c05a867", - "SHA1": "06dd63bd069498a712cdfe3d9ac27bfbf5d661f5", - "SHA256": "7ebc5906d7fd9c606dc6ef9b49f3e57b63af838f5807fcdcdd5ff47b5b05e39c" + "MD5": "49da5e87cba74d3bd91bd589e49b0d1a", + "SHA1": "e79179e0a586067e9d9654c2a8dfd45963ddcac3", + "SHA256": "36729c2c714e05ebf9bc7262bc7f0d5d25d9dc9c8e0c4fdce27143bbdd9d9aa7" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2015 CPUID", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", + "PsGetVersion", "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "IofCompleteRequest", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ProbeForWrite", "IoDeleteDevice", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - 
"ZwUnmapViewOfSection", - "MmGetPhysicalAddress", "__C_specific_handler", - "RtlCompareUnicodeString", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "KeBugCheckEx", - "IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "READ_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "READ_PORT_UCHAR", + "HalCallPal", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -39224,109 +25502,102 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "1ce19950e23c975f677b80ff59d04fae", - "SHA1": "4f30f64b5dfcdc889f4a5e25b039c93dd8551c71", - "SHA256": "b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df", + "FileName": "cpuz.sys", + "MD5": "0283b43c6bc965175a1c92b255d39556", + "SHA1": "8325e8d7fd2edc126dcf1089dee8da64e79fb12e", + "SHA256": "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1", "Authentihash": { - "MD5": "cf61dd8f9a187de6219f930866defcbd", - "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", - "SHA256": 
"a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" + "MD5": "b978a03408c0e9ea44ffdeecc35ab83e", + "SHA1": "fed654a9c5f2bf2a1ad9a2e94da162633fb468c5", + "SHA256": "72f9cb24cfa641876f34967b96244259f95987ef24d1d729c0e483b3eb9a2740" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetEvent", - "KeDelayExecutionThread", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", - "RtlGetVersion", - "IoIs32bitProcess", - "ObReferenceObjectByHandle", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "MmIsAddressValid", + "IoGetDeviceObjectPointer", + "MmUnmapIoSpace", + "RtlInitAnsiString", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlUnwind", + "KeTickCount", "KeBugCheckEx", - "DbgPrint", - "RtlCopyUnicodeString", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "HalSetBusDataByOffset", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + 
"KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", "HalGetBusDataByOffset", - "HalTranslateBusAddress" + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { 
@@ -39334,47 +25605,75 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2021-10-22 00:00:00", - "ValidTo": "2024-10-22 23:59:59", - "Signature": 
"1a8b6fd4e11cec34a3dfea314f0d59c6f41c56f76e1ac51f68e0285f1abdbda9e22628939dbd7acdf890d8ff3c7c4fff180c624b8434c6536bb61f1ff459d48a14c001d9d40ff1587cf64ce82edee2a24da8d80cd240e2af6d0e1c61aab24ce95f9c8ef50eeb0e153a343c1279fe6a003c44f3bd3ffa75ffbe314fc13bb36a9bbb3cea6026f5cb582992b016059074e4fcd8c16d4c5e8750bc9a196f94525317febcddb2d0121a235bb95136a0e4fc25611cd2915f4b488b66888168b90824e171d3214480c99fadb7b6c89cafc500eee468cb7faa9c1c1526d224ff389de012480480ced98831c324b129f2df3d3493d002ec8d4725e00eda33994f82493505861f61035c625d1c9ce2c7363799d3f1df9b17712b43cbf4c2027b54c796cbaca6b1523d028291e07774168a976ee3c879c850c1aaf65b1cec5c6dcb445487ab11b3967b8dd7726fe0dc529f7d624346a996adfd9dc6aab808edd9836a93e229ddbba4e8bb1c59719b6ebdcfc74d73f57ed946e936b5659783c199395bd2595458958edde6674bf08b3b650a8aeaa5507053b3f6ee7aedf16f55b849111535ca68ea11a5827551cba28023e230db7a209c763743ea22be0948ecf03d98ed447f66ecb97c0a525eb3b469779f2417f2082c4244b50936a9cb215745c71f3c27c98220f76395ba22a2f921a87655237977febd8b9a1564333af0cdf8e749bce0dd", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "be6fb3b3b33e9108a9a2273d1cf5eb3209a8c3a86ba7d66069393587f6b451b75b327ea15d36b1604aad5509c0ace37fa66e220b35764b9c201169677738c06802d2f798383c256c690898a663b0aeb519491057f9f24149c513abba2a4cab9934a684e5d83a34105fe6681f2b85d5ee06332d1c05c3627758442fd2fc94f5f68bb30f085cb1d31174e1461394aeef7b124291a099654d1103df3deab81e9658b5b5cc817061d688ae39e702f1d0dd420d6de931bed331960e089233b8576482e48d5b769fdfa8df02e1d098912444b324057826e1f72c26f045b2479a9b39eadfd6b2e1bd6db4057ef6b12ca385cad9a7ad82c4414e619f97dfd08a55f59053", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"0bbe02c8838fbf02ab56edabb1e34c19", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO3.sys", - "MD5": "370a4ca29a7cf1d6bc0744afc12b236c", - "SHA1": "cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c", - "SHA256": "c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646", + "FileName": "cpuz.sys", + "MD5": "4a85754636c694572ca9f440d254f5ce", + "SHA1": "dd55015f5406f0051853fd7cca3ab0406b5a2d52", + "SHA256": "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b", "Authentihash": { - "MD5": "2f131a8ffb55f70edd90f4cda9e4f84e", - "SHA1": "4bfc51e23494f7eaf27560f92cd6fbced2ffa4f6", - "SHA256": "9b1af050481bda270a08ae873224a142c8b2119eeda59d3a04b1f6d66715a8c8" + "MD5": "3a19663e83c3569a86812ef915de52bc", + "SHA1": "cd9a022e078eaa2364155e00942edbecb85619b0", + "SHA256": "8d3ed9427dcc4f79be3585d41ab9c0bb447d6a0258dd919c4d49e02dedbaa47b" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -39382,34 +25681,32 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "MmMapIoSpace", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", + "MmIsAddressValid", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "__C_specific_handler", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -39417,68 +25714,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "asio.sys", - "MD5": "68726474c69b738eac3a62e06b33addc", - "SHA1": "8453fc3198349cf0561c87efc329c81e7240c3da", - "SHA256": "c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2", + "FileName": "cpuz.sys", + "MD5": "8741e6df191c805028b92cec44b1ba88", + "SHA1": "ba0938512d7abab23a72279b914d0ea0fb46e498", + "SHA256": "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775", "Authentihash": { - "MD5": "9f79edf758e219929902ec7564e0f435", - "SHA1": "c92148d0666f2235500805975be79738b84e48c2", - "SHA256": "19c74ea0e0baf04820e5642bd2fa224158801ed966be1041539e3c55bd65c471" + "MD5": "a67c91579145d058cf7cd3f8f60bf613", + "SHA1": "cb981516b9979025669c080a74c9308dca04963a", + "SHA256": "02fcbc5372c9bf31903376bde11d558ab7c7f13bde005120e24bdb1aef5d0134" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -39486,20 +25783,32 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "ZwClose", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", "IoDeleteSymbolicLink", - "KeDelayExecutionThread", - "HalTranslateBusAddress" + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -39507,24 +25816,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -39535,40 +25844,47 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2008-07-22 00:00:00", - "ValidTo": "2009-07-31 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "a59808b35f916a1201f0987b958aaaf50b81f3e507cf9d1b902bc22787244617e38069e4ca74bcf505dfdfeb6bad8bee2ecba26a428c2b26c9b9987241b50ccfd895a7335b35534c5569fdef2554d773cb3b20f10e08eeff2701d2a3e8ef7c5bb759baf1995d1580dce4f0c5da90eff4f07e01e7c9273b24c14c514f2ae1d1fe940dd53bfa25572cd6f3c007c7f21aebc58ea32ca3aea83c731419c9dcc191158cbb52b0b70545a16c9b42aadd4dcb167443d6c15fa03ae7f6f0f644845a69cb8badb3f143fd916a70c5008c3486d1f0cc8e0527f76da5aeaca4925f6eb6861dd54e1ce8b80e6b000446d77ac8bd0299e38db3b8e4a9c43294367cd6a55351d0", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"37ed9092bdd1dccf58d2afa47f961448", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "AsIO3_64.sys", - "MD5": "d5556c54c474cf0bff25804bfbe788d3", - "SHA1": "c71597c89bd8e937886e3390bc8ac4f17cdeae7c", - "SHA256": "fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91", + "FileName": "cpuz.sys", + "MD5": "bf581e9eb91bace0b02a2c5a54bf1419", + "SHA1": "13df48ab4cd412651b2604829ce9b61d39a791bb", + "SHA256": "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2", "Authentihash": { - "MD5": "d9af966d89c5f045997042d35b9a7b91", - "SHA1": "b6f1e92a8452c2aec22aaa7657e92d2aa48b3055", - "SHA256": "26b8e689a13d3434951559cff24fcfe55edeb7b78c7cc16db1a273c90aa694c1" + "MD5": "b2c31454c057d73fb6d240356a32f8f1", + "SHA1": "f965db8fa1ef4ce0a738aad55d82c0cf63a47915", + "SHA256": "16398965e9cea179b2e5ca884e3af032dece08d4ef33bdd83234ee441d71a5fa" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2015 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -39576,40 +25892,32 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetEvent", - "KeDelayExecutionThread", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", "IofCompleteRequest", - "IoCreateDevice", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", - "RtlGetVersion", - "IoIs32bitProcess", - "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", - "DbgPrint", - "RtlCopyUnicodeString", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "HalTranslateBusAddress" + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -39617,108 +25925,91 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2021-10-22 00:00:00", - "ValidTo": "2024-10-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, 
CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "asio.sys" - ] - }, - { - "Id": "b51656eb-c7b6-43ae-95df-e96ebd326044", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create segwindrvx64.sys binPath=C:\\windows\\temp\\segwindrvx64.sys type=kernel && sc.exe start segwindrvx64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "segwindrvx64.sys", - "MD5": "bdc3b6b83dde7111d5d6b9a2aadf233f", - "SHA1": "2ade3347df84d6707f39d9b821890440bcfdb5e9", - "SHA256": "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2", + "FileName": "cpuz.sys", + "MD5": "94ccef76fda12ab0b8270f9b2980552b", + "SHA1": "e4cbb48aa1aff6cf4ea94ef3b7afb6c245ac47e8", + "SHA256": "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126", "Authentihash": { - "MD5": "9eea185193b6357a2bd97455572b650c", - "SHA1": "4ac29762ab2ad025a13a1e8cf7af9b7f4c875aac", - "SHA256": "ca213b79336c69128620bc39e6d987c1e605299fb6525344ba1b08b7829197c7" + "MD5": "ac9131c2fc8e77ef414ad451d35e4d1e", + "SHA1": "7b63ad1179825964aae9d1486fefed1b8f26a8a8", 
+ "SHA256": "1a8a5aebf83d1fa6daf74e48fc600e22b8fdceafb5dd7c7e14db2aa2a28e8c24" }, - "Description": "SEG Windows Driver x64", - "Company": "Insyde Software Corp.", - "InternalName": "segwindrvx64.sys", - "OriginalFilename": "segwindrvx64.sys", - "FileVersion": "100, 0, 7, 0", - "Product": "SEG Windows Driver x64", - "ProductVersion": "100, 0, 7, 0", - "Copyright": "Copyright (c) 2012 - 2014, Insyde Software Corp. All Rights Reserved.", + "Description": "CPUID Driver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. All rights reserved.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", + "KeWaitForSingleObject", + "PsGetVersion", "MmUnmapIoSpace", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemorySpecifyCache", + "IoBuildDeviceIoControlRequest", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IofCompleteRequest", - "MmGetPhysicalAddress", - "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "IofCallDriver", + "IoGetDeviceObjectPointer", "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", + "IoDeleteDevice", + "MmMapIoSpace", + "KeBugCheckEx", "RtlInitAnsiString", - "RtlFreeAnsiString", - "ExAllocatePool", - "RtlCopyString", - "RtlEqualString", - "RtlCompareMemory", "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "KeBugCheckEx" + "KeInitializeEvent", + 
"RtlUnwindEx", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -39726,24 +26017,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2007-02-08 00:00:00", + "ValidTo": "2009-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -39752,133 +26050,86 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Insyde Software Corp., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Insyde Software Corp.", - "ValidFrom": "2012-12-28 00:00:00", - "ValidTo": "2016-01-27 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0355af7ef9418e476d877eecd9f9e9e2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "segwindrvx64.sys" - ] - }, - { - "Id": "010870ad-c19b-498a-9018-70dc0c7ac3bd", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", 
- "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsUpIO.sys binPath=C:\\windows\\temp\\AsUpIO.sys type=kernel && sc.exe start AsUpIO.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "AsUpIO.sys", - "MD5": "6d4159694e1754f262e326b52a3b305a", - "SHA1": "d5fd9fe10405c4f90235e583526164cd0902ed86", - "SHA256": "b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "9b157f1261a8a42e4ef5ec23dd4cda9e", + "SHA1": "99bd8c1f5eeedd9f6a9252df5dbd0e42ef5999a4", + "SHA256": "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88", "Authentihash": { - "MD5": "3e6db96f242c0c3115075add7d7847a0", - "SHA1": "c5da546e0af6119f033a5d4ed79e7f5d90c004ff", - "SHA256": "70870e20f563899e4f05be2d0049cb495552b409ca7f4729a335bcbfffc3f47c" + "MD5": "99cba45243e4a9e5999224b5719ccc2d", + "SHA1": "43ffee630881d6ae82640c59c674e9ee57cb5eac", + "SHA256": "94f39e23194d01698b2d8e7bb1c212bf192e81df59766d4adf5f7e33bbe13181" }, - "InternalName": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2015 CPUID", + 
"MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", + "IofCompleteRequest", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", + "ObfDereferenceObject", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "MmUnmapIoSpace", + "MmMapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest", - "KeDelayExecutionThread", - "HalTranslateBusAddress" + "RtlUnwind", + "KeTickCount", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlInitAnsiString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "KeStallExecutionProcessor", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "READ_PORT_UCHAR" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -39889,405 +26140,231 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "AsUpIO.sys" - ] - }, - { - "Id": "1c7631f0-f92f-4be5-8ba7-3eefb0601d45", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create LHA.sys binPath=C:\\windows\\temp\\LHA.sys type=kernel && sc.exe start LHA.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "LHA.sys", - "MD5": "748cf64b95ca83abc35762ad2c25458f", - "SHA1": "fcd615df88645d1f57ff5702bd6758b77efea6d0", - "SHA256": "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "LG Electronics Inc.", - "Description": "LHA", - "Product": "Microsoft® Windows® Operating System", - "ProductVersion": "6.1.7600.16385", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "LHA.sys", + "FileName": "cpuz.sys", + "MD5": "5212e0957468d3f94d90fa7a0f06b58f", + "SHA1": "ad1616ea6dc17c91d983e829aa8a6706e81a3d27", + "SHA256": 
"955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad", "Authentihash": { - "MD5": "8a3fb969d6edfb9a860e13a556a9d64f", - "SHA1": "d9cf173dd75bf410c2f7f35247cd4db186af9a41", - "SHA256": "fe14940b5d3068b7ceffd28a529196811f1d0e175522f4dfab26573e7aca0bb4" + "MD5": "9b4bb5dc9df3edd0d7d859629c80c2dc", + "SHA1": "706789b1bf76e4d337957a36d60b96b7743f9f62", + "SHA256": "eb6807c46e2d4808f07cca9242e7a59393fdab6ccf4da1aec124ef2a34398d43" }, - "InternalName": "LHA.sys", - "Copyright": "ultrabios@hotmail.com", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "IoFreeWorkItem", - "KeReleaseSpinLock", + "KeInitializeEvent", + "RtlInitAnsiString", "MmUnmapIoSpace", - "MmFreeNonCachedMemory", - "MmGetPhysicalAddress", - "IoAllocateWorkItem", - "MmMapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "KeAcquireSpinLockRaiseToDpc", - "ExUnregisterCallback", - "PoRegisterPowerSettingCallback", - "ExRegisterCallback", + "MmIsAddressValid", "ObfDereferenceObject", - "IoQueueWorkItem", - "ExCreateCallback", - "DbgPrint", - "IoWMIQueryAllData", - "MmGetSystemRoutineAddress", + "IoCreateDevice", + "IofCallDriver", "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", "ExAllocatePoolWithTag", - "MmAllocateNonCachedMemory", - "IoCreateDevice", - "ZwClose", - "ObOpenObjectByPointer", - "ZwSetSecurityObject", - "IoDeviceObjectType", 
- "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor" + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-09-06 21:30:32", - "ValidTo": "2019-09-06 21:30:32", - "Signature": "a5a2a99a97df110e18898e98fd07aaa52616e13f9c681d0f99cbafcb2914dd7a56a8324ab1fa926b26b9c5c87fd653c193cac3773f7750425d2090034461012f476d77005a079f2883e4cfa8b1dbab735f086c9692b3f6f53efb5db881bd94cdbda4c4c9597026a8fbf1eed41bf628879156fcacae96e751d4fe117f0f6dc985ef3bd72a7bd299bd507633600c9df2f92306fe4833a8d784019dbe8baaaa06fddae1d5066677c9bcce6506e6ebe455cc9f46b1e6e9d77f2a82159b2aac861eeb400de3dcef2bdfa85e0dc51628945f14b3f44340ba9f2a3af7ef1bf24f372b3a0d0fef4baafb86cf3ba43f29030b891d4b46b4ccb29b00506dc0ee0e44959f8369fc9e0fd4bc5fa12159a4cd6db8f9af57353c132654278784509635cf5e020c43757525a4d3dcbbd532986b46b2efaa2b6b3a00aa8d44cd0546efddb6ab2e30ccf75aba4bc8d9249262e408516b89cdd58c55b9af18baeb0201f7732724b4d3ca0c74ebc4afa19bb5583f948e9619232ece825e09465fdab93f6fe6ed0590d08435879ac1ba3cf41a8c4a8f5fea6a50e84a21a5ca38414e85de3867f4bce967cb45b62335b7416a0fdc08c1e3c049e85ef944f438e5f1296a659ff8e01a170001751f92b395bd7c9b4f33106a708a005c16c2b5439bac392253e1bcfbcb545d5f6243466205655a2e496098b9045d605b632b8f98d29f
51e27e62fe63a4e8f2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000253a2738690a3451c1000000000025", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "LHA.sys" - ] - }, - { - "Id": "81a73e57-2e92-4d21-97d3-1c21eb4c3aea", - 
"Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create LenovoDiagnosticsDriver.sys binPath=C:\\windows\\temp\\LenovoDiagnosticsDriver.sys type=kernel && sc.exe start LenovoDiagnosticsDriver.sys", - "Description": "The aforementioned driver has been identified as vulnerable to CVE-2022-3699", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://nephosec.com/cve-2022-3699-lenovo-diagnostics-driver-eop-arbitrary-r-w/", - "https://github.com/alfarom256/CVE-2022-3699", - "https://support.lenovo.com/us/en/product_security/LEN-94532" - ], - "Acknowledgement": { - "Person": "Mike Alfaro", - "Handle": "alfarom256" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "LenovoDiagnosticsDriver.sys", - "MD5": "b941c8364308990ee4cc6eadf7214e0f", - "SHA1": "b89a8eef5aeae806af5ba212a8068845cafdab6f", - "SHA256": "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe", - "Signature": [ - "Lenovo", - "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "DigiCert Trusted Root G4" - ], - "Date": "", - "Publisher": "", - "Company": "Lenovo Group Limited (R)", - "Description": "Lenovo Diagnostics Driver for Windows 10 and later.", - "Product": "Lenovo Diagnostics", - "ProductVersion": "1.0.4.0", - "FileVersion": "1.0.4.0", - "MachineType": "AMD64", - "OriginalFilename": "LenovoDiagnosticsDriver.sys", + "FileName": "cpuz.sys", + "MD5": "56b54823a79a53747cbe11f8c4db7b1e", + "SHA1": "1d9fd846e12104ae31fd6f6040b93fc689abf047", + "SHA256": 
"9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c", "Authentihash": { - "MD5": "56b6144e389ce3b1e2a0a96a954aa7d8", - "SHA1": "6d9543725aca0c9c8f403425952692ccc1d2d7f2", - "SHA256": "34e6a56c60746c51034b45a7b2a36617205b598d0bbcc695f92404605a0975d5" + "MD5": "c8b8d6e4b9b4f42714f3abfb66880ccf", + "SHA1": "5848f7c4dadcb1ea16f4d9e533a84a6d6f522f8b", + "SHA256": "057e45b47fe0ca96fe3741058bc4365c9a866dff925cab8cfea4c161b990e8e2" }, - "InternalName": "LenovoDiagnosticsDriver.sys", - "Copyright": "© 2021 Lenovo Group Limited. All rights reserved.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapIoSpace", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "MmGetSystemRoutineAddress", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "MmMapIoSpace", "ExFreePoolWithTag", - "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", - "ObOpenObjectByPointer", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", + "DbgPrint", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", "ExAllocatePoolWithTag", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - 
"RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "RtlGetOwnerSecurityDescriptor", - "DbgPrintEx", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=North Carolina, L=Morrisville, O=Lenovo, OU=G14, CN=Lenovo", - "ValidFrom": "2021-11-22 00:00:00", - "ValidTo": "2022-03-30 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { - 
"SerialNumber": "01d4b02045832881e2d7530641135991", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" - } - ] - } - ] - } - ], - "Tags": [ - "LenovoDiagnosticsDriver.sys" - ] - }, - { - "Id": "0fc0563c-de9f-41d8-806a-748e04d57365", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create gftkyj64.sys binPath=C:\\windows\\temp\\gftkyj64.sys type=kernel && sc.exe start gftkyj64.sys", - "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. 
", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "gftkyj64.sys", - "MD5": "04a88f5974caa621cee18f34300fc08a", - "SHA1": "a804ebec7e341b4d98d9e94f6e4860a55ea1638d", - "SHA256": "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c", - "Signature": [ - "北京东方海达网络科技有限责任公司", - "Sectigo Public Code Signing CA R36", - "Sectigo Public Code Signing Root R46", - "Sectigo (AAA)" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "4252d83e18ad41f0cea7ac168218d95b", - "SHA1": "cf9cb05c9b725efca68c4b7d6f53c8e233217ac4", - "SHA256": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "rand", - "srand", - "RtlInitUnicodeString", - "RtlGetVersion", - "KeDelayExecutionThread", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExSystemTimeToLocalTime", - "MmGetSystemRoutineAddress", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoGetCurrentProcess", - "ObReferenceObjectByHandleWithTag", - "ObfDereferenceObject", - "ObfDereferenceObjectWithTag", - "MmIsAddressValid", - "PsGetProcessExitStatus", - "PsIsThreadTerminating", - "PsLookupProcessByProcessId", - "PsLookupThreadByThreadId", - "PsGetThreadProcess", - "PsIsSystemThread", - "ObOpenObjectByPointerWithTag", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ + "Subject": 
"C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { - "Subject": "C=CN, ST=guangdong, L=zhuhai, O=Zhuhai liancheng Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Zhuhai liancheng Technology Co., Ltd.", - "ValidFrom": "2013-02-04 00:00:00", - "ValidTo": "2014-02-04 23:59:59", - "Signature": "6eb0af9de955b9bd1bda967942685c5b630bf60dd0be149178bce893c7c32039076006dd75f9655b497470e44e7954cd89fe4ee04a580992f0ee9268e8129afcf0b58519158d6864e56caa6e78d66b0278a86083b751cf8a030ba0139969509259e5d1ea91dc593e1d093fb5e4ebabe1a38359d920acb85f9c02f6939096522b010158d086bc5ff52bbe2be1ab364ca496ed5a3ac72531274daf4e808d483686118d6132d2b98018074a0e989eed4f43fe28298363e05e9c3cace4a954525ac021e0b10445e09a3528eff35b525e7cca44332744aa81b41dd4244ec54da168b2f1026a23ca9b9929199f037689956b69c21ca77e6605483439670dcf9baf2991", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -40300,733 +26377,432 @@ ], "Signer": [ { - "SerialNumber": "627dfdf73a1455de5143a270799e6b7b", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "gftkyj64.sys" - ] - }, - { - "Id": "4e5064b4-48d3-418c-a7a8-f0dc7ac0a176", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create MsIo32.sys binPath=C:\\windows\\temp\\MsIo32.sys type=kernel && sc.exe start MsIo32.sys", - "Description": "The MsIo64.sys and MsIo32.sys drivers in Patriot Viper RGB before 1.1 allow local users (including low integrity processes) to read and write to arbitrary memory locations, and consequently gain NT AUTHORITY\\SYSTEM privileges, by mapping \\Device\\PhysicalMemory into the calling process via ZwOpenSection and ZwMapViewOfSection.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845", - "http://blog.rewolf.pl/blog/?p=1630", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "MsIo32.sys", - "MD5": "d9e7e5bcc5b01915dbcef7762a7fc329", - "SHA1": "e6305dddd06490d7f87e3b06d09e9d4c1c643af0", - "SHA256": "525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd", - "Signature": [ - "MICSYS Technology Co., Ltd.", - "Symantec Class 3 Extended Validation Code Signing CA - G2", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - 
"ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "29872c7376c42e2a64fa838dad98aa11", + "SHA1": "8ec28d7da81cf202f03761842738d740c0bb2fed", + "SHA256": "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4", "Authentihash": { - "MD5": "6491c34f274a0ed6258fadca85bd69fb", - "SHA1": "7e732acb7cfad9ba043a9350cdeff25d742becb8", - "SHA256": "7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027" + "MD5": "3c2269699f0187275c2b144f9b60d5e6", + "SHA1": "69aabc267344bd9f98bd2fddc7213de735ba79d7", + "SHA256": "2fb8f2a0a32f2e73921a16a7836ff14122da45582aae742e6afd4d7ca15b3da3" }, - "InternalName": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2016 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoCreateDevice", "ObfDereferenceObject", - "IoDeleteDevice", - "HalTranslateBusAddress" + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": 
"", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Taiwan, ??=New Taipei City, ??=Private Organization, serialNumber=84948057, C=TW, ST=Taiwan, L=New Taipei City, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", - "ValidFrom": "2017-09-14 00:00:00", - "ValidTo": "2018-09-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "48e28f46a3e4ac760dfa9a58fa6c6363", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "MsIo32.sys" - ] - }, - { - "Id": "2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create mhyprot3.sys binPath=C:\\windows\\temp\\mhyprot3.sys type=kernel && sc.exe start mhyprot3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "mhyprot3.sys", - "MD5": "5cc5c26fc99175997d84fe95c61ab2c2", - "SHA1": "a197a02025946aca96d6e74746f84774df31249e", - "SHA256": "475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a", - "Signature": [ - "miHoYo Co.,Ltd.", - "DigiCert SHA2 Assured ID Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "557fd33ee99db6fe263cfcb82b7866b3", + "SHA1": "0a6e0f9f3d7179a99345d40e409895c12919195b", + "SHA256": "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399", "Authentihash": { - "MD5": "7ce959fb5b40f1ba40bcac22c8d95c75", - "SHA1": "82fe9b69f358ef5851eeaa26a9a03f2e1b231358", - "SHA256": "aac86a3143de3e18dea6eab813b285da0718e9fb6bc0bbb46c6e7638476061d8" + "MD5": "b8844b695f5170c70ac66f95324f836a", + "SHA1": "195024cc4a4adea16e6c2df8f2f8489a28f36beb", + "SHA256": "66cc007348a41fb33fab59f5ea265006534ba82db4eb7327039cbe2b4ce7e077" }, - "InternalName": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2012 CPUID", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExReleaseFastMutex", - "ObfDereferenceObject", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "RtlInitUnicodeString", - "KeSetEvent", - "KeEnterCriticalRegion", - 
"KeLeaveCriticalRegion", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExInitializeResourceLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "IofCompleteRequest", - "IoCreateDevice", + "PsGetVersion", "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "IofCompleteRequest", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ProbeForWrite", "IoDeleteDevice", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "ObReferenceObjectByHandle", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "MmIsAddressValid", - "PsGetCurrentProcessId", - "MmCopyVirtualMemory", - "vsprintf_s", - "swprintf_s", - "ExEventObjectType", - "_wcsicmp", - "RtlInitString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ObReferenceObjectByName", - "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", - "ExAcquireFastMutex", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", - "ZwQueryObject", - "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", - "MmProbeAndLockPages", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "KeClearEvent", - "MmMapLockedPages", - "PsSetCreateProcessNotifyRoutineEx", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "RtlUpcaseUnicodeChar", - "DbgPrint", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", - "PsGetProcessId", - "IoThreadToProcess", - "strcmp", - "PsProcessType", - "PsThreadType", - "RtlEqualUnicodeString", - "RtlGetVersion", - 
"ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - "PsAcquireProcessExitSynchronization", - "PsReleaseProcessExitSynchronization", - "_snprintf", - "ZwCreateFile", - "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "RtlCopyUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePool", - "KeInitializeEvent", - "MmGetSystemRoutineAddress", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "RtlUnwindEx", + "RtlPcToFileHeader", + "READ_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "READ_PORT_UCHAR", + "HalCallPal", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_USHORT", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": 
"1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-04 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "053ad4f9ee8438ef1662ab8d599213ba", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "mhyprot3.sys" - ] - }, - { - "Id": "205721b7-b83b-414a-b4b5-8bacb4a37777", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create elrawdsk.sys binPath=C:\\windows\\temp\\elrawdsk.sys type=kernel && sc.exe start elrawdsk.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://securelist.com/shamoon-the-wiper-further-details-part-ii/57784/", - "https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Shamoon.yar", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "elrawdsk.sys", - "MD5": "1493d342e7a36553c56b2adea150949e", - "SHA1": "ce549714a11bd43b52be709581c6e144957136ec", - "SHA256": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6", - "Signature": [ - "EldoS Corporation", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "EldoS Corporation", - "Description": "RawDisk Driver. 
Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later.", - "Product": "RawDisk", - "ProductVersion": "2, 1, 27, 0", - "FileVersion": "2, 1, 27, 106", - "MachineType": "I386", - "OriginalFilename": "elrawdsk.sys", + "FileName": "cpuz.sys", + "MD5": "c516acb873c7f8c24a0431df8287756e", + "SHA1": "f6f7b5776001149496092a95fb10218dea5d6a6b", + "SHA256": "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa", "Authentihash": { - "MD5": "20f14b58e9548b6ea99b35006f631197", - "SHA1": "174bd2e0965b996cff4a26ac511e551788fbc894", - "SHA256": "98a55dc61046f4509d2465cbc373a9391c07125e5f4a242d2f475f14f32e5430" + "MD5": "a14a1ba39405f52d67d289b65f0c7eb9", + "SHA1": "11172e3f08444d643f277be83aaabe9f2aea74ca", + "SHA256": "3ce4a30668938fb7785c9958772e3c171af320ecfea8fc298160e80fbf80fb73" }, - "InternalName": "elrawdsk.sys", - "Copyright": "Copyright (C) 2007-2011, EldoS Corporation ", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2017 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnlockPages", - "KeSetEvent", - "IoDeleteDevice", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "RtlPrefixUnicodeString", - "FsRtlIsNtstatusExpected", - "MmProbeAndLockPages", - "ExRaiseStatus", - "IoAllocateMdl", - "MmMapLockedPagesSpecifyCache", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", + "IoDeleteDevice", "KeInitializeEvent", - "ExAllocatePoolWithTag", - "memcpy", - "ZwClose", - "ObfDereferenceObject", - "ObQueryNameString", - "ObReferenceObjectByHandle", - "IoFileObjectType", - "ZwOpenFile", - "RtlAppendUnicodeStringToString", - "KeUnstackDetachProcess", - "MmSystemRangeStart", - 
"KeStackAttachProcess", - "ZwQueryInformationProcess", - "ObOpenObjectByPointer", - "PsLookupProcessByProcessId", - "IoBuildAsynchronousFsdRequest", - "IoBuildSynchronousFsdRequest", - "IoFreeMdl", - "PsGetCurrentProcessId", - "KeQuerySystemTime", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "KeWaitForSingleObject", "PsGetVersion", - "MmGetSystemRoutineAddress", "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", - "ObfReferenceObject", - "IoGetAttachedDevice", - "memset", - "KeLeaveCriticalRegion", - "ExReleaseFastMutexUnsafe", - "IoGetRelatedDeviceObject", - "ExAcquireFastMutexUnsafe", - "KeEnterCriticalRegion", - "KeGetCurrentThread", - "ZwCreateFile", - "IoAllocateIrp", - "IoReuseIrp", - "KeResetEvent", - "CcPurgeCacheSection", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "CcFlushCache", - "_allrem", - "RtlCompareMemory", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeTickCount", - "ExFreePoolWithTag", - "IoFreeIrp", - "RtlCompareUnicodeString", - "IofCompleteRequest", - "RtlUnwind", + "IofCallDriver", "KeBugCheckEx", - "KeGetCurrentIrql" + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=VG, O=EldoS Corporation, CN=EldoS Corporation, emailAddress=info@eldos.com", - "ValidFrom": "2010-01-11 14:19:26", - "ValidTo": "2013-01-11 14:19:23", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary 
Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 13:00:00", - "ValidTo": "2017-01-27 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 10:00:00", - "ValidTo": "2017-01-27 10:00:00", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "010000000001261dec28f7", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + 
"SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "elrawdsk.sys", - "MD5": "76c643ab29d497317085e5db8c799960", - "SHA1": "1292c7dd60214d96a71e7705e519006b9de7968f", - "SHA256": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", - "Signature": [ - "EldoS Corporation", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "EldoS Corporation", - "Description": "RawDisk Driver. Allows write access to files and raw disk sectors for user mode applications in Windows 2000 and later.", - "Product": "RawDisk", - "ProductVersion": "2, 1, 27, 0", - "FileVersion": "2, 1, 27, 106", - "MachineType": "AMD64", - "OriginalFilename": "elrawdsk.sys", + "FileName": "cpuz.sys", + "MD5": "641243746597fbd650e5000d95811ea3", + "SHA1": "da42cefde56d673850f5ef69e7934d39a6de3025", + "SHA256": "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e", "Authentihash": { - "MD5": "c1afcba807a13aa25a0b363a22c760d6", - "SHA1": "8422fb53e48b27a42cc7595ca7c7ae0597168db6", - "SHA256": "29a2ae6439381ea2aa3116df7025cbb5c6c7c07cc8d19508e6021e4d6177a565" + "MD5": "560b782df855c5ea30b76ee4a9930d28", + "SHA1": "6423659ab76fad7627fd7fb16f05a40b8df8da4d", + "SHA256": "62daa7ab93684d935cdada8af43cba552d7692cb992411d27ba1ee50a9fb1883" }, - "InternalName": "elrawdsk.sys", - "Copyright": "Copyright (C) 2007-2011, EldoS Corporation ", + "Description": "CPUID Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "6.1.7600.16385", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmSystemRangeStart", - "ExAllocatePoolWithTag", - "ExRaiseStatus", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "PsLookupProcessByProcessId", - "IoBuildSynchronousFsdRequest", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", "IoDeleteDevice", - "KeSetEvent", - "MmGetSystemRoutineAddress", + "ProbeForWrite", "KeInitializeEvent", - "RtlUnicodeStringToAnsiString", - "IoFreeMdl", - "KeUnstackDetachProcess", - "MmMapLockedPagesSpecifyCache", - "IoBuildAsynchronousFsdRequest", - "RtlPrefixUnicodeString", - "ZwClose", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", "IofCompleteRequest", - "ObReferenceObjectByHandle", "KeWaitForSingleObject", - "IoFreeIrp", - "RtlFreeAnsiString", - "MmProbeAndLockPages", "PsGetVersion", - "RtlCompareUnicodeString", - "MmUnlockPages", - "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "PsGetCurrentProcessId", + "MmIsAddressValid", "ObfDereferenceObject", "IoCreateDevice", - "ZwOpenFile", - "FsRtlIsNtstatusExpected", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "IoAllocateMdl", "IofCallDriver", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "IoGetAttachedDevice", - "IoGetRelatedDeviceObject", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "ObfReferenceObject", - "ExAcquireResourceExclusiveLite", - "IoReuseIrp", - "KeResetEvent", - "CcPurgeCacheSection", - "CcFlushCache", - "ZwCreateFile", - "ExReleaseResourceLite", - "IoAllocateIrp", - "RtlCompareMemory", - "MmUnmapIoSpace", - "MmMapIoSpace", "KeBugCheckEx", - "__C_specific_handler" + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + 
"HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=VG, O=EldoS Corporation, CN=EldoS Corporation, emailAddress=info@eldos.com", - "ValidFrom": "2010-01-11 14:19:26", - "ValidTo": "2013-01-11 14:19:23", - "Signature": "02e496d4ad814ccf3a1e36f654112f8d27e3f3d9f1a76d22a2d90a15831a2721855c856b0d4b0da22f4e7a457089388ae61fbf0c016ded274f670b0f8a87ebc99dc124971ed3238238af3eaa8b408829e24fb20741c463d2bcff0695b323a7fb8653e02a3617823b33edbed0bae42aa0a3b986c97ef215d05658743164fd3b9758d3d6c52d06f644b15f9429be0d070fcc8390cc800d2a25fc0847389839edf162d11715a2d9d75e48553f76a06256a43e29635f8ef9a9051afb7b4fbf7b3ce6bb6318b37ce0339a84aec6d190ae791a1c91337cf31562728b9ca303e2d36e3cc6a0d1b9e4ae5f01b9b87ca4b6e739e8c47240513767ca0ffd538f7f657166b6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 13:00:00", - "ValidTo": "2017-01-27 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 10:00:00", - "ValidTo": "2017-01-27 10:00:00", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 
17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "010000000001261dec28f7", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "elrawdsk.sys" - ] - }, - { - "Id": "c98af16e-197f-4e66-bf94-14646bde32dd", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create CupFixerx64.sys binPath=C:\\windows\\temp\\CupFixerx64.sys type=kernel && sc.exe start CupFixerx64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "CupFixerx64.sys", - "MD5": "2b3e0db4f00d4b3d0b4d178234b02e72", - "SHA1": "622e7bffda8c80997e149ac11492625572e386e0", - "SHA256": "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9", + "FileName": "cpuz.sys", + "MD5": "a453083b8f4ca7cb60cac327e97edbe2", + "SHA1": "53f7fc4feb66af748f2ab295394bf4de62ae9fcc", + "SHA256": "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26", "Authentihash": { - "MD5": "94821717c66d8a47853a8db22f0616bb", - "SHA1": "550937d17cfe9662abc8bd45f6bb58e159fc505a", - "SHA256": "8aba8df5a1aa3f14551047c8c9dea2b2d5867f2ad4dec89b53530c96a13c84db" + "MD5": "b3bf90b99dec81a927b9fa8467d20e11", + "SHA1": "0632e0c8fdb6e629fd2efa5ccdf4a8415131bc58", + "SHA256": "536333c1fb9066a12c7791b740fcf637f6f86b45bd57baf0f27ae33c3b6c6cf1" }, - 
"Description": "Sincey Cup Fixer", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "CupFixerx64.sys", - "OriginalFilename": "CupFixerx64.sys", - "FileVersion": "32.0.10011.13337", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "32.0.10011.13337", - "Copyright": "© Microsoft Corporation. All rights reserved.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2013 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -41034,36 +26810,33 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetPhysicalAddress", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "KeLowerIrql", - "MmBuildMdlForNonPagedPool", - "MmMapIoSpace", + "KeInitializeEvent", + "RtlInitAnsiString", "MmUnmapIoSpace", - "ObReferenceObjectByHandle", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "KeWaitForSingleObject", "PsGetVersion", - "ExAllocatePoolWithQuotaTag", - "ZwQuerySystemInformation", - "KfRaiseIrql", - "RtlCompareMemory", - "HalTranslateBusAddress" + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -41071,24 +26844,38 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", - "ValidFrom": "2022-08-01 00:00:00", - "ValidTo": "2031-11-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=Shanghai, L=Shanghai, O=Xinyi Electronic Technology (Shanghai) Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Xinyi Electronic Technology (Shanghai) Co., Ltd.", - "ValidFrom": "2013-11-22 00:00:00", - "ValidTo": "2014-11-22 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
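Review bot: The Subject strings added in this hunk look like they went through a hyphen-to-comma rewrite — `CN=Symantec Time Stamping Services CA , G2`, `CN=VeriSign Class 3 Public Primary Certification Authority , G5`, `OU=Digital ID Class 3 , Microsoft Software Validation v2` — whereas the certificates these describe are, to my recollection, named with `- G2`, `- G5` and `Class 3 - Microsoft Software Validation v2`. If anything in this package compares these DN strings against what a signature parser returns, the comparison will never match, so the field should either be normalised before embedding or documented at the loader as display-only. The same artefact appears in the Issuer strings of the Signer objects in the neighbouring hunks (e.g. the `Issuer` line at L1185) and is presumably inherited from the upstream export rather than introduced by this commit.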
@@ -41097,162 +26884,70 @@ "ValidTo": "2020-02-07 23:59:59", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", - "ValidFrom": "2022-03-23 00:00:00", - "ValidTo": "2037-03-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2", - "ValidFrom": "2022-09-21 00:00:00", - "ValidTo": "2033-11-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "484b80a0e26c94f777323859a79adec5", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "CupFixerx64.sys" - ] - }, - { - "Id": "cacc48e6-6ed8-431c-abee-88ee6c2dc3c1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create nt2.sys binPath=C:\\windows\\temp \\n \\n \\n t2.sys type=kernel && sc.exe start nt2.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": 
"nt2.sys", - "SHA256": "cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "nt2.sys" - ] - }, - { - "Id": "d0048840-970f-4ad5-9a07-1d39469d721f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create asmmap64.sys binPath=C:\\windows\\temp\\asmmap64.sys type=kernel && sc.exe start asmmap64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "asmmap64.sys", - "MD5": "4c016fd76ed5c05e84ca8cab77993961", - "SHA1": "00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b", - "SHA256": "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "ASUS", - "Description": "Memory mapping Driver", - "Product": "ATK Generic Function Service", - "ProductVersion": "1, 0, 9, 0", - "FileVersion": "1, 0, 9, 1", - "MachineType": "AMD64", - "OriginalFilename": "asmmap.sys", + } + ] + } + ] + }, + { + "FileName": "cpuz.sys", + "MD5": "07493c774aa406478005e8fe52c788b2", + "SHA1": "34a07ae39b232cc3dbbe657b34660e692ff2043a", + "SHA256": "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98", "Authentihash": { - "MD5": "882ef4da71bcb67204bdec731afe1c94", - "SHA1": "734f215383ef61350c2da97dea53589ede21a3d2", - "SHA256": 
"ab300e7e0d5d540900dbe11495b8d6788039d1cffb22e2dc2304b730a71eec97" + "MD5": "63e4ba0a05ddac75e9f2b90c28291331", + "SHA1": "34c6aeb2bc32ff8da525641af75ff600e7249252", + "SHA256": "653601cf8c3c2c4b778f9025d4e964c887966cc3216bb35a73a3ae75477b4476" }, - "InternalName": "asmmap.sys", - "Copyright": "Copyright (C) 2009", + "Description": "CPUID Driver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPages", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmGetPhysicalAddress", - "ZwUnmapViewOfSection", + "KeWaitForSingleObject", + "PsGetVersion", + "MmUnmapIoSpace", + "IoBuildDeviceIoControlRequest", "IoDeleteSymbolicLink", - "IofCompleteRequest", - "ObReferenceObjectByHandle", "IoCreateSymbolicLink", - "IoCreateDevice", - "ZwOpenSection", - "DbgPrint", - "IoAllocateMdl", - "MmAllocateContiguousMemory", + "MmIsAddressValid", + "ObfDereferenceObject", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "RtlFreeUnicodeString", + "IofCallDriver", + "IoGetDeviceObjectPointer", + "RtlInitUnicodeString", + "IoDeleteDevice", + "ProbeForWrite", + "MmMapIoSpace", "KeBugCheckEx", - "ZwClose", - "MmUnmapLockedPages", - "__C_specific_handler", - "HalTranslateBusAddress" + "RtlInitAnsiString", + "IoCreateDevice", + "KeInitializeEvent", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
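Review bot: The new sample objects change the JSON type of `CertificatesInfo` from `""` to `[]` (the `"CertificatesInfo": []` line at L1185, again at L1189 in the next hunk), and the per-sample name key is now spelled `FileName` (`"FileName": "cpuz.sys"`) while the removed lines spell it `Filename`. Whatever struct or schema drivers.json is decoded into must follow both changes: a string-typed `CertificatesInfo` field will fail to unmarshal the array form, and a case-sensitive parser will treat `FileName` and `Filename` as different keys (Go's encoding/json happens to match field names case-insensitively, but if the loader relies on that it deserves a comment saying so). I can only see this part of the diff, so if other entries in the file keep the old spelling or the old `""` value, the loader needs to tolerate both forms rather than one. The same empty-string-as-null convention remains for `ExportedFunctions`, which is `""` next to an `ImportedFunctions` array; a consumer iterating it as a list will need a guard.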
@@ -41276,129 +26971,93 @@ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2007-02-08 00:00:00", + "ValidTo": "2009-02-07 23:59:59", + "Signature": "6ca08361ce69863ade5289039d2e6eaf79729d950a57fc32158e56bc0bfc05ca3b76263b8e8a5e2279522eceed35495c697a2f1b1631e1a4f997c8b2e14cd08a3b4aaeca9f150126f5933e6a29fde1e3ef607f452219582ac034c3f95023fd6c5474008ecea3aab5ba096ae73a3dd76b296d3c8b06a72ca763698e49474d624c22ad57a3d11342be8a6d2a49e4af5893003fcf02900a0fbf4854858cc0468d23b9917cfe59ac8b7058de49ab25bbca0bc67f1f367309deed4827295173fad53932d12ad79b8c70175e640f7917fd60940be86d1af397dd5eb0ecb9e92f9e3dc03f2cbf51e9776b31a8cba38fabd8b27e561f66a5ddad46546d6bc984a6a8d8bc", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2008-07-22 00:00:00", - "ValidTo": "2009-07-31 23:59:59", - "Signature": 
"89ad20860cc0358a80a8a1a898ed70bff3f31496402a4cc453d2f0e46ad52635e6c42d305874ddb46fc271e5721ae1253f16050842c579562bdd0c470db15d1fdc1429d585118c27862594e46cbb8dd8f42379f0d3f074498e03d8242fb7c2917be7fee09fbb2b35ac52950881082e51171f6fec7b998b0e257bf42d33745ed6c673c23fed0a6d6d69024458b30244d8c58a1c92fba89e0d709264793ceeb8f69a39d0b1b6011855035003ce50e3ee3c7a59d394e589126e2ab96c3b243b0abbc1e485ce9ae9e70da5ba5d925cacbc054d78bd4fb82686509b0803e8526c5ab202d8307b9701b983e424919eeb1485981a5cff8f307c551266a89d499badb24e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "37ed9092bdd1dccf58d2afa47f961448", + "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "asmmap64.sys" - ] - }, - { - "Id": "dfce8b0f-d857-4808-80ef-61273c7a4183", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Dh_Kernel_10.sys binPath=C:\\windows\\temp\\Dh_Kernel_10.sys type=kernel && sc.exe start Dh_Kernel_10.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "Dh_Kernel_10.sys", - "MD5": "51207adb8dab983332d6b22c29fe8129", - "SHA1": "ddbe809b731a0962e404a045ab9e65a0b64917ad", - "SHA256": "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3", - "Signature": [ - "YY Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "YY Inc.", - "Company": "YY Inc.", - "Description": "dianhu", - 
"Product": "dianhu", - "ProductVersion": "1.0.99", - "FileVersion": "1.0.99", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "e425c66663c96d5a9f030b0ad4d219a8", + "SHA1": "bd87aecc0ac1d1c2ab72be1090d39fab657f7cc6", + "SHA256": "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578", "Authentihash": { - "MD5": "df4f1e566667e15b3d81c5c3e50e97ca", - "SHA1": "b92959042d232605abba254bc0368b87ec047079", - "SHA256": "c786f3ca229da18b2806af4d57ecad603859ee548549b19f71a623f477fc740e" + "MD5": "a10d1df81f81710baf68826e4c32befa", + "SHA1": "ecbde8d7d911f64666f89356ce6194d92741bdc4", + "SHA256": "cd7754a6ec6bf19724fb266ec4f1d02607e9b310791d8725d7db5ac84d5430e2" }, - "InternalName": "", - "Copyright": "Copyright © 2007-2017 YY Inc. All rights reserved.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2014 CPUID", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePool", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ProbeForRead", - "MmProbeAndLockPages", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "MmUnmapLockedPages", - "MmCreateMdl", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "KeInitializeSpinLock", + "ExFreePool", + "ExAllocatePoolWithTag", + "RtlFreeUnicodeString", "ObfDereferenceObject", "MmIsAddressValid", - "KeAttachProcess", - "KeDetachProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsLookupProcessByProcessId", - "PsGetProcessSectionBaseAddress", - "__C_specific_handler", - "RtlCopyUnicodeString", - "DbgPrintEx", - "MmGetSystemRoutineAddress", + "IoGetDeviceObjectPointer", + "MmUnmapIoSpace", + 
"RtlInitAnsiString", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlUnwind", + "KeTickCount", + "KeBugCheckEx", "RtlInitUnicodeString", - "IoFreeMdl", - "_stricmp", - "WdfVersionBindClass", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionUnbindClass" + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "PsGetVersion", + "KeInitializeEvent", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "KeWaitForSingleObject", + "RtlAnsiStringToUnicodeString", + "IoCancelIrp", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "READ_PORT_UCHAR" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -41416,17 +27075,24 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=CN, ST=Guangdong, L=Guangzhou, O=YY Inc., OU=PM, CN=YY Inc.",
- "ValidFrom": "2015-07-17 00:00:00",
- "ValidTo": "2018-10-15 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
+ "ValidFrom": "2006-11-08 00:00:00",
+ "ValidTo": "2021-11-07 23:59:59",
+ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
- "ValidFrom": "2011-02-22 19:25:17",
- "ValidTo": "2021-02-22 19:35:17",
- "Signature": "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",
+ "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
+ "ValidFrom": "2006-05-23 17:01:29",
+ "ValidTo": "2016-05-23 17:11:29",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID",
+ "ValidFrom": "2012-01-06 00:00:00",
+ "ValidTo": "2015-02-06 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -41439,434 +27105,289 @@ ], "Signer": [ { - "SerialNumber": "53603f0f228be591521b9822ca852ad4", + "SerialNumber": "53c8b54713882d4d5439511804935e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "Dh_Kernel_10.sys" - ] - }, - { - "Id": "17cf4fac-88f1-467d-9f62-481d33accc5b", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create otipcibus.sys binPath=C:\\windows\\temp\\otipcibus.sys type=kernel && sc.exe start otipcibus.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "otipcibus.sys", - "MD5": "d5a642329cce4df94b8dc1ba9660ae34", - "SHA1": "ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308", - "SHA256": "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80", - "Signature": [ - "Ours Technology Inc.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "OTi", - "Description": "Hardware Access Driver", - "Product": "Kernel Mode Driver To Access Physical Memory And Ports", - "ProductVersion": "1.1000.0.1", - "FileVersion": "1.1000.0.1", - "MachineType": "AMD64", - "OriginalFilename": "otipcibus64.sys", + "FileName": "cpuz.sys", + "MD5": "ccb09eb78e047c931708149992c2e435", + "SHA1": 
"ada23b709cb2bef8bedd612dc345db2e2fdbfaca", + "SHA256": "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15", "Authentihash": { - "MD5": "0fc8a346a333624a7b6645da7a1b6b8b", - "SHA1": "fd172c7f8bdc81988fcf1642881078a8ca8415f6", - "SHA256": "1cda1a6e33d14d5dd06344425102bf840f8149e817ecfb01c59a2190d3367024" + "MD5": "e4b3d527845f6574b5959b6381f925f8", + "SHA1": "baf46ac272c1a6d8c32683965b1d849386908079", + "SHA256": "68b0a239031b158e2927bb5dc8844b662cb4616ee8c1363fa729aa8fa0d86cff" }, - "InternalName": "otipcibus64.sys", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePool", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmMapIoSpace", - "MmUnmapIoSpace", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoFreeMdl", + "KeInitializeEvent", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", "IoGetDeviceObjectPointer", - "RtlCopyUnicodeString", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "ExFreePoolWithTag", + "IofCompleteRequest", "KeWaitForSingleObject", - "IoAllocateMdl", - "KeInitializeEvent", - "WdfVersionBindClass", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionUnbindClass" + "PsGetVersion", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + 
"MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Hsingchu Hsien, L=Hsinchu County, O=Ours Technology Inc., CN=Ours Technology Inc.", - "ValidFrom": "2018-07-09 00:00:00", - "ValidTo": "2019-09-05 23:59:59", - "Signature": 
"157696d20704ca4a7504961b5edd290d72580ee3cf1fb6fff495f95bcb872f1e9f94af12457ea351b1614568e3e459272eca93ba547ffc241728838133fd3331e9093d8a2a05ac50bc5009881466cc8d341a040ac6bdc6c1a88244824d76db728fef05ecb04501018462f10eb1d347355c8e2aa0a9103b4fc92070d675142e04c03bffe65c590ec5e5089346f20706291a97e28e5bd7f821e5797227e2f8f087fd95533db374c5f220129966060e10d8536fc0a91506a4062245d07906f6792ea9b100d6f1c1d9de50c6991076867f9267d74d040524e6b79be78d5c59e1225da69cba23f9b9ef79a94aac0f83985261b7422d7505dea910e7ad4b98403e6dbb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2009-02-02 00:00:00", + "ValidTo": "2012-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3d5fc3a4d1a54cf40abf37864a5effe7", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "otipcibus.sys" - ] - }, - { - "Id": "d05a0a6c-c037-4647-99ac-c41593190223", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create d2.sys binPath=C:\\windows\\temp\\d2.sys type=kernel && sc.exe start d2.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "d2.sys", - "SHA256": "cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612", - "Signature": [], - "Date": "", - 
"Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "d2.sys" - ] - }, - { - "Id": "7a7630d6-d007-4d84-a17d-81236d9693e1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create d.sys binPath=C:\\windows\\temp\\d.sys type=kernel && sc.exe start d.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "d.sys", - "MD5": "a60c9173563b940203cf4ad38ccf2082", - "SHA1": "a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0", - "SHA256": "c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "cpuz.sys", + "MD5": "43bfc857406191963f4f3d9f1b76a7bf", + "SHA1": "9329a0ce2749a3a6bea2028ce7562d74c417db64", + "SHA256": "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b", "Authentihash": { - "MD5": "19dd018ebddfa9044b05fbb9ddffd7f9", - "SHA1": "80111a99c4f127cca12f1902ca241b3e65f339ff", - "SHA256": "a4ca4a0932afa09e8df3469768f5ac6feaff2b7ae27ac208a218288fc4fbf102" + "MD5": "68fb744e92133e8bb6b59fea9304667c", + "SHA1": "de1a168f24f5da29b9f8bf8333fff57bfa0d21a4", + "SHA256": 
"d70bfea03deeea92a253f2b4a8b7181a3064f62c5207f94b5f7ce5a9e62ab4cf" }, - "InternalName": "", - "Copyright": "", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2016 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlInitUnicodeString", + "IoDeleteDevice", "KeInitializeEvent", - "ObReferenceObjectByHandle", - "ZwClose", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", + "IoCreateSymbolicLink", "ObfDereferenceObject", - "PsCreateSystemThread", - "IoGetCurrentProcess", - "_stricmp", - "strchr", - "ZwCreateFile", - "RtlInitUnicodeString", - "ZwReadFile", - "ZwQueryInformationFile", - "KeDetachProcess", - "ProbeForRead", - "ZwQueryInformationProcess", - "KeAttachProcess", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ObOpenObjectByName", - "KeServiceDescriptorTable", - "KeAddSystemServiceTable", - "PsGetCurrentProcessId", - "ProbeForWrite", - "wcsstr", - "ObQueryNameString", - "IoFileObjectType", - "SeSinglePrivilegeCheck", - "KeGetPreviousMode", - "KeDelayExecutionThread", - "ZwAllocateVirtualMemory", - "ZwQuerySection", - "ExfInterlockedInsertTailList", + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", "ExFreePoolWithTag", - "sprintf", - "RtlVolumeDeviceToDosName", - "IoGetDeviceObjectPointer", - "MmSectionObjectType", - "strstr", - "_strlwr", - "PsProcessType", - "PsSetCreateProcessNotifyRoutine", - "KeInitializeSpinLock", - "PsThreadType", - "PsTerminateSystemThread", - "vsprintf", - "KeQuerySystemTime", - "ExfInterlockedRemoveHeadList", - "NtBuildNumber", + "IoDeleteSymbolicLink", + 
"IoBuildDeviceIoControlRequest", + "MmMapIoSpace", "ExAllocatePoolWithTag", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwDeleteKey", - "_except_handler3", - "swprintf", - "_wcsnicmp", - "ZwQuerySystemInformation", - "PsLookupProcessByProcessId", - "wcstombs", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KfAcquireSpinLock", - "KfReleaseSpinLock" + "RtlUnwindEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], - "Signatures": {} - } - ], - "Tags": [ - "d.sys" - ] - }, - { - "Id": "2bea1bca-753c-4f09-bc9f-566ab0193f4a", - "Author": "Michael Haag, rasta-mouse, goosvorbook", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create gdrv.sys binPath=C:\\windows\\temp\\gdrv.sys type=kernel && sc.exe start gdrv.sys", - "Description": "gdrv.sys is vulnerable to multiple CVEs: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321. Read/Write Physical memory, read/write to/from IO ports, exposes ring0 memcpy-like functionality, read and write Machine Specific Registers (MSRs). 
Affected versions: GIGABYTE APP Center v1.05.21 and previous, AORUS GRAPHICS ENGINE v1.33 and previous, XTREME GAMING ENGINE v1.25 and previous, OC GURU II v2.08", - "Usecase": "Elevate privileges, tamper with PPL or system processes", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/hoangprod/DanSpecial", - "https://github.com/namazso/physmem_drivers", - "https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities", - "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", - "https://github.com/namazso/physmem_drivers", - "https://github.com/hmnthabit/CVE-2018-19320-LPE" - ], - "Acknowledgement": { - "Person": "MattNotMax", - "Handle": "@mattnotmax" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, { - "Filename": "gdrv.sys", - "MD5": "9ab9f3b75a2eb87fafb1b7361be9dfb3", - "SHA1": "fe10018af723986db50701c8532df5ed98b17c39", - "SHA256": "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427", - "Signature": [ - "Giga-Byte Technology", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 
Public Primary CA" - ], - "Date": "2013-07-03 17:32:00 UTC, 2017-11-30 18:40:00 UTC", - "Publisher": "", - "Company": "Windows (R) Server 2003 DDK provider", - "Description": "GIGABYTE Tools", - "Product": "Windows (R) Server 2003 DDK driver", - "ProductVersion": "5.2.3790.1830", - "FileVersion": "5.2.3790.1830 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "gdrv.sys", + "FileName": "cpuz.sys", + "MD5": "8f5b84350bfc4fe3a65d921b4bd0e737", + "SHA1": "76046978d8e4409e53d8126a8dcfc3bf8602c37f", + "SHA256": "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90", "Authentihash": { - "MD5": "b18b1bff521337695d2d6a0768340252", - "SHA1": "0f5034fcf5b34be22a72d2ecc29e348e93b6f00f", - "SHA256": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb" + "MD5": "76a420a5ac2a6250c57d129de361695a", + "SHA1": "3736434ca3094fed9f1f3378e9fb966a5e9411f1", + "SHA256": "3e423caaff9002b38e1d90005df181aa2b3711ebbf6d1eb83941656ccc313811" }, - "InternalName": "gdrv.sys", - "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2010 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", + "RtlAnsiStringToUnicodeString", "RtlInitUnicodeString", - "DbgPrint", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", "MmUnmapIoSpace", - "IoFreeMdl", - "MmUnmapLockedPages", - "MmMapIoSpace", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ExFreePoolWithTag", + "IofCompleteRequest", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "KeAcquireInStackQueuedSpinLock", - "MmFreeContiguousMemory", "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmGetPhysicalAddress", - "IofCompleteRequest", + "ObfDereferenceObject", + "IoCreateDevice", + "IofCallDriver", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", "ExAllocatePoolWithTag", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ZwUnmapViewOfSection", - "KeReleaseInStackQueuedSpinLock", - "IoDeleteDevice", - "HalTranslateBusAddress" + "RtlUnwindEx", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
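Review bot: The sample records on the new side use the key `"FileName"` where the removed ones used `"Filename"` (see the otipcibus.sys → cpuz.sys replacement near the top of this hunk and the later cpuz.sys records), and `"CertificatesInfo"` changes from the string `""` to the array `[]`, so whatever struct in pkg/loldrivers decodes this file has to be updated alongside the data. If the loader is Go's encoding/json, the old `Filename` tag would still bind case-insensitively, but a string-typed CertificatesInfo field would produce an UnmarshalTypeError against `[]`, and a caller that treats any decode error as fatal would then start with an empty hash set and report no matches at all, a silent false negative for a tool whose entire output rests on these MD5/SHA1/SHA256 values. A round-trip test that decodes the embedded file and asserts a non-zero sample count, plus a comment at the struct such as `// Schema follows the loldrivers.io export: KnownVulnerableSamples[].FileName; Signatures[].CertificatesInfo is an array`, would catch the next schema drift. The cpuz.sys record this hunk ends in continues in the following hunk.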
@@ -41877,178 +27398,143 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", - "ValidFrom": "2010-08-23 00:00:00", - "ValidTo": "2013-10-17 23:59:59", - "Signature": "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", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2012-01-06 00:00:00", + "ValidTo": "2015-02-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "248472542c24ab8e429229acf121ca26", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "53c8b54713882d4d5439511804935e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "gdrv.sys", - "MD5": "1cff7b947f8c3dea1d34dc791fc78cdc", - "SHA1": "8d59fd14a445c8f3f0f7991fa6cd717d466b3754", - "SHA256": "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339", - "Signature": [ - "GIGA-BYTE TECHNOLOGY CO., LTD.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "2013-07-03 17:32:00 UTC, 2017-11-30 18:40:00 UTC", - "Publisher": "", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - 
"Description": "GIGA-BYTE NonPNP Driver", - "Product": "gdrv64", - "ProductVersion": "17120101", - "FileVersion": "1.0.0.1", - "MachineType": "AMD64", - "OriginalFilename": "gdrv.sys", + "FileName": "cpuz.sys", + "MD5": "ce57844fb185d0cdd9d3ce9e5b6a891d", + "SHA1": "32888d789edc91095da2e0a5d6c564c2aebcee68", + "SHA256": "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe", "Authentihash": { - "MD5": "bf45a5d10968424666abede02113a509", - "SHA1": "5c26f130f6a5ad8bdd2eed29140542dae0885b17", - "SHA256": "34da66774ba09c4a8fc59349401ca1fefaaf4e66a9c620c7782c072a16089ba3" + "MD5": "649db3854efa0c9a10fdcca1bcc5fc0b", + "SHA1": "3c738ea73287a493a2254c6011c35f31569cf2b9", + "SHA256": "472e29b63e1d9d44269a99962b186113586fbd3603eac3a23c520c7ef73a69cf" }, - "InternalName": "gdrv.sys", - "Copyright": "Copyright (C) 2017", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2017 CPUID", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeAcquireInStackQueuedSpinLock", - "KeReleaseInStackQueuedSpinLock", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "MmUnmapLockedPages", - "MmMapIoSpace", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeEvent", + "RtlInitAnsiString", "MmUnmapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", "IofCompleteRequest", - "DbgPrint", + "KeWaitForSingleObject", + "PsGetVersion", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoFreeMdl", - "ObReferenceObjectByHandle", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - 
"ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "KeBugCheckEx", + "ObfDereferenceObject", "IoCreateDevice", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IofCallDriver", + "KeBugCheckEx", + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=NEW TAIPEI, O=GIGA,BYTE TECHNOLOGY CO., LTD., CN=GIGA,BYTE TECHNOLOGY CO., LTD.", - "ValidFrom": "2016-07-21 00:00:00", - "ValidTo": "2019-09-19 23:59:59", - "Signature": 
"088e59029abef549a30601c39db2cb687032de13f40c63bd0d88dbe858d6ddddbdc235044f1f31ddf3f6c960583264c9b7306dadb38eb64160a40e804bfee6deac624b7283eba48591daa22ca7523b1518ce792115fbbc4d9c312d824dd0c4566aa985e8a60cb486447fbba0f2c1de3eff0d98cbdeef89653f045203fda3b6a421d08ed13e45616e7c196ed56284b68d16e24e62ba8222fa6b15c7b586132dd3777b42908d930ab082f549516d886449ae87c20bb0c8474777de6c91917d8f173468f72ef3f89898fed2d861c31a8ea2659eabc3cc023e2008fca26f4c1c7d05594faecb6e437d61c11e947f6fdb6cc0db9cdfd6546d5212c94ed8a37fb723e7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2ad22e071f61cafe7884bfa43a31b21b", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "gdrv.sys" - ] - }, - { - "Id": "7edb5602-239f-460a-89d6-363ff1059765", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create viragt64.sys binPath=C:\\windows\\temp\\viragt64.sys type=kernel && sc.exe start viragt64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "viragt64.sys", - "MD5": "779af226b7b72ff9d78ce1f03d4a3389", - "SHA1": "9eef72e0c4d5055f6ae5fe49f7f812de29afbf37", - "SHA256": "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506", + "FileName": "cpuz.sys", + "MD5": "8ad9dfc971df71cd43788ade6acf8e7d", + "SHA1": "7241b25c3a3ee9f36b52de3db2fc27db7065af37", + "SHA256": 
"f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c", "Authentihash": { - "MD5": "835b8a268127c12be0ebcdd13eae3f16", - "SHA1": "40082d350533c99578bdabfcaf03afe52c83d4a8", - "SHA256": "5f353fc46843155b6b63e75994f5328b9d4344654d5759a5145cd6e64babe3de" + "MD5": "fa889613bb0522d6e546e8cbd011105a", + "SHA1": "62ee17440edaf819966eb823a26dfd46c24447b4", + "SHA256": "991228f3ea6c1ae8083aa405d1d066e48cd6dbd7d6bc01c81599b2c28f3923f1" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt64.sys", - "FileVersion": "1, 0, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 0, 0, 0", - "Copyright": "Copyright (C) TG Soft S.a.s. 2011, 2012 - www.tgsoft.it", + "Description": "CPUID Driver", + "Company": "CPUID", + "InternalName": "cpuz.sys", + "OriginalFilename": "cpuz.sys", + "FileVersion": "6.1.7600.16385 built by: WinDDK", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "Copyright": "Copyright(C) 2015 CPUID", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -42056,72 +27542,32 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "mbstowcs",
- "ExAllocatePoolWithTag",
- "KeSetTargetProcessorDpc",
- "ZwCreateKey",
- "IoDeleteSymbolicLink",
- "ExFreePoolWithTag",
- "KeInitializeMutex",
 "RtlAnsiStringToUnicodeString",
- "ZwReadFile",
 "RtlInitUnicodeString",
 "IoDeleteDevice",
+ "KeInitializeEvent",
 "RtlInitAnsiString",
- "ZwSetValueKey",
- "_strupr",
- "KeInitializeDpc",
- "ZwQuerySystemInformation",
- "MmBuildMdlForNonPagedPool",
- "IoFreeMdl",
- "ZwSetInformationFile",
- "KeReleaseMutex",
- "KeDelayExecutionThread",
- "ZwCreateFile",
- "PsCreateSystemThread",
- "MmMapLockedPagesSpecifyCache",
- "ExSystemTimeToLocalTime",
- "ZwQueryValueKey",
- "PsTerminateSystemThread",
- "KeInsertQueueDpc",
- "ZwEnumerateValueKey",
- "ZwClose",
- "sprintf",
- "ObReferenceObjectByHandle",
+ "MmUnmapIoSpace",
+ "IoCancelIrp",
+ "RtlFreeUnicodeString",
+ "IoGetDeviceObjectPointer",
+ "ExFreePoolWithTag",
+ "IofCompleteRequest",
 "KeWaitForSingleObject",
- "RtlTimeToTimeFields",
- "MmProbeAndLockPages",
- "ZwOpenProcess",
- "MmUnlockPages",
+ "PsGetVersion",
 "IoCreateSymbolicLink",
- "MmIsAddressValid",
 "ObfDereferenceObject",
 "IoCreateDevice",
- "ZwTerminateProcess",
- "wcstombs",
- "KeNumberProcessors",
- "ZwQueryInformationFile",
- "MmIsNonPagedSystemAddressValid",
- "ZwWriteFile",
- "ZwDeleteKey",
- "RtlFormatCurrentUserKeyPath",
- "ZwEnumerateKey",
- "IoAllocateMdl",
- "ZwOpenKey",
- "ObOpenObjectByName",
- "swprintf",
- "RtlUnicodeStringToAnsiString",
- "ZwOpenDirectoryObject",
- "IoFileObjectType",
- "IoDriverObjectType",
- "ZwQueryDirectoryObject",
- "KeQueryActiveProcessors",
+ "IofCallDriver",
 "KeBugCheckEx",
- "IofCompleteRequest",
- "ExQueueWorkItem",
- "__C_specific_handler",
- "__chkstk",
- "KeStallExecutionProcessor"
+ "IoDeleteSymbolicLink",
+ "IoBuildDeviceIoControlRequest",
+ "MmMapIoSpace",
+ "ExAllocatePoolWithTag",
+ "RtlUnwindEx",
+ "HalSetBusDataByOffset",
+ "KeStallExecutionProcessor",
+ "HalGetBusDataByOffset"
 ],
 "Signatures": [
 {
@@ -42129,24 +27575,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
- "ValidFrom": "2012-05-01 00:00:00",
- "ValidTo": "2012-12-31 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
- "ValidFrom": "2003-12-04 00:00:00",
- "ValidTo": "2013-12-03 23:59:59",
- "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
- "ValidFrom": "2009-05-21 00:00:00",
- "ValidTo": "2019-05-20 23:59:59",
- "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
+ "ValidFrom": "2006-11-08 00:00:00",
+ "ValidTo": "2021-11-07 23:59:59",
+ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -42157,525 +27589,636 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2010-01-15 00:00:00", - "ValidTo": "2013-01-26 23:59:59", - "Signature": "49acd6daead15fe8d7445a98d9c495f32e30c0bfe703acba889230d0e71911d319656ef50b2116f52fafc0e98010c27d23c59fc85bfd5a20c274a171279702f4c34435fe76b9746a39c64fd401aec55d0e1dedb33f6a8a4a35b3e4438ea30563562e3627df7abd77736982bd73966cd56b223a57e8cb3e709c316aa968eb8f9ef84560f0d68dc6e37ae179cca59e1ca21216cd04ac1f0913dbfb2ea258ebce38b3b329b2b9bd4dce4c6b568bebe1323e4622a0678ee5326540fbf0667684c9936eae2d879bb500e7f5684633e203cf5c9fcffad04ed7c712678d4209f32f280c1bf91b228a1d88a43f2b9cc0f68109b0ee81f935a87bfef1cf309fa7093a9c51", + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "25008956fcdc548a3079b096ef96c928", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "cpuz.sys" + ], 
+ "yara": true + }, + { + "Id": "d5118882-6cdd-4b06-8bf4-e9818f16137e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create nt3.sys binPath=C:\\windows\\temp \\n \\n \\n t3.sys type=kernel && sc.exe start nt3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "nt3.sys", + "SHA256": "7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "nt3.sys" + ], + "yara": false + }, + { + "Id": "cf49f43c-d7b4-4c1a-a40d-1be36ea64bff", + "Author": "Michael Haag", + "Created": "2023-05-22", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create SysDrv3S.sys binPath=C:\\windows\\temp\\SysDrv3S.sys type=kernel && sc.exe start SysDrv3S.sys", + "Description": "Vulnerable driver found in https://github.com/hfiref0x/KDU.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951" + ], + "Acknowledgement": { + "Person": "hfiref0x", + "Handle": "hfiref0x" + }, + "Detection": [ + { + "type": "yara_signature", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b.yara" }, { - "FileName": "viragt.sys", - "MD5": "25ebe6f757129adbe78ec312a5f1800b", - "SHA1": "d17656f11b899d58dca7b6c3dd6eef3d65ae88e2", - "SHA256": "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "SysDrv3S.sys", + "MD5": "31eca8c0b32135850d5a50aee11fec87", + "SHA1": "e1069365cb580e3525090f2fa28efd4127223588", + "SHA256": "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "3S-Smart Software Solutions GmbH", + "Description": "SysDrv3S", + "Product": "SysDrv3S", + "ProductVersion": "3.5.6.0", + "FileVersion": "3,5,6,0", + "MachineType": "AMD64", + "OriginalFilename": "SysDrv3S.sys", "Authentihash": { - "MD5": "78428144608ab49b0508197849200ab0", - "SHA1": "eb528a7bc5b0d9efe5872e16f42420291c6df07f", - "SHA256": "04f771d72a812fe9dd6bced402b36b081c80bd3397fdd66dbaa44906ac088159" + "MD5": "0ef111dc998659cbc37f0d9845cdd2df", + "SHA1": "432b5809d84935d15574de8d64b22e06682ff715", + "SHA256": "97cada65b735f3eece349c7b7021c4469d5a9fb3cf8b5e2ac187006469ffbc98" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", 
- "OriginalFilename": "viragt.sys", - "FileVersion": "1.25.0.0", - "Product": "VirIT Agent System", - "ProductVersion": "1.25.0.0", - "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2010 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "SysDrv3S", + "Copyright": "Copyright © 2006-2014", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusData", "IoDeleteDevice", - "ZwQueryValueKey", - "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", - "PsTerminateSystemThread", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IofCompleteRequest", - "memcpy", "IoCreateSymbolicLink", "IoCreateDevice", - "PsCreateSystemThread", - "KeInitializeMutex", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "RtlUnicodeStringToAnsiString", - "ZwQueryDirectoryObject", - "KeTickCount", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", + 
"RtlInitUnicodeString", + "DbgPrint", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "RtlAssert", "IoDeleteSymbolicLink", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlQueryRegistryValues", + "RtlWriteRegistryValue", + "ZwCreateFile", + "ZwReadFile", + "ZwWriteFile", "ZwQueryInformationFile", - "RtlUnwind", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KfRaiseIrql" + "KeSetEvent", + "KeWaitForSingleObject", + "IofCallDriver", + "KeInitializeEvent", + "IoGetDeviceProperty", + "__C_specific_handler", + "IoDetachDevice", + "RtlFreeUnicodeString", + "IoAttachDeviceToDeviceStack", + "RtlCopyUnicodeString", + "ExAllocatePool", + "PoCallDriver", + "PoStartNextPowerIrp", + "IoFreeIrp", + "IoAllocateIrp" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2009-11-18 10:00:00", + "ValidTo": "2019-03-18 10:00:00", + "Signature": 
"4252a97ea2cf5b3bcb4bddbaf85759d324a47772ef62443782ed06ee04d5165f24a314dc6c54056ab09b3dda8139daad28db956f8183f5cd62b14524b1dd29e5085495958cf01d065f1ad6463f1340174811169b474dd13ab50f571c9230d0f8b2253b0acdf687f9c7b257d33f7da58c14ce9ca8c79f4693da59fa795d652035445a4fc1909dc1549256dc34c8f5c103d05dc059489c00fc95a0f1d176f71636c813927f2d2bc0b880f126261f414d52bf1e97bb018208e715f6c1d5342accf5e4c3877a5781e1d6d74286620177e2a9c47a86f404387a076a7d00ec73f7a80b3478c59eb3efb838400e8c3353c875ec5f3eea755eff820e7415dc1905f3ba31", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "7609c4cc2fd9ef1e4ba9f857f3403921ca4c3c1d9e292b20d42b44d288ce1a0d05cf8381bbeb69bc318d2ac4c744cc6060941ccfa1e102240ead5bbe2cc2271e67b7e8281f3251e339f398dfb89f2e8b2ab47b0a03bcbd36048fc9d09c4fa3022799b0f045e934dfe43aa3b70637d86f2a7990d4d44e5871ec53a96198f73969e0129c575872862729a51de532f32b99975abf2bb03cb406ea0e64ecb7cd65802417c2d937f5b1261035477b9a02ba54a24593ff79bf1a8cc59fb59fdf78e76b50f14794694b24b8da05e80c9d4f06ec4a31207e4f5d86842f35a3cd9cc184571f1fadc0e2a4b1ef296b2197a6d4feed0337b0fcf58d2abcdc8483e3dec3e75f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - 
"ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2010-01-15 00:00:00", - "ValidTo": "2013-01-26 23:59:59", - "Signature": "49acd6daead15fe8d7445a98d9c495f32e30c0bfe703acba889230d0e71911d319656ef50b2116f52fafc0e98010c27d23c59fc85bfd5a20c274a171279702f4c34435fe76b9746a39c64fd401aec55d0e1dedb33f6a8a4a35b3e4438ea30563562e3627df7abd77736982bd73966cd56b223a57e8cb3e709c316aa968eb8f9ef84560f0d68dc6e37ae179cca59e1ca21216cd04ac1f0913dbfb2ea258ebce38b3b329b2b9bd4dce4c6b568bebe1323e4622a0678ee5326540fbf0667684c9936eae2d879bb500e7f5684633e203cf5c9fcffad04ed7c712678d4209f32f280c1bf91b228a1d88a43f2b9cc0f68109b0ee81f935a87bfef1cf309fa7093a9c51", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, serialNumber=HRB 6186, ??=DE, ??=Bayern, ??=Kempten (Allgaeu), C=DE, ST=Bayern, L=Kempten (Allg??u), ??=Memminger Str. 
151, O=3S,Smart Software Solutions GmbH, CN=3S,Smart Software Solutions GmbH, emailAddress=info@codesys.com", + "ValidFrom": "2019-02-01 15:34:02", + "ValidTo": "2021-02-01 15:34:02", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "25008956fcdc548a3079b096ef96c928", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "60a8b030535055def1677cc6", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" } ] } ] + } + ], + "Tags": [ + "SysDrv3S.sys" + ], + "yara": true + }, + { + "Id": "64f3d4b0-6d2b-4275-b3d4-15d092af4092", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create fiddrv64.sys binPath=C:\\windows\\temp\\fiddrv64.sys type=kernel && sc.exe start fiddrv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "fiddrv64.sys", + "SHA1": "10e15ba8ff8ed926ddd3636cec66a0f08c9860a4", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" }, { - "FileName": "viragt.sys", - "MD5": 
"650f6531db6fb0ed25d7fc70be35a4da", - "SHA1": "7ee675f0106e36d9159c5507b96c3237fb9348cd", - "SHA256": "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8", + "Filename": "fiddrv64.sys", + "SHA1": "e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "fiddrv64.sys" + ], + "yara": false + }, + { + "Id": "3ab0d182-6365-47a7-89f4-34121e889503", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create HwOs2Ec10x64.sys binPath=C:\\windows\\temp\\HwOs2Ec10x64.sys type=kernel && sc.exe start HwOs2Ec10x64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "HwOs2Ec10x64.sys", + "MD5": "37086ae5244442ba552803984a11d6cb", + "SHA1": "dc0e97adb756c0f30b41840a59b85218cbdd198f", + "SHA256": "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc", + "Signature": [ + "Huawei Technologies Co., Ltd.", + "Symantec Class 3 Extended Validation Code Signing CA - G2", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Huawei", + "Description": "HwOs2Ec", + "Product": "Huawei MateBook", + "ProductVersion": "1.0.0.1", + "FileVersion": "1.0.0.1", + "MachineType": "AMD64", + "OriginalFilename": "HwOs2Ec.sys", "Authentihash": { - "MD5": "fbbb02331ba15c59930554299f14b793", - "SHA1": "2c300726f3806b6d077fe58ae8d2b257d654a700", - "SHA256": "f78e06f649bc0d88770c5465d7792abeb27631ec0ce9a0fa68698b94ebf2cf49" + "MD5": "20be6af18d3b97968b2a8d5a9513caaa", + "SHA1": "b6a4ef3babbd79479723b8586ea0e8c7a33d1661", + "SHA256": "ab494aba56e9ea7b6055ac437f6b678e7239b0fda54bf28019480565a098a6e3" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt.sys", - "FileVersion": "1, 65, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 65, 0, 0", - "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2012 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "HwOs2Ec", + "Copyright": "Copyright (C) 2016", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "InitSafeBootMode", + "memcpy_s", + "_wcsnicmp", + "RtlInitUnicodeString", + "RtlEqualUnicodeString", + "RtlCopyUnicodeString", + "RtlAppendUnicodeToString", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "ExAllocatePool", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExInitializeResourceLite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "ExDeleteResourceLite", "MmProbeAndLockPages", "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", + "MmUnmapLockedPages", "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", + "IoFreeMdl", + "ObReferenceObjectByHandle", + 
"ObfDereferenceObject", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ZwClose", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenProcess", + "ZwQuerySystemInformation", + "ZwQueryInformationProcess", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "KeInitializeApc", + "ZwOpenThread", "IofCompleteRequest", - "memcpy", - "IoCreateSymbolicLink", - "IoCreateDevice", + "PsGetProcessPeb", + "RtlImageDirectoryEntryToData", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "__C_specific_handler", + "PsProcessType", + "PsThreadType", + "KeLowerIrql", + "KfRaiseIrql", + "MmBuildMdlForNonPagedPool", + "MmMapIoSpace", + "MmUnmapIoSpace", + "MmMapIoSpaceEx", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "PsGetThreadId", + "PsGetThreadProcessId", + "MmGetSystemRoutineAddress", + "RtlGetVersion", + "ZwTerminateProcess", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeWaitForMultipleObjects", + "KeWaitForSingleObject", "PsCreateSystemThread", - "KeInitializeMutex", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "RtlUnicodeStringToAnsiString", - "ZwQueryDirectoryObject", + "PsTerminateSystemThread", + "RtlCompareUnicodeStrings", + "wcscpy_s", + "RtlCompareUnicodeString", + "RtlAppendUnicodeStringToString", + "ZwCreateFile", + "ZwOpenKey", + "ZwQueryValueKey", + "ObOpenObjectByPointer", + "ObQueryNameString", "IoFileObjectType", - "swprintf", + "KeInsertQueueApc", "DbgPrint", - "IoFreeIrp", - "MmUnmapLockedPages", - "KeSetEvent", - "MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", - "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - "ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", - "KeBugCheckEx", - 
"ZwCreateKey", - "ZwQueryValueKey", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KeStallExecutionProcessor" + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority", + "ValidFrom": "1995-01-01 08:00:01", + "ValidTo": "1999-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": 
"OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority", + "ValidFrom": "1997-01-10 07:00:00", + "ValidTo": "2020-12-31 07:00:00", + "Signature": "95e80bc08df3971835edb80124d87711f35c60329f9e0bcb3e0591888fc93ae621f2f057932cb5a047c862effcd7cc3b3b5aa9365469fe246d3fc9ccaade057cdd318d3d9f10706abbfe124f1869c0fcd043e3115a204fea627bafaa19c82b37252dbe65a1128a250f63a3f7541cf921c9d615f352ac6e433207fd8217f8e5676c0d51f6bdf152c7bde7c430fc203109881d95291a4dd51d02a5f180e003b45bf4b1ddc857ee6549c75254b6b4032812ff90d6f0088f7eb897c5ab372ce47ae4a877e376a000d06a3fc1d2368ae04112a8356a1b6adb35e1d41c04e4a84504c85a33386e4d1c0d62b70aa28cd3d5543f46cd1c55a670db123a8793759fa7d2a0", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=CN, ??=Guangdong, ??=Shenzhen, ??=Private Organization, 
serialNumber=914403001922038216, C=CN, ST=guangdong, L=shenzhen, O=Huawei Technologies Co., Ltd., CN=Huawei Technologies Co., Ltd.", + "ValidFrom": "2017-12-14 00:00:00", + "ValidTo": "2019-12-14 23:59:59", + "Signature": "26d8d72aafae208ca75f86e2d634f131cd47c9531f57dd9d0506dd5f6e51df6baea828f02aa0ae534538921a9bc01af8ed084a8a06a5aa16e5def159a2ea17d84a134aa94467d2016797a2f8e49eb90d1de2e4213b6abd8147b4916f95c7b6c7b9c351cc969c00220c188e6a63806623eabd8fe9780141953a49197cfc1fbf5e39ea1c8f3afc3d792a46786202a7a02b9add0f36ed5125015fab8aded58cc2796b3c2d946b09084fe1547718ba315c53bdeb1d1330306113c6aa141494e11cf0ed3193dace62aef90bb5d6cb65aed548c00983eed016729498079e9ac5931bd33607aa1ee3156967b51963557d977fad2c755e34eb26fc4a249f5d24490d8884", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority", + "ValidFrom": "2001-05-09 23:19:22", + "ValidTo": "2021-05-09 23:28:13", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", - "ValidFrom": "2010-01-15 00:00:00", - "ValidTo": "2013-01-26 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification Root", + "ValidFrom": "2005-11-01 13:46:46", + "ValidTo": "2025-11-01 13:54:03", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "25008956fcdc548a3079b096ef96c928", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "45d8f42e053d18c5e90f3febd6e17ad7", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] - }, + } + ], + "Tags": [ + "HwOs2Ec10x64.sys" + ], + "yara": true + }, + { + "Id": "5261cacf-380c-4573-85ff-a643cbdf009a", + "Author": "Guus Verbeek", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create KApcHelper_x64.sys binPath=C:\\windows\\temp\\KApcHelper_x64.sys type=kernel && sc.exe start KApcHelper_x64.sys", + "Description": "Vulnerable driving using the stolen Nvidia Certificate.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "viragt.sys", - "MD5": "3467b0d996251dc56a72fc51a536dd6b", - "SHA1": "ca33c88cd74e00ece898dca32a24bdfcacc3f756", - "SHA256": "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a", + "Filename": "KApcHelper_x64.sys", + "MD5": "0f16a43f7989034641fd2de3eb268bf1", + 
"SHA1": "cc65bf60600b64feece5575f21ab89e03a728332", + "SHA256": "d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "e39802ea77fa83f1939a50985f9036c0", - "SHA1": "070c6795aa64c2bce7867e280016fb1d2af86dca", - "SHA256": "ac42c7b1d9feccd48c305698942186d580b7bfd047bb73dbf028f3fed7aa24ad" + "MD5": "adb7de0467bd3f92fce34819ec656658", + "SHA1": "2c1bc3f623fd9bfdf2ecbe5403da1849c85b8433", + "SHA256": "2a30ad675142cf411e7e5f5c53c6423de570a398295b0956130a7a7d77383103" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt.sys", - "FileVersion": "1, 74, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 74, 0, 0", - "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2013 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", - 
"IoDeleteDevice", - "IoDeleteSymbolicLink", + "rand", + "srand", + "wcsstr", "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "strstr", - "KeServiceDescriptorTable", - "KeReleaseMutex", + "RtlGetVersion", "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IofCompleteRequest", - "PsCreateSystemThread", - "memcpy", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeInitializeMutex", - "RtlUnicodeStringToAnsiString", - "IoGetDeviceObjectPointer", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "IoFileObjectType", - "swprintf", - "DbgPrint", - "IoFreeIrp", - "MmUnmapLockedPages", - "KeSetEvent", - "MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", - "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - "ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", - "KeBugCheckEx", - "ZwCreateKey", - "ZwQueryValueKey", "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KeStallExecutionProcessor" + "ExSystemTimeToLocalTime", + "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoGetCurrentProcess", + "ObReferenceObjectByHandleWithTag", + "ObfDereferenceObject", + "ObfDereferenceObjectWithTag", + "MmIsAddressValid", + "PsGetProcessExitStatus", + 
"PsIsThreadTerminating", + "PsLookupProcessByProcessId", + "PsLookupThreadByThreadId", + "PsGetThreadProcess", + "PsIsSystemThread", + "ObOpenObjectByPointerWithTag", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", + "ValidFrom": "2011-09-02 00:00:00", + "ValidTo": "2014-09-01 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2012-12-31 00:00:00", - "ValidTo": "2016-02-29 23:59:59", - "Signature": "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", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -42688,297 +28231,303 @@ ], "Signer": [ { - "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", + "SerialNumber": "43bb437d609866286dd839e1d00309f5", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "KApcHelper_x64.sys" + ], + "yara": false + }, + { + "Id": "1c6e1d3b-f825-4065-9e0c-83386883e40f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create rzpnk.sys binPath=C:\\windows\\temp\\rzpnk.sys type=kernel && sc.exe start rzpnk.sys", + "Description": "A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. 
CVE-2017-9769.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/nomi-sec/PoC-in-GitHub/blob/2a85c15ed806287861a7adec6545c85aec618e3b/2017/CVE-2017-9769.json#L13", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63.yara" }, { - "FileName": "viragt64.sys", - "MD5": "688a10e87af9bcf0e40277d927923a00", - "SHA1": "388819a7048179848425441c60b3a8390ad04a69", - "SHA256": "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "rzpnk.sys", + "MD5": "4cc3ddd5ae268d9a154a426af2c23ef9", + "SHA1": "684786de4b3b3f53816eae9df5f943a22c89601f", + "SHA256": "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63", + "Signature": [ + "Razer USA Ltd.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Razer, Inc.", + "Description": "Razer Overlay Support", + "Product": "Rzpnk", + "ProductVersion": "1.0.12.10155", + "FileVersion": "1.0.12.10155", + 
"MachineType": "I386", + "OriginalFilename": "Rzpnk.sys", "Authentihash": { - "MD5": "2a499183392f0d3835f957bbe6b538ba", - "SHA1": "f8a9a8d7c704069d4fff9c26740115c1f4ba3499", - "SHA256": "605e0efa14fc8443dc43c2068f17e6f175369909d5f7f1c3730fb5fe062528e6" - }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt64.sys", - "FileVersion": "1, 0, 0, 4", - "Product": "VirIT Agent System", - "ProductVersion": "1, 0, 0, 4", - "Copyright": "Copyright (C) TG Soft S.a.s. 2011, 2013 - www.tgsoft.it", - "MachineType": "AMD64", + "MD5": "76934be6e996e801ea4d68c504d427c3", + "SHA1": "b2e03d9e602a6026f45c08b686c6810abd43bfac", + "SHA256": "982ad43111d8b7a7900df652c8873eeb6aa485bb429dee6c2ad44acf598bb5e6" + }, + "InternalName": "Rzpnk", + "Copyright": "Copyright (C) 2010-2017. Razer, Inc.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "mbstowcs", - "ExAllocatePoolWithTag", - "KeSetTargetProcessorDpc", - "ZwCreateKey", - "IoDeleteSymbolicLink", + "IoAcquireCancelSpinLock", + "IoReleaseCancelSpinLock", + "ObReferenceObjectByHandle", "ExFreePoolWithTag", - "KeInitializeMutex", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "strstr", + "ExAllocatePoolWithTag", + "KeAcquireGuardedMutex", + "KeReleaseGuardedMutex", "RtlInitUnicodeString", + "IoCreateDevice", + "IoCreateSymbolicLink", + "PoStartNextPowerIrp", "IoDeleteDevice", - "RtlInitAnsiString", - "ZwSetValueKey", - "_strupr", - "KeInitializeDpc", - "ZwQuerySystemInformation", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "ZwSetInformationFile", - "KeReleaseMutex", - "KeDelayExecutionThread", - "ZwCreateFile", - "PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "ExSystemTimeToLocalTime", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "KeInsertQueueDpc", - "ZwEnumerateValueKey", + "KeInitializeEvent", + "PsSetCreateProcessNotifyRoutine", + "PsSetCreateThreadNotifyRoutine", + 
"PsRemoveCreateThreadNotifyRoutine", + "ZwSetEvent", + "_wcslwr", + "wcsstr", "ZwClose", - "sprintf", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlTimeToTimeFields", - "MmProbeAndLockPages", - "ZwOpenProcess", - "MmUnlockPages", - "IoCreateSymbolicLink", - "MmIsAddressValid", - "ObfDereferenceObject", - "IoCreateDevice", - "ZwTerminateProcess", - "KeNumberProcessors", - "ZwQueryInformationFile", - "MmIsNonPagedSystemAddressValid", - "ZwWriteFile", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "IoAllocateMdl", - "ZwOpenKey", - "ObOpenObjectByName", + "KeSetEvent", + "ZwWaitForSingleObject", + "_purecall", + "KeGetCurrentThread", + "_vsnprintf", "swprintf", - "RtlUnicodeStringToAnsiString", - "ZwOpenDirectoryObject", - "IoFileObjectType", - "IoDriverObjectType", - "ZwQueryDirectoryObject", - "wcstombs", - "KeQueryActiveProcessors", + "PsLookupProcessByProcessId", + "PsReferencePrimaryToken", + "SeQueryInformationToken", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlEqualSid", + "PsDereferencePrimaryToken", + "MmGetSystemRoutineAddress", + "MmIsAddressValid", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "wcsrchr", + "ZwOpenProcess", + "PsLookupThreadByThreadId", + "ObOpenObjectByPointer", + "PsThreadType", + "ZwCreateEvent", + "PsGetCurrentProcessId", + "ZwOpenProcessTokenEx", + "ZwQueryInformationToken", + "RtlSubAuthorityCountSid", + "KeTickCount", "KeBugCheckEx", + "ObfDereferenceObject", + "sprintf", "IofCompleteRequest", - "ExQueueWorkItem", - "__C_specific_handler", - "__chkstk", - "KeStallExecutionProcessor" + "memcpy", + "memset", + "RtlUnwind", + "KfAcquireSpinLock", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "KfReleaseSpinLock" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - 
"ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Irvine, O=Razer USA Ltd., CN=Razer USA Ltd.", + "ValidFrom": "2016-02-10 00:00:00", + "ValidTo": "2019-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2012-12-31 00:00:00", - "ValidTo": "2016-02-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1834b81889070312b5c4ca72ea419a5e", + "Issuer": 
"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] + } + ], + "Tags": [ + "rzpnk.sys" + ], + "yara": true + }, + { + "Id": "31797996-6973-402d-a4a0-d01ce51e02c0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsrIbDrv.sys binPath=C:\\windows\\temp\\AsrIbDrv.sys type=kernel && sc.exe start AsrIbDrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a.yara" }, { - "FileName": "viragt.sys", - "MD5": "3d5164e85d740bce0391e2b81d49d308", - "SHA1": "7ce978092fadbef44441a5f8dcb434df2464f193", - "SHA256": "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AsrIbDrv.sys", + "MD5": "5bab40019419a2713298a5c9173e5d30", + "SHA1": 
"2d503a2457a787014a1fdd48a2ece2e6cbe98ea7", + "SHA256": "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a", + "Signature": [ + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "ASROCK Incorporation", + "Company": "RW-Everything", + "Description": "RW-Everything Read & Write Driver", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "RwDrv.sys", "Authentihash": { - "MD5": "fca297e7088250ac73298a7d623e1137", - "SHA1": "d1d6535cd02ff50825941130fe992fcdc91c71cd", - "SHA256": "401ed2d2768707b5c47556774c119f989986a9e2fa88e1e2626f14e22b85e66b" + "MD5": "a2bb232491925c750971c731b5fe0769", + "SHA1": "dd71b95f82ae2c31008da781c4de64d6059c5fca", + "SHA256": "b8d748834fb982fa033cd2671843de727999b21fad30979ac4acc4828910ef8b" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt.sys", - "FileVersion": "1, 60, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 60, 0, 0", - "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2011 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "RwDrv.sys", + "Copyright": "Copyright (C) 2008 RW-Everything", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", - "IoDeleteDevice", "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", "IofCompleteRequest", - "memcpy", - "IoCreateSymbolicLink", - "IoCreateDevice", - "PsCreateSystemThread", - "KeInitializeMutex", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "RtlUnicodeStringToAnsiString", - "ZwQueryDirectoryObject", - "DbgPrint", - "IoFileObjectType", - "swprintf", "IoFreeIrp", - "MmUnmapLockedPages", - "KeSetEvent", - 
"MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - "ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", + "MmUnlockPages", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", "KeBugCheckEx", - "ZwCreateKey", - "ZwQueryValueKey", "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
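Review bot: Several keys change their JSON type on the new side of this hunk: `"CertificatesInfo": ""` replaces `"CertificatesInfo": []` (twice here, and again in the preceding viragt.sys hunk and in the following `@@ -43010` hunk), while `"Signature"` is an array for the rzpnk.sys and AsrIbDrv.sys samples but the empty string `""` for the KApcHelper_x64.sys sample introduced just before this hunk. If the Go structs in pkg/loldrivers declare these fields as slices, `json.Unmarshal` rejects the string form and the whole embedded driver list fails to decode at runtime, so the commit should be accompanied by a decode test against the regenerated file, or the fields should get a custom UnmarshalJSON (or `json.RawMessage`) that tolerates both shapes. The `Resources` arrays in this hunk also carry a leading-space duplicate (`" https://github.com/namazso/physmem_drivers"`) and an empty `""` entry; whatever renders or matches these URLs should trim and drop such values rather than emit them.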
@@ -42996,10 +28545,10 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
- "ValidFrom": "2009-05-21 00:00:00",
- "ValidTo": "2019-05-20 23:59:59",
- "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
+ "ValidFrom": "2006-11-08 00:00:00",
+ "ValidTo": "2021-11-07 23:59:59",
+ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -43010,388 +28559,338 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.",
- "ValidFrom": "2010-01-15 00:00:00",
- "ValidTo": "2013-01-26 23:59:59",
- "Signature": "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",
+ "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation",
+ "ValidFrom": "2011-03-07 00:00:00",
+ "ValidTo": "2014-04-03 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
+ "ValidFrom": "2010-02-08 00:00:00",
+ "ValidTo": "2020-02-07 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "25008956fcdc548a3079b096ef96c928",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA"
+ "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e",
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "Tags": [
+ "AsrIbDrv.sys"
+ ],
+ "yara": true
+ },
+ {
+ "Id": "cce291c8-4534-4362-af45-5f45cd32bd92",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create smep_namco.sys binPath=C:\\windows\\temp\\smep_namco.sys type=kernel && sc.exe start smep_namco.sys",
+ 
"Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "viragt.sys", - "MD5": "3ad7b36a584504b3c70b5f552ba33015", - "SHA1": "d363011d6991219d7f152609164aba63c266b740", - "SHA256": "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148", + "Filename": "smep_namco.sys", + "MD5": "02198692732722681f246c1b33f7a9d9", + "SHA1": "f052dc35b74a1a6246842fbb35eb481577537826", + "SHA256": "7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d", + "Signature": [ + "NAMCO BANDAI Online Inc.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "bec44ba7f52a8c4700876db0c566d696", - "SHA1": "3854d0364d7379bcb7d59311823cadc3e34d1612", - "SHA256": "230fe99d425e870cc03383b195d5a8c0ef3d191baaa4104f6f4cdee4960c48fc" + "MD5": "5673638fc95d46f6b323144472c6e608", + "SHA1": "0f780b7ada5dd8464d9f2cc537d973f5ac804e9c", + "SHA256": "7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt.sys", - "FileVersion": "1, 38, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 38, 0, 0", - "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2011 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", - "IoDeleteDevice", "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", "IofCompleteRequest", - "memcpy", + "MmGetSystemRoutineAddress", "IoCreateSymbolicLink", "IoCreateDevice", - "PsCreateSystemThread", - "KeInitializeMutex", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "RtlUnicodeStringToAnsiString", - "ZwQueryDirectoryObject", - "DbgPrint", - "IoFileObjectType", - "swprintf", - "IoFreeIrp", - "MmUnmapLockedPages", - "KeSetEvent", - "MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", - "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - 
"ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", - "KeBugCheckEx", - "ZwCreateKey", - "ZwQueryValueKey", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KeStallExecutionProcessor" + "IoDeleteDevice" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=JP, ST=Tokyo, L=Shinagawa, O=NAMCO 
BANDAI Online Inc., CN=NAMCO BANDAI Online Inc.", + "ValidFrom": "2012-08-22 06:31:53", + "ValidTo": "2014-10-21 03:05:04", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2010-01-15 00:00:00", - "ValidTo": "2013-01-26 23:59:59", - "Signature": "49acd6daead15fe8d7445a98d9c495f32e30c0bfe703acba889230d0e71911d319656ef50b2116f52fafc0e98010c27d23c59fc85bfd5a20c274a171279702f4c34435fe76b9746a39c64fd401aec55d0e1dedb33f6a8a4a35b3e4438ea30563562e3627df7abd77736982bd73966cd56b223a57e8cb3e709c316aa968eb8f9ef84560f0d68dc6e37ae179cca59e1ca21216cd04ac1f0913dbfb2ea258ebce38b3b329b2b9bd4dce4c6b568bebe1323e4622a0678ee5326540fbf0667684c9936eae2d879bb500e7f5684633e203cf5c9fcffad04ed7c712678d4209f32f280c1bf91b228a1d88a43f2b9cc0f68109b0ee81f935a87bfef1cf309fa7093a9c51", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "25008956fcdc548a3079b096ef96c928", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "1121953cf4f12153ed3974a70d218298b988", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] + } + ], + "Tags": [ + "smep_namco.sys" + ], + "yara": false + }, + { + "Id": "c1ece07b-e92a-4050-95ee-90e03aa82120", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create 
NetProxyDriver.sys binPath=C:\\windows\\temp\\NetProxyDriver.sys type=kernel type=kernel && sc.exe start NetProxyDriver.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "NetProxyDriver.sys",
+ "SHA256": "8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
+ }
+ ],
+ "Tags": [
+ "NetProxyDriver.sys"
+ ],
+ "yara": false
+ },
+ {
+ "Id": "080ff223-f8e0-49c0-a7b5-e97349cf81a0",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create HpPortIox64.sys binPath=C:\\windows\\temp\\HpPortIox64.sys type=kernel && sc.exe start HpPortIox64.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://github.com/elastic/protections-artifacts/search?q=VulnDriver",
+ "https://github.com/elastic/protections-artifacts/search?q=VulnDriver"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5.yara"
 },
 {
- "FileName": "viragt.sys",
- "MD5": 
"08e06b839499cb4b752347399db41b57", - "SHA1": "b53c360b35174bd89f97f681bf7c17f40e519eb6", - "SHA256": "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "HpPortIox64.sys", + "MD5": "a641e3dccba765a10718c9cb0da7879e", + "SHA1": "8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f", + "SHA256": "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5", + "Signature": [ + "HP Inc.", + "DigiCert SHA2 Assured ID Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "HP Inc.", + "Description": "HpPortIo", + "Product": "HpPortIo", + "ProductVersion": "1.2.0.9", + "FileVersion": "1.2.0.9", + "MachineType": "AMD64", + "OriginalFilename": "HpPortIox64.sys", "Authentihash": { - "MD5": "d1d42d44e5fcfd9c0a148b0d85f911d0", - "SHA1": "eb2d192b58a979cdb127fb81049ff19b07dbe45e", - "SHA256": "b59ad4a1f71f8379c89fc3bc1d2827b0785bbb0192b43549034f24a133eea3a5" + "MD5": "986877a0cf596be97155e9469f3c4b40", + "SHA1": "98807d9e11bad4feed54d0d2c1abadeb95ca997c", + "SHA256": "35b31c96194d78cbb98b3223bf810f78f53fc0e4601f49169938ca883586e4e9" }, - "Description": "VirIT Agent System", - "Company": "TG Soft S.a.s.", - "InternalName": "viragt.sys", - "OriginalFilename": "viragt.sys", - "FileVersion": "1, 80, 0, 0", - "Product": "VirIT Agent System", - "ProductVersion": "1, 80, 0, 0", 
- "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2016 - www.tgsoft.it", - "MachineType": "I386", + "InternalName": "HpPortIox64.sys", + "Copyright": "Copyright (C) 2020-2021 HP Inc. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", + "MmGetSystemRoutineAddress", + "RtlUnicodeStringToAnsiString", + "ExAllocatePool", + "ZwClose", + "RtlAppendUnicodeStringToString", "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", + "RtlCopyUnicodeString", "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", + "ExFreePoolWithTag", + "ZwOpenFile", + "DbgPrint", + "RtlEqualUnicodeString", + "ZwCreateFile", + "KeBugCheckEx", + "RtlVolumeDeviceToDosName", + "ExAllocatePoolWithTag", + "DbgPrintEx", + "IoCreateDevice", + "IoCreateSymbolicLink", + "RtlFreeAnsiString", + "IofCompleteRequest", + "RtlFreeUnicodeString", + "RtlInitString", "IoDeleteDevice", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", "strstr", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IofCompleteRequest", - 
"PsCreateSystemThread", - "memcpy", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeInitializeMutex", - "RtlUnicodeStringToAnsiString", - "IoGetDeviceObjectPointer", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "IoFileObjectType", - "swprintf", - "DbgPrint", - "IoFreeIrp", - "MmUnmapLockedPages", - "KeSetEvent", - "MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", + "ObfDereferenceObject", + "IoDeleteSymbolicLink", + "ZwReadFile", + "RtlUTF8ToUnicodeN", + "RtlTimeFieldsToTime", + "RtlCharToInteger", "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - "ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", - "KeBugCheckEx", - "ZwCreateKey", - "ZwQueryValueKey", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KeStallExecutionProcessor" + "RtlAssert", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", - "ValidFrom": "2016-01-20 00:00:00", - "ValidTo": "2019-03-11 23:59:59", - "Signature": "629f1e9a0f9ce5d38b9d6a8dd11af5b17d415d1891039677a3bc1ead43fdf569a403413d461fcfd48f76688244a7a7115e5408682f43319e9526d6dce0fd8ec4a0599331dc94ed2bb68aca4d58e63472587d17cea864ff3cf9ce209f122d904dfafb0db7cab4648b5b903922150f153a527764236b0222d9c1d51ff9631b87fba8b7b079b2ec5839af1be2c721dcebfa5dba429157f785d3a4929c785422ea5d2dacdc68dd1b3ca98c81aba0d7e232fefa7065e861fe51480983ed865dad87663c3a8c505c047ac1b6983917657497403bd7d0df0c71860aa2bec36b1954b1d2dc987e20e71c193f1e59a627c8d6a345b8f7e9b21f0841636672190217727209", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", + "ValidFrom": "2020-05-14 00:00:00", + "ValidTo": "2021-05-19 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0449edef08b987f05203c4e0f2356499", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 
Assured ID Code Signing CA"
 }
 ]
 }
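Review bot: The `Command` string of the new NetProxyDriver entry carries the `type=kernel` argument twice (`... type=kernel type=kernel && ...`); dropping the duplicate token brings it in line with the other entries in this hunk, and a generator-side check that builds each `Command` once from the filename would keep it from recurring. `CertificatesInfo` also moves from `[]` to `""` in every sample here, so a consumer that decodes that field as an array will now fail on the string; it is worth confirming the consuming type accepts the new shape. The `Resources` arrays repeat the same URL twice, once with a leading space (`" https://…"`), so anything that de-duplicates or matches references will see two distinct values, which trimming at generation time would fix. The NetProxyDriver sample has only `Filename`, `SHA256` and an empty `Signature` with no `MD5`, `SHA1`, `Authentihash`, `Imports` or `Signatures`, so those keys must be treated as optional by consumers rather than assumed present.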
@@ -43399,195 +28898,269 @@
 }
 ],
 "Tags": [
- "viragt64.sys"
- ]
+ "HpPortIox64.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "8d3f27bd-c3fd-48d0-913a-e2caa6fbd025",
- "Author": "Nasreddine Bencherchali",
- "Created": "2023-05-06",
+ "Id": "31686f0e-3748-48c2-be09-fc8f3252e780",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": "sc.exe create rtkio64.sys binPath=C:\\windows\\temp\\rtkio64.sys type=kernel && sc.exe start rtkio64.sys",
- "Description": [],
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create FairplayKD.sys binPath=C:\\windows\\temp\\FairplayKD.sys type=kernel && sc.exe start FairplayKD.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
 "Resources": [
- "Internal Research"
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
+ "https://www.unknowncheats.me/forum/anti-cheat-bypass/244386-mta-fairplaykd-driver-reversed-exploited-rpm.html",
+ ""
 ],
 "Acknowledgement": {
- "Person": [],
+ "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "rtkio64.sys", - "MD5": "7aa34cd9ea5649c24a814e292b270b6f", - "SHA1": "b21cba198d721737aabd882ada6c91295a5975ed", - "SHA256": "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761", + "Filename": "FairplayKD.sys", + "MD5": "4e90cd77509738d30d3181a4d0880bfa", + "SHA1": "b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f", + "SHA256": "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5", + "Signature": [ + "Hans Roes", + "Thawte Code Signing CA - G2", + "thawte" + ], + "Date": "", + "Publisher": "", + "Company": "Multi Theft Auto", + "Description": "Multi Theft Auto patch driver", + "Product": "MTA San Andreas", + "ProductVersion": "367.3269.61.64", + "FileVersion": "367.3269.61.64", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "dbcdc8d0f902e064773b158644ee717d", - "SHA1": "7593d46a73ec00e00aef3e9d0031c2b21b74ecfb", - "SHA256": "64d060216cf55210f595609487b708d5e70e0706a8de0827369bf58898205f34" + "MD5": "5fb82230ba512d33a6e3090985a29e49", + "SHA1": "0eaa4cf7d1944f6259dd9941209dec15a4029c4a", + "SHA256": "66d59e646f3965bc5225eca4285ae65f34b8681fb1bee3eaf440f6795b2fa70f" }, - "Description": "Realtek IO Driver", - "Company": "Realtek ", - "InternalName": "rtkio64.sys ", - "OriginalFilename": "rtkio64.sys ", - "FileVersion": "1.006.0118.2017 built by: WinDDK", - "Product": "Realtek IO Driver ", - "ProductVersion": "1.006.0118.2017", - "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. 
", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "(C) 2003 - 2017 Multi Theft Auto", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapLockedPages", - "ExUnregisterCallback", - "ExAllocatePoolWithTag", - "IoWMIRegistrationControl", - "KeQueryActiveProcessors", - "IoDeleteSymbolicLink", + "PsProcessType", + "RtlAnsiStringToUnicodeString", + "KeUnstackDetachProcess", + "ObReferenceObjectByHandle", + "KeStackAttachProcess", + "RtlInitUnicodeString", + "PsThreadType", + "PsGetThreadProcessId", + "MmGetSystemRoutineAddress", + "_vsnwprintf", + "RtlCompareUnicodeString", + "RtlCompareMemory", + "RtlCopyUnicodeString", + "RtlGetVersion", + "MmUnmapLockedPages", + "ExAllocatePoolWithTag", + "ProbeForRead", + "ExRaiseStatus", "ExFreePoolWithTag", - "IoWMIWriteEvent", - "IoRegisterShutdownNotification", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", + "ProbeForWrite", + "MmHighestUserAddress", "MmMapLockedPagesSpecifyCache", - "ZwQueryValueKey", - "IofCompleteRequest", - "ExRegisterCallback", - "RtlCompareMemory", - "IoCreateSymbolicLink", - "KeSetSystemAffinityThread", + "IoGetCurrentProcess", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmIsAddressValid", "ObfDereferenceObject", - "IoCreateDevice", - "ExCreateCallback", - "IoAllocateMdl", - "ZwOpenKey", "KeBugCheckEx", - "IoFreeMdl", - "_vsnprintf", - "__C_specific_handler", - "KeStallExecutionProcessor" + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": 
"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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2016-06-13 00:00:00", - "ValidTo": "2019-01-24 12:00:00", - "Signature": "9616a10e728762896fad0b74d574eb1775ae3bd1b12dc07441d668ec373ffb2ed5590d43f821b8d440c8e11338272d0cd1bc0ea5c05a428538c0ba1195e800c51e81db998174bdbe25be284a2c367d3578cf801524bd9f18b9098f4ee79f45a0e9af74894b828523f0b2c1c6837bc572da3be7f769e8df8749f26fd05087cc4b09fedac11c037e3690441286f8c52c09f18c7c179138f4844a8d99d8f9e7dec178ead089e12a05469c046a3c85b43d038811f02c6803128bf9bc1b757a2bb72d3ad61f670d3ae856ade0165f9dff89c36592b5295ead0718458c19c2f21781cd1ef0685049ebddd88806cd17e6eab078e2f0a505845ee5d9fca6904260ef8a1a", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + 
"ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=BE, ST=Antwerpen, L=Kasterlee, O=No Organization Affiliation, OU=Individual Developer, CN=Hans Roes", + "ValidFrom": "2016-07-06 00:00:00", + "ValidTo": "2018-07-06 23:59:59", + "Signature": "8e7c473dcbc241b3f17748f8144534fd278052b0ce46a6f86849323c04ad1d558a109d51583480f1e9db3a010800c6d930db6f9daad6c80caec40fef353b9c5b6bd7a438c5d5c3c9736d44e98d2ae6eb4aa202aa1af72439d60cab335a5027d1b3203df74c811eaf51aa5bfad4517dee3fd410450fdc4b9c3a8a8f0861a2a39202d8981e2a9bf98b31304fbb05ca33baf0c8140084f26c545ef24b0f1d9572354f552379f7cedd37344f720baaff27b61dfafdfd541b35027402ed88852853d8925eb2b3418ff3f0e6169ed7571d6416ec3f6815b23774be20d80d811f094f82c5a7c909a74c7f187d63780a0738d7f86629adca71c05d31b27f6e217724174e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0320be3eb866526927f999b97b04346e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "371fc099cdb143347b4424e9dc1f3b30", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] + } + ], + "Tags": [ + "FairplayKD.sys" + ], + "yara": true + }, + { + "Id": "e4609b54-cb25-4433-a75a-7a17f43cec00", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create HwRwDrv.sys binPath=C:\\windows\\temp\\HwRwDrv.sys type=kernel && sc.exe start HwRwDrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21.yara" }, { - "FileName": "rtkio.sys", - "MD5": "ffd0c87d9bf894af26823fbde94c71b6", - "SHA1": "eacfc73f5f45f229867ee8b2eb1f9649b5dd422e", - "SHA256": "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "HwRwDrv.sys", + "MD5": "dbc415304403be25ac83047c170b0ec2", + "SHA1": "2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b", + "SHA256": "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21", + "Signature": [ + "Shuttle Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "Shuttle Inc.", + "Company": "Windows® winows 7 driver kits provider", + "Description": "Hardware read & write driver", + "Product": "Hardware read & write driver", + "ProductVersion": "1.0.5.0", + "FileVersion": "1.0.5.0", + "MachineType": "AMD64", + "OriginalFilename": "HwRwDrv.sys", "Authentihash": { - "MD5": "d543d754cbb1d404d62b6c574a1aa3cd", - "SHA1": "daca8d39b72bbe8a5b6d5fa35bbb4ecef198a359", - "SHA256": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b" + "MD5": "62d9c8a109afc08e2858d98df9776850", + "SHA1": "7beb26c59b8d1b9540c6fae7c05c2b1cc2537e54", + "SHA256": "d852810a7319e3249077a1b9f1317f6f4157a19bb99b90063d118c30c2c84ac2" }, - "Description": "Realtek IODriver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "rtkio.sys", - "OriginalFilename": "rtkio.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "I386", + "InternalName": "HwRwDrv.sys", + "Copyright": "Copyright© Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetSystemAffinityThread", - "KeQueryActiveProcessors", - "ExAllocatePool", - "DbgPrint", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", + "MmUnmapIoSpace", "MmMapIoSpace", - "IoCreateSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", "IoCreateDevice", - "KeTickCount", - "IoFreeMdl", - "MmUnmapIoSpace", - "ExFreePoolWithTag", + "KeBugCheckEx", "RtlInitUnicodeString", + "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "MmBuildMdlForNonPagedPool", - "IofCompleteRequest", - "RtlUnwind", - "KeBugCheckEx", - "WRITE_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "READ_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT" + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -43605,116 +29178,134 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Shuttle Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shuttle Inc.", + "ValidFrom": "2012-03-08 00:00:00", + "ValidTo": "2013-03-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RTCN, CN=Realtek Semiconductor Corp", - "ValidFrom": "2010-07-21 00:00:00", - "ValidTo": "2013-06-11 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2c80892e0115b0b77aa3594b9a733953", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "160cb9192dc4e0fde5cbaf859feae671", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "HwRwDrv.sys" + ], + "yara": true + }, + { + "Id": "afed9dff-245e-4875-a156-3c5584beed03", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create directio64.sys binPath=C:\\windows\\temp\\directio64.sys type=kernel && sc.exe start directio64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + 
"Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "rtkiow10x64.sys", - "MD5": "96a8b535b5e14b582ca5679a3e2a5946", - "SHA1": "f6b3577ea4b1a5641ae3421151a26268434c3db8", - "SHA256": "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89", + "FileName": "directio64.sys", + "MD5": "537e2c3020b1d48b125da593e66508ec", + "SHA1": "e702221d059b86d49ed11395adffa82ef32a1bce", + "SHA256": "092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0", "Authentihash": { - "MD5": "02f3eb42f514eb2652d6097e36874a1c", - "SHA1": "3c5cc137458500a4a7a0be5860a02a00df92e2d8", - "SHA256": "8944a3f50f38d92d17b8cfe2e08201a79ea30f38812d18f28036e59789d3f58c" + "MD5": "e9ded101dac8161f1c3625da578d390d", + "SHA1": "e8f7e20061f9cc20583dcab3b16054d106b8aa83", + "SHA256": "b8bf3bd441ebc5814c5d39d053fdcb263e8e58476cbdee4b1226903305f547b6" }, - "Description": "Realtek IO Driver", - "Company": "Realtek ", - "InternalName": "rtkiow10x64.sys ", - "OriginalFilename": "rtkiow10x64.sys ", - "FileVersion": "1.009.0709.2020", - "Product": "Realtek IO Driver ", - "ProductVersion": "1.009.0709.2020", - "Copyright": "Copyright (C) 2020 Realtek Semiconductor Corporation. All Right Reserved. 
", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KfRaiseIrql", - "MmUnmapIoSpace", - "MmMapIoSpaceEx", - "RtlInitUnicodeString", - "MmGetSystemRoutineAddress", - "KeSetSystemAffinityThreadEx", - "KeQueryActiveProcessors", "ExAllocatePoolWithTag", + "IoWriteErrorLogEntry", + "IoBuildDeviceIoControlRequest", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "ExCreateCallback", - "ExRegisterCallback", - "ExUnregisterCallback", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "KeLowerIrql", - "IoAllocateMdl", + "NtBuildNumber", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "RtlIntegerToUnicodeString", + "IoDeleteDevice", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "IoAllocateErrorLogEntry", + "ZwCreateFile", + "wcsrchr", + "IoGetDeviceObjectPointer", + "ZwQueryValueKey", + "ZwUnmapViewOfSection", + "_snwprintf_s", + "ZwClose", + "RtlAppendUnicodeStringToString", "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlWriteRegistryValue", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoRegisterShutdownNotification", - "IoUnregisterShutdownNotification", - "IoWMIRegistrationControl", "ObfDereferenceObject", - "ZwClose", - "ZwOpenKey", - "ZwQueryValueKey", - "__C_specific_handler", - "ZwCreateKey", - "MmUnmapLockedPages", - "_vsnprintf", - "ZwSetSecurityObject", - "IoDeviceObjectType", "IoCreateDevice", - "ObOpenObjectByPointer", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - 
"RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor" + "RtlAssert", + "MmGetPhysicalMemoryRanges", + "ZwWriteFile", + "wcscpy_s", + "ZwOpenSection", + "DbgPrintEx", + "ObReferenceObjectByPointer", + "PsGetProcessId", + "DbgPrint", + "IofCallDriver", + "ZwOpenKey", + "KeQueryActiveProcessors", + "KeLeaveCriticalRegion", + "MmGetSystemRoutineAddress", + "KdSystemDebugControl", + "KeEnterCriticalRegion", + "KdDebuggerEnabled", + "KeBugCheckEx" ], "Signatures": [ { 
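Review bot: The new `afed9dff-245e-4875-a156-3c5584beed03` (directio64.sys) entry at the end of this hunk does not share the shape of its neighbours: `"Commands"` is a bare string here but an object with `Command`/`Description`/`Usecase`/`Privileges`/`OperatingSystem` in the preceding `e4609b54` (HwRwDrv.sys) entry, `"Description"` and `"Acknowledgement"."Person"` are `[]` where every other entry uses `""`, and its sample uses the key `"FileName"` while the HwRwDrv sample uses `"Filename"`. A loader that unmarshals this file into a fixed struct will either reject the whole document on the type mismatch or silently yield an empty entry for this driver, and for a block-list the silent case is the worse one because the hashes for a known vulnerable driver simply never get matched. The same per-key type flip exists for `"CertificatesInfo"`, which is `""` in this hunk and `[]` in the hunk headed `@@ -43845,133 +29467,107 @@`. If the upstream export cannot be normalised before it is vendored, the consumer should accept both forms for these keys (e.g. a string-or-object decoder for `Commands`) and fail loudly when a `KnownVulnerableSamples` element yields no usable hash; a load-time assertion on the number of parsed samples would catch a regression like this immediately.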
@@ -43722,96 +29313,120 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=HSINCHU, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2020-01-09 00:00:00", - "ValidTo": "2020-09-15 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": 
"b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "04df4d56733ae38d598ea004dd2d9c51", - "Issuer": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "rtkio.sys", - "MD5": "664ad9cf500916c94fc2c0020660ac4e", - "SHA1": "444f96d8943aec21d26f665203f3fb80b9a2a260", - "SHA256": "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab", + "FileName": "DirectIo64.sys", + "MD5": "8fbb1ffc6f13f9d5ee8480b36baffc52", + "SHA1": "3c9c86c0b215ecbab0eeb4479c204dba65258b8e", + "SHA256": "0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135", "Authentihash": { - "MD5": "2131039a2273befb71bfd7aedf9196b1", - "SHA1": "df5d3b52f987c4b48c6d164d8266e57c86a4a2d7", - "SHA256": "1044ea40d459fe4c619a44afe53e6ff5a9cc5a37cf568d974ae23ed62da58759" + "MD5": "fc4afd4ae9e72a9f117067d3b76be36c", + "SHA1": "b74246c8cb77b0364b7cece38bff5f462eec983c", + "SHA256": "40e624bf557b51775af1ca17062c4eca3693322e250b257aec7dc579e626ef07" }, - "Description": "Realtek IODriver", - "Company": "Windows (R) Codename Longhorn DDK provider", - "InternalName": "rtkio.sys", - "OriginalFilename": "rtkio.sys", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetSystemAffinityThread", - "IoCreateDevice", - "DbgPrint", - "IoAllocateMdl", - "MmUnmapLockedPages", - "KeQueryActiveProcessors", + "ExAllocatePoolWithTag", + "IoWriteErrorLogEntry", + "IoBuildDeviceIoControlRequest", "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "ExAllocatePool", - "MmMapIoSpace", - "KeBugCheckEx", + "NtBuildNumber", + "ZwMapViewOfSection", "RtlInitUnicodeString", + "RtlIntegerToUnicodeString", + "IoDeleteDevice", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "IoAllocateErrorLogEntry", + "ZwCreateFile", + "wcsrchr", + "IoGetDeviceObjectPointer", + "ZwQueryValueKey", + "ZwUnmapViewOfSection", + "_vsnwprintf", + "ZwClose", + "RtlAppendUnicodeStringToString", "IofCompleteRequest", - "__C_specific_handler", - "KeStallExecutionProcessor" + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlWriteRegistryValue", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "IoCreateDevice", + "RtlAssert", + "MmGetPhysicalMemoryRanges", + "ZwWriteFile", + "ZwOpenSection", + "DbgPrintEx", + "ObReferenceObjectByPointer", + "PsGetProcessId", + "DbgPrint", + "IofCallDriver", + "ZwOpenKey", + "KeQueryActiveProcessors", + "KeLeaveCriticalRegion", + "MmGetSystemRoutineAddress", + "KdSystemDebugControl", + "KeEnterCriticalRegion", + "KdDebuggerEnabled", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -43832,6 +29447,13 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", "ValidFrom": "2009-05-21 00:00:00", 
@@ -43845,133 +29467,107 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RTCN, CN=Realtek Semiconductor Corp", - "ValidFrom": "2010-07-21 00:00:00", - "ValidTo": "2013-06-11 23:59:59", - "Signature": "6944295349cb2f0345a03f4b1be1351f4c361e68dd81dca590ebe4ac5f6e558fbb8b4d658e95ec5fddb5b31fdd4f98c0ca087af7c9b5bda8bf5eb3df56bc645e9402861e569a0f925220fada5ee8000893ace40b2b8b4cf598b2725ecfad20e4bcca8e10246474e8b7df6364ad38a7e2c125930afb624fc0a1431c87e2cb04c63ee62ebe12973baa5fc658ad644787d9802fa7eb5f892acd43155fbfa36e825842ad1799fc4543fc8a3fc0f7e110812faf9cc5846e93ddce7c5cb1670bdf62c648ce43c197d3d6825ca73f6e06eb51c725ee2339c6dbda33588a9970c3fdefe315152dc5a73ff855aba8129a1abc3c2654455deddca9b328bbff973266f5cd91", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2c80892e0115b0b77aa3594b9a733953", + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "rtkio64.sys" - ] - }, - { - "Id": "d55a5955-6220-4f38-ba7d-91339330fe98", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create nvflash.sys binPath=C:\\windows\\temp \\n \\n \\n vflash.sys type=kernel && sc.exe start nvflash.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": 
{ - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "nvflash.sys", - "MD5": "84fb76ee319073e77fb364bbbbff5461", - "SHA1": "a4b2c56c12799855162ca3b004b4b2078c6ecf77", - "SHA256": "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508", - "Signature": [ - "NVIDIA Corporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "NVIDIA Corporation", - "Description": "NVIDIA Flash Driver, Version 1.8.0", - "Product": "NVIDIA Flash Driver", - "ProductVersion": "1.8.0", - "FileVersion": "1.8.0", - "MachineType": "AMD64", - "OriginalFilename": "nvflash.sys", + "FileName": "DirectIo64.sys", + "MD5": "76d1d4d285f74059f32b8ad19a146d0c", + "SHA1": "3f338ab65bac9550b8749bb1208edb0f7d7bcb81", + "SHA256": "4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8", "Authentihash": { - "MD5": "aa2051841a882c7080ddf6b224f838da", - "SHA1": "ee9073dedb3f05797de41f79be5cc2e5e5028b61", - "SHA256": "1c8cb72b9a011b60b1b9caea508b26fbbd95a1e3634af66082417381fe6544fb" + "MD5": "333bdf3d4b1fcc9038db0cacb89b9bab", + "SHA1": "8b86e08d610bcc9ab7b7750f036dbb568f733be0", + "SHA256": "841f965977f33d621d126412032c47dd6118251623c380e5572f7553b620b0e1" }, - "InternalName": "nvflash", - "Copyright": "(C) 2017 NVIDIA Corporation. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", + "IoWriteErrorLogEntry", + "IoBuildDeviceIoControlRequest", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ExAllocatePool", - "ZwClose", - "ZwOpenSection", + "ExFreePoolWithTag", + "NtBuildNumber", + "IoBuildSynchronousFsdRequest", "ZwMapViewOfSection", + "RtlInitUnicodeString", + "RtlIntegerToUnicodeString", + "IoDeleteDevice", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "IoAllocateErrorLogEntry", + "IoDriverObjectType", + "ZwCreateFile", + "wcsrchr", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwQueryValueKey", "ZwUnmapViewOfSection", - "KeBugCheckEx", + "_vsnwprintf", + "MmMapIoSpace", + "ZwClose", + "RtlAppendUnicodeStringToString", + "ExAllocatePoolWithTag", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlWriteRegistryValue", + "IoGetAttachedDeviceReference", + "IoCreateSymbolicLink", "ObfDereferenceObject", - "RtlInitUnicodeString", - "MmGetSystemRoutineAddress", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "ObReferenceObjectByName", "IoCreateDevice", - "ZwSetSecurityObject", - "RtlGetOwnerSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "_snwprintf", - "RtlCreateSecurityDescriptor", - "RtlLengthSid", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlSetDaclSecurityDescriptor", - "_wcsnicmp", - 
"ExAllocatePoolWithTag", - "wcschr", + "RtlAssert", + "IoEnumerateDeviceObjectList", + "MmGetPhysicalMemoryRanges", + "ZwWriteFile", + "IoGetDeviceProperty", + "ZwOpenSection", + "DbgPrintEx", + "ObReferenceObjectByPointer", + "PsGetProcessId", + "DbgPrint", + "IoAllocateMdl", + "IofCallDriver", "ZwOpenKey", - "ZwQueryValueKey", - "RtlFreeUnicodeString", - "ZwSetValueKey", - "ZwCreateKey", - "ExAllocatePoolWithQuotaTag", - "ZwQuerySystemInformation", - "HalTranslateBusAddress" + "KeQueryActiveProcessors", + "KeLeaveCriticalRegion", + "MmGetSystemRoutineAddress", + "KdSystemDebugControl", + "KeEnterCriticalRegion", + "KdDebuggerEnabled", + "KeBugCheckEx", + "IofCompleteRequest", + "MmUnmapLockedPages", + "__C_specific_handler", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -43982,502 +29578,413 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2013-01-14 00:00:00", + "ValidTo": "2015-01-14 23:59:59", + "Signature": "962575976d67babaeead5b02f75eb90413510ab88431e41e557b88607fdb1788cc2a92e9314ec15ad64a575e59ad1d56b393600e9821e2ba7e50a4e8c7a8bbac03da75a6aa19c5ea5a74e541a0ee96928771368dce74948facce20e2fde3165fb5f5a5aa1c7f1809fca417d1179e7f4f46ade45c1c9f1b9696337719ca36dc304a0df468908064e37f878eeddc42a4b417652d563615134bc7f52927f8f96717b63631df61403dbad145e56ad07a466c911fca193cbe2e013925287326bf7c4870c0a7564be57688769c742685822b853bcc7ef4d53e322ac619c85a90693ecf40674cd9286cdac7da899b50a13c69433cbc298e176d7dbecf178fffd66a79f3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=IT,MIS, CN=NVIDIA Corporation", - "ValidFrom": "2018-07-09 00:00:00", - "ValidTo": "2019-07-10 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4fbe0a02426ebd20c26244b5eca652a3", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "nvflash.sys" - ] - }, - { - "Id": "1d4f7a3a-786b-4a74-b34f-14d44343de9e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create nt4.sys binPath=C:\\windows\\temp \\n \\n \\n t4.sys type=kernel && sc.exe start nt4.sys", - "Description": "", - "Usecase": "Elevate 
privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "nt4.sys", - "SHA256": "d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", + "FileName": "DirectIo64.sys", + "MD5": "f41eea88057d3dd1a56027c4174eed22", + "SHA1": "13572d36428ef32cfed3af7a8bb011ee756302b0", + "SHA256": "72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1", + "Authentihash": { + "MD5": "598c5fa89cbf0dbcdf6b252cac71aecd", + "SHA1": "02a7e085631ecfe031b76afa883a266c850ed61b", + "SHA256": "fb5e65aec819c5a91ef0ce0fec0a957826b5e1ac9bac559a1b4201a3870462a3" + }, "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", "Product": "", "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "nt4.sys" - ] - }, - { - "Id": "6a50e368-1120-434b-9232-1a0702c80437", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrDrv106.sys binPath=C:\\windows\\temp\\AsrDrv106.sys type=kernel && sc.exe start AsrDrv106.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": 
{ - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsrDrv106.sys", - "MD5": "12908c285b9d68ee1f39186110df0f1e", - "SHA1": "b0032b8d8e6f4bd19a31619ce38d8e010f29a816", - "SHA256": "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838", - "Signature": [ - "ASROCK INC.", - "GlobalSign GCC R45 EV CodeSigning CA 2020", - "GlobalSign Code Signing Root R45", - "GlobalSign", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", + "Copyright": "", "MachineType": "AMD64", - "OriginalFilename": "AsrDrv.sys", - "Authentihash": { - "MD5": "f67b148a13ad3caa51c3c2ef142791ea", - "SHA1": "f621633290173daac18bb14ca3f52bc027cd2721", - "SHA256": "ac7b3c3b74e6e282c7f50c17a6213b81b181f779cd7c0c78e3cb426c427a98db" - }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "cng.sys" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IoWriteErrorLogEntry", + "IoBuildDeviceIoControlRequest", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "NtBuildNumber", + "IoBuildSynchronousFsdRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "RtlIntegerToUnicodeString", + "IoDeleteDevice", + "RtlAppendUnicodeToString", + "KeInitializeEvent", "RtlQueryRegistryValues", "MmUnmapIoSpace", + "MmBuildMdlForNonPagedPool", "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", + "IoAllocateErrorLogEntry", + "IoDriverObjectType", + "ZwCreateFile", + "wcsrchr", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwQueryValueKey", + "ZwUnmapViewOfSection", + "_vsnwprintf", "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", + "ZwClose", + 
"RtlAppendUnicodeStringToString", + "ExAllocatePoolWithTag", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlWriteRegistryValue", + "IoGetAttachedDeviceReference", "IoCreateSymbolicLink", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "IoDeleteDevice", - "MmGetSystemRoutineAddress", + "ObfDereferenceObject", + "ObReferenceObjectByName", "IoCreateDevice", - "ZwClose", - "ObOpenObjectByPointer", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "RtlAssert", + "IoEnumerateDeviceObjectList", + "MmGetPhysicalMemoryRanges", + "ZwWriteFile", + "IoGetDeviceProperty", + "ZwOpenSection", + "DbgPrintEx", + "ObReferenceObjectByPointer", + "PsGetProcessId", + "DbgPrint", + "IoAllocateMdl", + "IofCallDriver", "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlInitUnicodeString", - "MmFreeContiguousMemorySpecifyCache", - "ExFreePoolWithTag", - "IoDeleteSymbolicLink", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor", - "BCryptCloseAlgorithmProvider", - "BCryptGenerateSymmetricKey", - "BCryptOpenAlgorithmProvider", - "BCryptDecrypt", - "BCryptDestroyKey" + "KeQueryActiveProcessors", + "KeLeaveCriticalRegion", + "MmGetSystemRoutineAddress", + "KdSystemDebugControl", + "KeEnterCriticalRegion", + "KdDebuggerEnabled", + "KeBugCheckEx", + "IofCompleteRequest", + "MmUnmapLockedPages", + "__C_specific_handler", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
- "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2018-09-19 00:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2013-01-14 00:00:00", + "ValidTo": "2015-01-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Code Signing Root R45", - "ValidFrom": "2020-07-28 00:00:00", - "ValidTo": "2029-03-18 00:00:00", - "Signature": 
"acf7cc158b3079a81d0b28881909d71c7ffe86bd7b5a336e0d670e7b62d9e1185cb0bd135d1d23ae39507637aa44fd5f01235986564cccadbc64131430a420a8e03fe89c72dc7ef3d80c23baa82daa3cf6ec9f87310765f539a7518275e1f22f97f6d1e165968364fea11d51fbb5249bf5d27769bc852c5cfa5877d1aea7b10be2d677bba9b4344aa96f3df4f30d955de6f97a45b02517312edbf70f68e6831fa9f7e5d49d988cd3614b2fc3287e7ade930eb47da00a6d92c4b4663f7da758eeacf7ecc30801ab38fc0a1ca9c597b288c8090219f65c9a1af14d6c30d4b306ab0060480d78abcf17ad9293622077756cbdc832b4dc4debd9dfc1909629bdc17f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020", - "ValidFrom": "2020-07-28 00:00:00", - "ValidTo": "2030-07-28 00:00:00", - "Signature": 
"2575a009c939bab7a139892f189fabd6eb1d4be8947c0d07689b1c9def71b6176a6b024fb33f864587cc659b4ce35806022266d56102c5638fd4a2f1b65e250b7796e9cd7140338829eceef3a26dbc4db53e064bc97333ca08142d3d4ce8b0ba75a6742da4583a6c1349f8a5150a149685b16a68342542af9656f410fa247df12b72c116e16bebe6a998c73e5af4d0189dfd74978677462a3d237d28738aaeef2b1b9abf6c53a7149e3c8771c05e8ec8fbd32a9233ea574d5e075ecac118ac812d1a21fa6ecf97617bdf717a3aca63f7d530443732febb4385dcbafca6ca33192b776ddbcb05f07e5f752ea2b6bf35aa3663c9ce64d9bdfcbc2cf3495600c8122bc627bb37af57efc4cf1e29c4f4e22dce2a61cf57edf50a40e2f518d61ee9902fcad3875f938a481a111de537859f2e66629a5e814e95ac555743dc538b257e3c610f8a0bbaf53fa6d78ef704565e21bb9fd76a7180bf96de7203d8d8222bf327164f38e851400cae92efbe3d7df780c64c36578495a7841548300e5227088d8ea2bd22c719c9a6ca0ea87a36db6aba615f112495a4e28e68ee19a949995ed0b434bdd6f940c710973152393529118724d3c4fba963cb7748d5fa62fc24e0047a4ed0e46edece9e385026f4217165d70925d4c907007ab8c7f377e8c5d4e255d0d31ef67f52e2498db911720c88442633660144dfe4330e21de62894807daf5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, serialNumber=80333613, ??=TW, C=TW, ST=Taipei, L=Taipei, ??=2F., No. 37, Sec. 2, Zhongyang S. 
Rd., Beitou Dist., O=ASROCK INC., CN=ASROCK INC.", - "ValidFrom": "2021-09-17 08:05:26", - "ValidTo": "2024-09-17 08:05:26", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3be24b96d2c8d729eddb03e3", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020" - } - ] - } - ] - } - ], - "Tags": [ - "AsrDrv106.sys" - ] - }, - { - "Id": "8c2fa9d1-b2b1-4ba1-bad9-60c44c2c20eb", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create t8.sys binPath=C:\\windows\\temp\\t8.sys type=kernel && sc.exe start t8.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + } + ] + } + ] + }, { - "Filename": "t8.sys", - "SHA256": "258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", + 
"FileName": "DirectIo64.sys", + "MD5": "c4f5619ce04d4bee38024d08513c77fd", + "SHA1": "4c6ec22bc10947d089167b19d83a26bdd69f0dd1", + "SHA256": "79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463", + "Authentihash": { + "MD5": "060c97a44e53086add25404d8694d094", + "SHA1": "66941573dafd7259cba113c0fa9eaccd347355fd", + "SHA256": "a520ff5c754a1fb62ba88399a313d0c0fb99145ba2d3d91dbf4282388b77fa84" + }, "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "t8.sys" - ] - }, - { - "Id": "2e1531b2-d370-4543-9e2e-5319a1c13c22", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create daxin_blank2.sys binPath=C:\\windows\\temp\\daxin_blank2.sys type=kernel && sc.exe start daxin_blank2.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "daxin_blank2.sys", - "MD5": "1cd158a64f3d886357535382a6fdad75", - "SHA1": "a48aa80942fc8e0699f518de4fd6512e341d4196", - "SHA256": "5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a", - "Signature": "A certificate was explicitly revoked by its issuer.", - "Date": "4:05 AM 2/6/2021", - "Publisher": "Fuqing Yuntan Network Tech Co.,Ltd.", "Company": "", - "Description": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", "Product": "", "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": 
"9853eedacdfe3384f34b8eaa771f4f70", - "SHA1": "d7254e751cd3a49176a547a5bb70f8a0662d8d28", - "SHA256": "4b10f4f03eaa545d2fdb3b88890917a6fa24142689d3c43a7c39fc5bed5725bf" - }, - "InternalName": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS", - "ntoskrnl.exe", - "hal.dll" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "vsprintf", - "NdisMSendNetBufferListsComplete", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", + "IoWriteErrorLogEntry", + "IoBuildDeviceIoControlRequest", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "NtBuildNumber", + "IoBuildSynchronousFsdRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "RtlIntegerToUnicodeString", + "IoDeleteDevice", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "MmBuildMdlForNonPagedPool", "IoFreeMdl", - "ExAllocatePool", - "ExFreePool", - "NtQuerySystemInformation", - "HalMakeBeep" + "IoAllocateErrorLogEntry", + "IoDriverObjectType", + "ZwCreateFile", + "wcsrchr", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwQueryValueKey", + "ZwUnmapViewOfSection", + "_vsnwprintf", + "MmMapIoSpace", + "ZwClose", + "RtlAppendUnicodeStringToString", + "ExAllocatePoolWithTag", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlWriteRegistryValue", + "IoGetAttachedDeviceReference", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "ObReferenceObjectByName", + "IoCreateDevice", + "RtlAssert", + "IoEnumerateDeviceObjectList", + "MmGetPhysicalMemoryRanges", + "ZwWriteFile", + "IoGetDeviceProperty", + "ZwOpenSection", + "DbgPrintEx", + "ObReferenceObjectByPointer", + "PsGetProcessId", + "DbgPrint", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeQueryActiveProcessors", + "KeLeaveCriticalRegion", + "MmGetSystemRoutineAddress", + "KdSystemDebugControl", + "KeEnterCriticalRegion", + "KdDebuggerEnabled", + "KeBugCheckEx", + 
"IofCompleteRequest", + "MmUnmapLockedPages", + "__C_specific_handler", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Fuzhou, L=Fuqing, O=Fuqing Yuntan Network Tech Co.,Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Fuqing Yuntan Network Tech Co.,Ltd.", - "ValidFrom": "2013-04-09 00:00:00", - "ValidTo": "2014-04-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2013-01-14 00:00:00", + "ValidTo": "2015-01-14 23:59:59", + "Signature": "962575976d67babaeead5b02f75eb90413510ab88431e41e557b88607fdb1788cc2a92e9314ec15ad64a575e59ad1d56b393600e9821e2ba7e50a4e8c7a8bbac03da75a6aa19c5ea5a74e541a0ee96928771368dce74948facce20e2fde3165fb5f5a5aa1c7f1809fca417d1179e7f4f46ade45c1c9f1b9696337719ca36dc304a0df468908064e37f878eeddc42a4b417652d563615134bc7f52927f8f96717b63631df61403dbad145e56ad07a466c911fca193cbe2e013925287326bf7c4870c0a7564be57688769c742685822b853bcc7ef4d53e322ac619c85a90693ecf40674cd9286cdac7da899b50a13c69433cbc298e176d7dbecf178fffd66a79f3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", "ValidFrom": "2010-02-08 00:00:00", "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "516ceb03f17e10c24b45ffb6336e5915", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "daxin_blank2.sys" - ] - }, - { - "Id": "31686f0e-3748-48c2-be09-fc8f3252e780", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create FairplayKD.sys binPath=C:\\windows\\temp\\FairplayKD.sys type=kernel && sc.exe start FairplayKD.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/244386-mta-fairplaykd-driver-reversed-exploited-rpm.html", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "FairplayKD.sys", - "MD5": "4e90cd77509738d30d3181a4d0880bfa", - "SHA1": "b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f", - "SHA256": "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5", - "Signature": [ - "Hans Roes", - "Thawte Code Signing CA - G2", - "thawte" - ], - "Date": "", - "Publisher": "", - "Company": "Multi Theft Auto", - "Description": "Multi Theft Auto patch driver", - "Product": "MTA San Andreas", - "ProductVersion": "367.3269.61.64", - "FileVersion": "367.3269.61.64", - 
"MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "DirectIo64.sys", + "MD5": "5093f38d597532d59d4df9018056f0d1", + "SHA1": "0904b8fa4654197eefd6380c81bbb2149ffe0634", + "SHA256": "8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587", "Authentihash": { - "MD5": "5fb82230ba512d33a6e3090985a29e49", - "SHA1": "0eaa4cf7d1944f6259dd9941209dec15a4029c4a", - "SHA256": "66d59e646f3965bc5225eca4285ae65f34b8681fb1bee3eaf440f6795b2fa70f" + "MD5": "5789f4f652c129f3cfa28290ffad8672", + "SHA1": "706686f2a1ef4738a1856d01ab10eb730fc7b327", + "SHA256": "9996b31234ba736fc2c6f2b75f641e25d156f19d6ac84cf85283fde08a714842" }, + "Description": "", + "Company": "", "InternalName": "", - "Copyright": "(C) 2003 - 2017 Multi Theft Auto", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsProcessType", - "RtlAnsiStringToUnicodeString", - "KeUnstackDetachProcess", - "ObReferenceObjectByHandle", - "KeStackAttachProcess", "RtlInitUnicodeString", - "PsThreadType", - "PsGetThreadProcessId", + "RtlQueryRegistryValues", "MmGetSystemRoutineAddress", - "_vsnwprintf", - "RtlCompareUnicodeString", - "RtlCompareMemory", - "RtlCopyUnicodeString", + "RtlWriteRegistryValue", + "RtlAppendUnicodeStringToString", + "RtlAppendUnicodeToString", + "DbgPrintEx", "RtlGetVersion", - "MmUnmapLockedPages", + "KeInitializeEvent", + "KeWaitForSingleObject", "ExAllocatePoolWithTag", - "ProbeForRead", - "ExRaiseStatus", + "ExAllocatePoolWithQuotaTag", "ExFreePoolWithTag", - "ProbeForWrite", - "MmHighestUserAddress", + "MmBuildMdlForNonPagedPool", "MmMapLockedPagesSpecifyCache", - "IoGetCurrentProcess", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmIsAddressValid", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoAllocateErrorLogEntry", + "IoAllocateMdl", + 
"IoBuildDeviceIoControlRequest", + "IoBuildSynchronousFsdRequest", + "IofCallDriver", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetAttachedDeviceReference", + "IoGetDeviceObjectPointer", + "IoWriteErrorLogEntry", + "RtlIntegerToUnicodeString", + "ObReferenceObjectByHandle", + "ObReferenceObjectByPointer", "ObfDereferenceObject", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenKey", + "ZwQueryValueKey", + "MmGetPhysicalMemoryRanges", + "PsGetProcessId", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "IoEnumerateDeviceObjectList", + "ObQueryNameString", + "_vsnwprintf", + "ObReferenceObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsInitialSystemProcess", + "NtBuildNumber", + "IoDriverObjectType", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KdSystemDebugControl", + "KdDebuggerEnabled", + "KeQueryActiveProcessors", "KeBugCheckEx", - "PsGetVersion", - "ExAllocatePoolWithQuotaTag", - "ZwQuerySystemInformation", - "__C_specific_handler" + "IoGetDeviceProperty", + "wcsrchr", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -44502,10 +30009,10 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=BE, ST=Antwerpen, L=Kasterlee, O=No Organization Affiliation, OU=Individual Developer, CN=Hans Roes",
- "ValidFrom": "2016-07-06 00:00:00",
- "ValidTo": "2018-07-06 23:59:59",
- "Signature": "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",
+ "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd",
+ "ValidFrom": "2014-10-23 00:00:00",
+ "ValidTo": "2017-01-13 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -44518,143 +30025,103 @@
 ],
 "Signer": [
 {
- "SerialNumber": "371fc099cdb143347b4424e9dc1f3b30",
+ "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016",
 "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2"
 }
 ]
 }
 ]
- }
- ],
- "Tags": [
- "FairplayKD.sys"
- ]
- },
- {
- "Id": "2cc3dd4f-8a1e-4f1f-9871-0a14815949b4",
- "Author": "Michael Haag",
- "Created": "2023-01-09",
- "MitreID": "T1068",
- "Category": "vulnerable driver",
- "Verified": "FALSE",
- "Commands": {
- "Command": "sc.exe create 80.sys binPath=C:\\windows\\temp\\80.sys type=kernel && sc.exe start 80.sys",
- "Description": "",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
+ },
 {
- "Filename": "80.sys",
- "SHA1": "bc2f3850c7b858340d7ed27b90e63b036881fd6c",
- "Signature": [],
- "Date": "",
- "Publisher": "",
- "Company": "",
+ "FileName": "DirectIo64.sys",
+ "MD5": "790ccca8341919bb8bb49262a21fca0e",
+ "SHA1": "61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799",
+ "SHA256": "9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f",
+ "Authentihash": {
+ "MD5": "7b9da0ee121248056b6ff192abd03ccb",
+ "SHA1": "8ec43d1def8bb20354aeba49a9084bacd2c02817",
+ "SHA256": "ad44cfd9c6262a6ff36ee9d03e59ba4b0524ef87f6b980ce15abb10a35d39f88"
+ },
 "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
 "Product": "",
 "ProductVersion": "",
- "FileVersion": "",
- "MachineType": "",
- "OriginalFilename": ""
- }
- ],
- "Tags": [
- "80.sys"
- ]
- },
- {
- "Id": "47fe1aaf-02cd-4a41-8bf5-0047015a2a6e",
- "Author": "Michael Haag",
- "Created": "2023-01-09",
- "MitreID": "T1068",
- "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": {
- "Command": "sc.exe create phymem64.sys binPath=C:\\windows\\temp\\phymem64.sys type=kernel && sc.exe start phymem64.sys",
- "Description": "",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "phymem64.sys",
- "MD5": "2c54859a67306e20bfdc8887b537de72",
- "SHA1": "d7f7594ff084201c0d9fa2f4ef1626635b67bce5",
- "SHA256": "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52",
- "Signature": [
- "Super Micro Computer, Inc.",
- "VeriSign Class 3 Code Signing 2010 CA",
- "VeriSign"
- ],
- "Date": "",
- "Publisher": "",
- "Company": "Super Micro Computer, Inc.",
- "Description": "phymem Application",
- "Product": "phymem",
- "ProductVersion": "1, 0, 0, 0",
- "FileVersion": "1, 0, 0, 0",
+ "Copyright": "",
 "MachineType": "AMD64",
- "OriginalFilename": "phymem.sys",
- "Authentihash": {
- "MD5": "aa43aa9f88e2fed984077a8852d85a4f",
- "SHA1": "52a8cd44646973b59c244b5f7b04b33a412634a2",
- "SHA256": "6ed3379d7ac1ad8bcfd13cd2502420569088ee7f1e04522ada48481d9a545a08"
- },
- "InternalName": "phymem",
- "Copyright": "Copyright(c) 1993-2015 Super Micro Computer, Inc.",
 "Imports": [
- "NTOSKRNL.exe"
+ "ntoskrnl.exe",
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "KeWaitForSingleObject",
- "IofCallDriver",
+ "IoWriteErrorLogEntry",
+ "IoBuildDeviceIoControlRequest",
+ "IoDeleteSymbolicLink",
+ "ExFreePoolWithTag",
+ "NtBuildNumber",
 "IoBuildSynchronousFsdRequest",
- "KeInitializeEvent",
+ "ZwMapViewOfSection",
+ "RtlInitUnicodeString",
+ "RtlIntegerToUnicodeString",
 "IoDeleteDevice",
+ "RtlAppendUnicodeToString",
+ "KeInitializeEvent",
+ "RtlQueryRegistryValues",
+ "MmUnmapIoSpace",
+ "MmBuildMdlForNonPagedPool",
+ "IoFreeMdl",
+ "IoAllocateErrorLogEntry",
+ "IoDriverObjectType",
+ "ZwCreateFile",
+ "wcsrchr",
+ "MmMapLockedPagesSpecifyCache",
+ "IoGetDeviceObjectPointer",
+ "ZwQueryValueKey",
+ "ZwUnmapViewOfSection",
+ "_vsnwprintf",
+ "MmMapIoSpace",
+ "ZwClose",
+ "RtlAppendUnicodeStringToString",
+ "ExAllocatePoolWithTag",
+ "ObReferenceObjectByHandle",
+ "KeWaitForSingleObject",
+ "RtlWriteRegistryValue",
+ "IoGetAttachedDeviceReference",
 "IoCreateSymbolicLink",
+ "ObfDereferenceObject",
+ "ObReferenceObjectByName",
 "IoCreateDevice",
- "RtlInitUnicodeString",
- "ExAllocatePool",
+ "RtlAssert",
+ "IoEnumerateDeviceObjectList",
+ "MmGetPhysicalMemoryRanges",
+ "ZwWriteFile",
+ "IoGetDeviceProperty",
+ "ZwOpenSection",
+ "DbgPrintEx",
+ "ObReferenceObjectByPointer",
+ "PsGetProcessId",
+ "DbgPrint",
+ "IoAllocateMdl",
+ "IofCallDriver",
+ "ZwOpenKey",
+ "KeQueryActiveProcessors",
+ "KeLeaveCriticalRegion",
+ "MmGetSystemRoutineAddress",
+ "KdSystemDebugControl",
+ "KeEnterCriticalRegion",
+ "KdDebuggerEnabled",
+ "KeBugCheckEx",
 "IofCompleteRequest",
- "ExFreePoolWithTag",
- "IoFreeMdl",
 "MmUnmapLockedPages",
- "MmUnmapIoSpace",
- "ExReleaseFastMutex",
- "ExAcquireFastMutex",
- "MmMapLockedPages",
- "MmBuildMdlForNonPagedPool",
- "IoAllocateMdl",
- "MmMapIoSpace",
- "IoDeleteSymbolicLink",
- "MmMapLockedPagesSpecifyCache",
- "IoGetDeviceObjectPointer"
+ "__C_specific_handler",
+ "KeStallExecutionProcessor"
 ],
 "Signatures": [
 {
- "CertificatesInfo": "",
+ "CertificatesInfo": [],
 "SignerInfo": "",
 "Certificates": [
 {
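Review bot: `CertificatesInfo` changes type in this hunk from the empty string `""` to the empty array `[]`, and the sample key `Filename` becomes `FileName`, so whatever decodes this embedded file has to change in the same commit; the loader is outside this diff, but if it types that field as a string the decode fails or only partially populates the list, and a partially populated list means silent misses for a vulnerable-driver check rather than a visible error. The same key-type change recurs in the preceding hunk and in the one that follows. Please confirm the loader treats a decode error as fatal instead of ignoring it, and add a short comment next to the embedding declaration naming the upstream schema this file now tracks, since the JSON itself cannot carry a comment.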
@@ -44664,6 +30131,13 @@
 "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
+ {
+ "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
+ "ValidFrom": "2010-02-08 00:00:00",
+ "ValidTo": "2020-02-07 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
 {
 "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
 "ValidFrom": "2012-10-18 00:00:00",
@@ -44672,110 +30146,121 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=San Jose, O=Super Micro Computer, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=Super Micro Computer, Inc.", - "ValidFrom": "2012-09-14 00:00:00", - "ValidTo": "2015-11-13 23:59:59", - "Signature": "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", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2014-10-23 00:00:00", + "ValidTo": "2017-01-13 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., 
OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3676642ba91b1d0bdf1d3ad0a6efaf4b", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "phymem64.sys" - ] - }, - { - "Id": "19897aed-9be8-4111-a7d8-35618b9d75b3", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create smep_capcom.sys binPath=C:\\windows\\temp\\smep_capcom.sys type=kernel && sc.exe start smep_capcom.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "smep_capcom.sys", - "MD5": "f406c5536bcf9bacbeb7ce8a3c383bfa", - "SHA1": "21edff2937eb5cd6f6b0acb7ee5247681f624260", - "SHA256": "db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004", - "Signature": [ - "CAPCOM Co.,Ltd.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "DirectIo64.sys", + "MD5": "7978d858168fadd05c17779da5f4695a", + "SHA1": 
"2db49bdf8029fdcda0a2f722219ae744eae918b0", + "SHA256": "ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25", "Authentihash": { - "MD5": "37458813b5115cbf06552da28fefbbbb", - "SHA1": "1d1cafc73c97c6bcd2331f8777d90fdca57125a3", - "SHA256": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4" + "MD5": "4f19a1d2166d52af3e3590d9748e91bc", + "SHA1": "f1bdd3236f43338a119d74eca730f0d464ded973", + "SHA256": "96a5b3cd7c1a6dda5b6f402e6c35ba535270467f56addc7448dbe4aa78428411" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "IofCompleteRequest", + "RtlQueryRegistryValues", "MmGetSystemRoutineAddress", - "IoCreateSymbolicLink", + "RtlWriteRegistryValue", + "RtlAppendUnicodeStringToString", + "RtlAppendUnicodeToString", + "DbgPrintEx", + "RtlGetVersion", + "KeInitializeEvent", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExAllocatePoolWithQuotaTag", + "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoAllocateErrorLogEntry", + "IoAllocateMdl", + "IoBuildDeviceIoControlRequest", + "IoBuildSynchronousFsdRequest", + "IofCallDriver", + "IofCompleteRequest", "IoCreateDevice", - "IoDeleteDevice" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetAttachedDeviceReference", + "IoGetDeviceObjectPointer", + "RtlIntegerToUnicodeString", + "IoGetDeviceProperty", + "ObReferenceObjectByHandle", + "ObReferenceObjectByPointer", + "ObfDereferenceObject", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenKey", + "ZwQueryValueKey", + 
"MmGetPhysicalMemoryRanges", + "PsGetProcessId", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "IoEnumerateDeviceObjectList", + "ObQueryNameString", + "_vsnwprintf", + "ObReferenceObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsInitialSystemProcess", + "NtBuildNumber", + "IoDriverObjectType", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KdSystemDebugControl", + "KdDebuggerEnabled", + "KeQueryActiveProcessors", + "KeBugCheckEx", + "IoWriteErrorLogEntry", + "wcsrchr", + "KeStallExecutionProcessor" ], "Signatures": [ { 
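Review bot: The new DirectIo64.sys sample uses the key `"FileName"` while the d2.sys record in the `@@ -45131` hunk and the retained records use `"Filename"`, so a consumer reading one spelling silently gets an empty name for the other. The same drift in key names and types appears on the new side in the `@@ -44783` hunk, where `"CertificatesInfo"` is `""` in one sample and `[]` in the next, and in the `@@ -44975` hunk, where `"Commands"` is a bare string and `"Description"` and `"Person"` are `[]` rather than the object and `""` every neighbouring record uses; a strictly typed decoder (presumably the Go package this file sits in) will reject or zero these fields. Normalising to one spelling and one type per key before committing — `"Filename"`, `"CertificatesInfo": ""`, `"Commands": { "Command": … }` — or validating the export against a schema in CI would catch this. The hash and Authentihash values themselves are unaffected.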
@@ -44783,191 +30268,273 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=JP, ST=Osaka, L=Chuo,ku, O=CAPCOM Co.,Ltd., OU=R&D Asset Management Section, CN=CAPCOM Co.,Ltd.", - "ValidFrom": "2016-05-02 00:00:00", - "ValidTo": "2017-05-02 23:59:59", - "Signature": "6b29c609e5a3bc4d2e3b59a22b42cfdcf409104be6cc7767624c4f96d585ef8243554de2513754867f64e7fdd39b00956903eee7ac6087641b82d8d49548202b8349085d9298c8e2498f2094190aa46cdda0510d937d4ab73ba469229672407822b47c4f1312475a14adcb291a101f0360acdcfa64a6aac9147b034fcea762c2a68a103885208922461990ef0bf3e602ba942257b36604ef4832c715d5320b99d5fd5ba7a76128ed6d0ba7cf90c4362ee2a96422fa4a69d5af070babf4ad786adfa43a21d1ae93fedfcef13b7e2f56b7c619f7d40bcaf8756e09797a9928daa90a582c8e7180cdb62f47c0873cc708f3e396820a7fdef929190fe86dea0b2566", + "Subject": "??=AU, ??=Private Organization, serialNumber=099 321 392, C=AU, ST=New South Wales, L=Surry Hills, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd", + 
"ValidFrom": "2018-10-18 00:00:00", + "ValidTo": "2021-02-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7e59408d3c99c511a853fb2f73c03dc4", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0d671c2c3c13676231329afa97b1ec2b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] - } - ], - "Tags": [ - "smep_capcom.sys" - ] - }, - { - "Id": "0f59ce3b-20ac-41ba-8010-2abc74827eb8", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create cpuz.sys binPath=C:\\windows\\temp\\cpuz.sys type=kernel && sc.exe start cpuz.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "cpuz.sys", - "MD5": "c2eb4539a4f6ab6edd01bdc191619975", - "SHA1": "4d41248078181c7f61e6e4906aa96bbdea320dc2", - "SHA256": "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6", - "Signature": [ - "CPUID", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "CPUID", - "Description": "CPUID Driver", - "Product": "CPUID service", - "ProductVersion": "6.1.7600.16385", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "MachineType": "I386", - "OriginalFilename": "cpuz.sys", + "FileName": "DirectIo64.sys", + "MD5": "d660fc7255646d5014d45c3bca9c6e20", + "SHA1": "01b95ae502aa09aabc69a0482fcc8198f7765950", + "SHA256": "b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1", "Authentihash": { - "MD5": "d8a92124984eb0c21f84461d5babd6de", - "SHA1": "6e928611c1afb608bf0df53a0d9f9e59a51199a2", - "SHA256": "4bf6f1b49ed332b31c695ee1e3e8db69d7514a3179f707034eec96de4865e1d2" + "MD5": "21853c3ceffa008b53f1144772a6750e", + "SHA1": "4aea4fbb9a732d57643f61f1bf3b82cebb18ab72", + "SHA256": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1" }, - "InternalName": "cpuz.sys", - "Copyright": "Copyright(C) 2010 CPUID", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "RtlFreeUnicodeString", - "ObfDereferenceObject", - "MmIsAddressValid", - "IoGetDeviceObjectPointer", - "MmUnmapIoSpace", - 
"RtlInitAnsiString", + "RtlInitUnicodeString", + "RtlQueryRegistryValues", + "MmGetSystemRoutineAddress", + "RtlWriteRegistryValue", + "RtlAppendUnicodeStringToString", + "RtlAppendUnicodeToString", + "DbgPrintEx", + "RtlGetVersion", + "KeInitializeEvent", + "KeWaitForSingleObject", + "ExAllocatePool2", + "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", "MmMapIoSpace", - "IoCreateSymbolicLink", + "MmUnmapIoSpace", + "IoAllocateErrorLogEntry", + "IoAllocateMdl", + "IoBuildDeviceIoControlRequest", + "IoBuildSynchronousFsdRequest", + "IofCallDriver", + "IofCompleteRequest", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetAttachedDeviceReference", + "IoGetDeviceObjectPointer", + "IoWriteErrorLogEntry", + "RtlIntegerToUnicodeString", + "ObReferenceObjectByHandle", + "ObReferenceObjectByPointer", + "ObfDereferenceObject", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenKey", + "ZwQueryValueKey", + "MmGetPhysicalMemoryRanges", + "PsGetProcessId", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "IoEnumerateDeviceObjectList", + "ObQueryNameString", + "_vsnwprintf", + "ObReferenceObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsInitialSystemProcess", + "NtBuildNumber", + "IoDriverObjectType", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KdSystemDebugControl", + "KdDebuggerEnabled", + "KeQueryActiveProcessors", "KeBugCheckEx", + "IoGetDeviceProperty", + "wcsrchr", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "serialNumber=49 099 321 392, ??=AU, ??=Private Organization, C=AU, postalCode=2010, ST=New South Wales, L=Surry Hills, ??=Level 5 63 Foveaux Street, O=PassMark Software Pty Ltd, 
CN=PassMark Software Pty Ltd", + "ValidFrom": "2021-01-06 00:00:00", + "ValidTo": "2024-01-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", + "ValidFrom": "2014-12-03 00:00:00", + "ValidTo": "2029-12-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + "Signer": [ + { + "SerialNumber": "00c230ef10f73148fd583fc3836a573892", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + } + ] + } + ] + }, + { + "FileName": "DirectIo64.sys", + "MD5": "b3424a229d845a88340045c29327c529", + "SHA1": "ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c", + "SHA256": "bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961", + "Authentihash": { + "MD5": "21853c3ceffa008b53f1144772a6750e", + "SHA1": "4aea4fbb9a732d57643f61f1bf3b82cebb18ab72", + "SHA256": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "PsGetVersion", + "RtlQueryRegistryValues", + "MmGetSystemRoutineAddress", + "RtlWriteRegistryValue", + "RtlAppendUnicodeStringToString", + "RtlAppendUnicodeToString", + "DbgPrintEx", + "RtlGetVersion", "KeInitializeEvent", + "KeWaitForSingleObject", + "ExAllocatePool2", + "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + 
"IoAllocateErrorLogEntry", + "IoAllocateMdl", "IoBuildDeviceIoControlRequest", + "IoBuildSynchronousFsdRequest", "IofCallDriver", - "KeWaitForSingleObject", - "RtlAnsiStringToUnicodeString", - "IoCancelIrp", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "KeStallExecutionProcessor", - "READ_PORT_UCHAR" + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetAttachedDeviceReference", + "IoGetDeviceObjectPointer", + "IoWriteErrorLogEntry", + "RtlIntegerToUnicodeString", + "ObReferenceObjectByHandle", + "ObReferenceObjectByPointer", + "ObfDereferenceObject", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenKey", + "ZwQueryValueKey", + "MmGetPhysicalMemoryRanges", + "PsGetProcessId", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "IoEnumerateDeviceObjectList", + "ObQueryNameString", + "_vsnwprintf", + "ObReferenceObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsInitialSystemProcess", + "NtBuildNumber", + "IoDriverObjectType", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KdSystemDebugControl", + "KdDebuggerEnabled", + "KeQueryActiveProcessors", + "KeBugCheckEx", + "IoGetDeviceProperty", + "wcsrchr", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", 
- "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2009-02-02 00:00:00", - "ValidTo": "2012-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "serialNumber=49 099 321 392, ??=AU, ??=Private Organization, C=AU, postalCode=2010, ST=New South Wales, L=Surry Hills, ??=Level 5 63 Foveaux Street, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd", + "ValidFrom": "2021-01-06 00:00:00", + "ValidTo": "2024-01-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater 
Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", + "ValidFrom": "2014-12-03 00:00:00", + "ValidTo": "2029-12-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "29f25a23906de1bbfa2c46067eba0ddd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "00c230ef10f73148fd583fc3836a573892", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" } ] } 
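Review bot: The second and third DirectIo64.sys samples in this hunk carry different MD5/SHA1/SHA256 values but an identical Authentihash block (`"MD5": "21853c3ceffa008b53f1144772a6750e"`, `"SHA1": "4aea4fbb9a732d57643f61f1bf3b82cebb18ab72"`, `"SHA256": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1"`) and the same signer serial `00c230ef10f73148fd583fc3836a573892`, which is consistent with one PE image re-signed or re-timestamped rather than two distinct builds. Nothing in the record says so, and a consumer that de-duplicates on file hash will treat them as unrelated samples. A line in the package documentation noting that Authentihash is the stable pivot for this entry, and that file-hash-only matching may miss further re-signed copies, would help anyone building detections from this data.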
@@ -44975,127 +30542,117 @@ } ], "Tags": [ - "cpuz.sys" - ] + "directio64.sys" + ], + "yara": false }, { - "Id": "3c5c8c6e-b14e-40d5-b231-c0be0f9b3932", - "Author": "Michael Haag", - "Created": "2023-01-09", + "Id": "52ded752-2708-499e-8f37-98e4a9adc23c", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsUpIO64.sys binPath=C:\\windows\\temp\\AsUpIO64.sys type=kernel && sc.exe start AsUpIO64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create GLCKIO2.sys binPath=C:\\windows\\temp\\GLCKIO2.sys type=kernel && sc.exe start GLCKIO2.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "AsUpIO64.sys", - "MD5": "1392b92179b07b672720763d9b1028a5", - "SHA1": "8b6aa5b2bff44766ef7afbe095966a71bc4183fa", - "SHA256": "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "GLCKIO2.sys", + "MD5": "dedd07993780d973c22c93e77ab69fa3", + "SHA1": "83b5e60943a92050fccb8acef7aa464c8f81d38e", + "SHA256": "e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8", "Authentihash": { - "MD5": "1e97ead4c5049f8fefe2b72edd5fa90e", - 
"SHA1": "2a95f882dd9bafcc57f144a2708a7ec67dd7844c", - "SHA256": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057" + "MD5": "9266ad818c7d32f3f6b759cbd20f742a", + "SHA1": "e78779533d76b402eab613557170ccbf5d951883", + "SHA256": "47489362609fa9bd398deec955d5600780bb3788eb29a282bcc5245905713eb0" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "MmGetSystemRoutineAddress", + "ObfDereferenceObject", "ZwClose", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", + "ZwOpenSection", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "IoIs32bitProcess", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "KeDelayExecutionThread", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "RtlInitUnicodeString", "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 
23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], 
"Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } @@ -45103,18 +30660,19 @@ } ], "Tags": [ - "AsUpIO64.sys" - ] + "GLCKIO2.sys" + ], + "yara": false }, { - "Id": "2cfede23-67f4-4af7-830f-c95ba30a43ae", + "Id": "d05a0a6c-c037-4647-99ac-c41593190223", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create WinIo64A.sys binPath=C:\\windows\\temp\\WinIo64A.sys type=kernel && sc.exe start WinIo64A.sys", + "Command": "sc.exe create d2.sys binPath=C:\\windows\\temp\\d2.sys type=kernel && sc.exe start d2.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", @@ -45131,8 +30689,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "WinIo64A.sys", - "SHA1": "0c74d09da7baf7c05360346e4c3512d0cd433d59", + "Filename": "d2.sys", + "SHA256": "cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612", "Signature": [], "Date": "", "Publisher": "", 
@@ -45146,300 +30704,18 @@ } ], "Tags": [ - "WinIo64A.sys" - ] - }, - { - "Id": "25d5ebe3-e827-44a4-86fc-898844595c23", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create POORTRY.sys binPath=C:\\windows\\temp\\POORTRY.sys type=kernel && sc.exe start POORTRY.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "POORTRY.sys", - "MD5": "7f9309f5e4defec132b622fadbcad511", - "SHA1": "a3ed5cbfbc17b58243289f3cf575bf04be49591d", - "SHA256": "6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "103f3c1ce174dff5dfc79a428d4bf385", - "SHA1": "b4d007b0c6ae6b4cfd96aab617f239cd8ebc8afb", - "SHA256": "45b9eee68266d1128bc252087f4a8ae18dbb0e0b6317e28bc248b25ca2431a56" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "NETIO.SYS", - "ntoskrnl.exe", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "WskCaptureProviderNPI", - "WskReleaseProviderNPI", - "WskDeregister", - "WskRegister", - "RtlDeleteElementGenericTableAvl", - "vsprintf_s", - "RtlEqualUnicodeString", - "MmBuildMdlForNonPagedPool", - "ObfDereferenceObject", - "IoAllocateMdl", - "ZwCreateSection", - 
"ExAcquireResourceExclusiveLite", - "ObCloseHandle", - "IoCreateFileEx", - "RtlInitUnicodeString", - "RtlLookupElementGenericTableAvl", - "ObReferenceObjectByHandleWithTag", - "ZwQueryVirtualMemory", - "IoFileObjectType", - "KeStackAttachProcess", - "ZwAllocateVirtualMemory", - "PsLookupProcessByProcessId", - "RtlImageNtHeader", - "ZwMapViewOfSection", - "RtlInitAnsiString", - "RtlCaptureContext", - "ExReleaseResourceLite", - "_vsnprintf_s", - "KeCapturePersistentThreadState", - "IoFreeMdl", - "wcsstr", - "RtlCompareString", - "ZwSetSystemInformation", - "MmGetSystemRoutineAddress", - "_stricmp", - "ZwDeleteFile", - "ExFreePoolWithTag", - "ZwOpenFile", - "ObReferenceObjectByName", - "MmUnmapLockedPages", - "IoDriverObjectType", - "MmFlushImageSection", - "ZwClose", - "KeUnstackDetachProcess", - "MmMapLockedPages", - "__C_specific_handler", - "MmIsAddressValid", - "MmUnlockPages", - "MmProbeAndLockPages", - "IoFreeIrp", - "KeSetEvent", - "IoAllocateIrp", - "KeInitializeEvent", - "KeWaitForSingleObject", - "ZwReadFile", - "RtlCopyUnicodeString", - "ZwUnmapViewOfSection", - "ZwQuerySystemInformation", - "ExAllocatePool", - "RtlGetVersion", - "__chkstk", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] - } - ], - "Tags": [ - "POORTRY.sys" - ] - }, - { - "Id": "902249eb-87cb-4c01-8da7-17675d743cd7", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create WinFlash64.sys binPath=C:\\windows\\temp\\WinFlash64.sys type=kernel && sc.exe start WinFlash64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - 
"Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WinFlash64.sys", - "MD5": "a4fda97f452b8f8705695a729f5969f7", - "SHA1": "8183a341ba6c3ce1948bf9be49ab5320e0ee324d", - "SHA256": "677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf", - "Signature": [ - "Phoenix Technology Ltd.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "9fd32632e404f7d009ffe1ed34364539", - "SHA1": "da21f5889f8374c3961856d681adec3d663d2964", - "SHA256": "f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteDevice", - "RtlFreeUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAnsiStringToUnicodeString", - "RtlInitString", - "IofCompleteRequest", - "MmMapLockedPages", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", 
- "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", - "ValidFrom": "2006-10-17 00:00:00", - "ValidTo": "2007-10-17 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "2ca9ca93cd9b19a96ddad68aff3a668d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } + "d2.sys" ], - "Tags": [ - "WinFlash64.sys" - ] + "yara": false }, { - "Id": "34fa6ba4-dc7c-4fd6-b947-8a0bb8ebd031", + "Id": "0e8da43d-92e0-43f9-bc34-50a7d15b34bd", "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Created": "2023-05-11", "MitreID": "T1068", "Category": "vulnerable driver", 
"Verified": "TRUE", - "Commands": "sc.exe create amifldrv64.sys binPath=C:\\windows\\temp\\amifldrv64.sys type=kernel && sc.exe start amifldrv64.sys", + "Commands": "sc.exe create etdsupp binPath=C:\\windows\\temp\\etdsupp.sys type=kernel && sc.exe start etdsupp.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
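Review bot: The new side of this hunk mixes two incompatible shapes for the same keys, which a consumer that decodes this file into fixed struct fields will not handle: `"Commands"` is an object (`{"Command": ...}`) in every other entry but a bare string in the last added line here (`"Commands": "sc.exe create etdsupp ..."`), `"Description"` is `[]` where neighbouring entries use `""`, and the sample key is spelled `"Filename"` for d2.sys here but `"FileName"` for etdsupp.sys in the hunk that follows. With Go's `encoding/json` the string-vs-object mismatch yields an `UnmarshalTypeError` and the differently-cased key is silently dropped, so the hashes of that entry never reach the matching code and a known driver goes undetected without any error being logged. Since the file is pulled from upstream as-is, the fix belongs in the loader: decode the variant fields via `json.RawMessage` or a custom `UnmarshalJSON` that accepts both shapes, and fail loudly (or at least count) entries whose samples end up with no hash after decoding. The array element for d2.sys opens in the previous hunk.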
@@ -45448,29 +30724,50 @@ "Internal Research" ], "Acknowledgement": { - "Person": [], - "Handle": "" + "Person": "Michael Alfaro", + "Handle": "@_mmpte_software" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "FileName": "amifldrv64.sys", - "MD5": "0dff47f3b14fb1c1bad47cc517f0581a", - "SHA1": "db3538f324f9e52defaba7be1ab991008e43d012", - "SHA256": "20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "etdsupp.sys", + "MD5": "a92bf3c219a5fa82087b6c31bdf36ff3", + "SHA1": "a57eefa0c653b49bd60b6f46d7c441a78063b682", + "SHA256": "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145", "Authentihash": { - "MD5": "d63561be67c8adae1db28b0e503b3ba1", - "SHA1": "8e67628743959e8b73d82ae5b9ee7a387a51925d", - "SHA256": "6999caca67b37860abb5e6d95420d1b0d04966bc6674aac3bfde4e2394ad37fd" + "MD5": "bcc13f939e945b7395681cc6299a45bb", + "SHA1": "96faa975feb28588372a98a1e77d98af7fc90e41", + "SHA256": "c9532a354c24fd256c24534c554bca5a126414eb496dbd3223fe9486418df2ea" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - 
"Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "ETDi Support Driver", + "Company": "HP Development Company", + "InternalName": "etdsupp.sys", + "OriginalFilename": "etdsupp.sys", + "FileVersion": "18.0.0.0", + "Product": "HP ETDi Driver DLL", + "ProductVersion": "18.0.0.0", + "Copyright": "(C) Copyright 1991-2022 Hewlett-Packard Development Company, L.P.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", @@ -45478,29 +30775,18 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "IoDeleteSymbolicLink", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx", "MmGetPhysicalAddress", - "MmUnmapIoSpace", - "HalTranslateBusAddress" + "__C_specific_handler", + "KeBugCheckEx", + "DbgPrint", + "IoDeleteSymbolicLink", + "RtlAppendUnicodeToString", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" ], "Signatures": [ { 
@@ -45508,414 +30794,732 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": 
"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", + "Subject": "??=Private Organization, ??=US, ??=California, serialNumber=C2895304, C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", + "ValidFrom": "2022-01-19 00:00:00", + "ValidTo": "2024-01-19 23:59:59", + "Signature": "9500d1da5fadfef36a40966dce1ca0cee421500966b33f49f4c10f8acfea86f00dffde1f543367816b85f0ff09bc7f4767f7ca4533ea1b94c8eb026cd04936cd558ae73815b87a5e7a5b25a8b8aa9fb309f20a455067b17f1648d46a46f1f714b6f7c3df658545a43513e08b23828fa4e2180bf7356ab845318358cb4655b3c2c5efbf3ef01ebf6a172a271d714da3b844a184412a57d7e36e52480f8d3ced0fb1fa5c42257b05904820138acaea141a50294d827b92ef804d25d7cb36426edb915c90e97b8461df38f47ecb905b29b40ecf54dea2b060276444740357f2e8557a5fe064a03426c9408652e88a9b253f7bd37334199ce81b866b73b897217dcf019c8c7e5be66905b528a9eda563bca9b4922ea972df2e68c06d3396ac1bb76e4551f750ebd66d1c68edb6ecffdd8f9f492b7630e4a0591867edccec6d5cb6d58c35b89a8aebdc12c210b38289ecf419f8e82c1a03e2c8761b984bafafa502db482659a1ff256eee72175bc1a3d5dd5afa71fedbd7a8f4ad1cf6e569e382775ed6828dedeea6bf8689ee18dbe380140949cdc4a827622f23841731bb062941226d030e3873a425b078fe4926ef1985d8aecfce1140848b565dc0b5b722bf11fe129f6caee67af3e1c797562224849cfecbeda2f6c801d727f93a53e8b01cf475c541f3f4e26cf4c34e7b28cdb059f46880d92c6aab7d15eca050c395e4035fa5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "0ec67729a8c3327b1b23804ce24719bd", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } 
] } ] + } + ], + "Tags": [ + "etdsupp.sys" + ], + "yara": true + }, + { + "Id": "d0048840-970f-4ad5-9a07-1d39469d721f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create asmmap64.sys binPath=C:\\windows\\temp\\asmmap64.sys type=kernel && sc.exe start asmmap64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "ee57cbe6ec6a703678eaa6c59542ff57", - "SHA1": "c614ab686e844c7a7d2b20bc7061ab15290e2cfd", - "SHA256": "2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "asmmap64.sys", + "MD5": "4c016fd76ed5c05e84ca8cab77993961", + "SHA1": "00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b", + "SHA256": "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4", + 
"Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "ASUS", + "Description": "Memory mapping Driver", + "Product": "ATK Generic Function Service", + "ProductVersion": "1, 0, 9, 0", + "FileVersion": "1, 0, 9, 1", + "MachineType": "AMD64", + "OriginalFilename": "asmmap.sys", "Authentihash": { - "MD5": "05c371cbcccf828fd3c9251ba2f61442", - "SHA1": "73265b25f043d2520b81a68ad0342baaff30e7cf", - "SHA256": "bee62b69023212a5a964d323f60e5858d7cbd767a39f3d5ef87cacb080b1dbf2" + "MD5": "882ef4da71bcb67204bdec731afe1c94", + "SHA1": "734f215383ef61350c2da97dea53589ede21a3d2", + "SHA256": "ab300e7e0d5d540900dbe11495b8d6788039d1cffb22e2dc2304b730a71eec97" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "asmmap.sys", + "Copyright": "Copyright (C) 2009", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "MmMapLockedPages", "ZwMapViewOfSection", "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmMapLockedPages", + "IoDeleteDevice", "MmFreeContiguousMemory", "MmBuildMdlForNonPagedPool", "IoFreeMdl", "MmGetPhysicalAddress", - "MmMapIoSpace", - "PsGetVersion", - "MmIsAddressValid", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "DbgPrint", + "ZwUnmapViewOfSection", "IoDeleteSymbolicLink", - "IoDeleteDevice", "IofCompleteRequest", + "ObReferenceObjectByHandle", "IoCreateSymbolicLink", "IoCreateDevice", + "ZwOpenSection", + "DbgPrint", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "KeBugCheckEx", - "MmMapLockedPagesSpecifyCache", - "MmUnmapIoSpace", + "ZwClose", + "MmUnmapLockedPages", + "__C_specific_handler", "HalTranslateBusAddress" ], 
"Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=US, ??=Georgia, serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2014-06-24 00:00:00", - "ValidTo": "2017-08-30 12:00:00", - "Signature": "7cc232dd164435ef5e3342e94757a355725f119e6888ab1d3e142039b69f3fc1f6f4b4d38a11573c592b5d99daa9d0b8cc6d0cd5da37a39a9918af563cc31d551f13f361fe68e77d311e4c94e284e49f11ee9f28a723db51bd051ebaaf62d86c07cfaa2d07e16a3b6eb3cd24fcf5d8b0f2fb231072245c32c9b2f4285bef59a6eead9887a9dc6f3ddd4acaac72ea5baff2210389c32291e9e10c05bbb91d3284dcf5ffd10eaffd2db9dd99598d947143d8a079c29f1bd98a92892645758a1321e43c99639067465a3c5018c1a9a7bb1d4c1731e84dd719e7ed4818b332a6106a4d2ee4c92046ea90ab7a9331bf399ade08d0f826e7ba7a80ab07658a03f32fe6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2008-07-22 00:00:00", + "ValidTo": "2009-07-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - 
"SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "37ed9092bdd1dccf58d2afa47f961448", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "asmmap64.sys" + ], + "yara": true + }, + { + "Id": "ad21819d-3080-4fe2-89b1-74385031fb4d", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ATSZIO64.sys binPath=C:\\windows\\temp\\ATSZIO64.sys type=kernel && sc.exe start ATSZIO64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "df5f8e118a97d1b38833fcdf7127ab29", - "SHA1": "5fece994f2409810a0ad050b3ca9b633c93919e4", - "SHA256": "36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + 
"type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ATSZIO64.sys", + "MD5": "b12d1630fd50b2a21fd91e45d522ba3a", + "SHA1": "490109fa6739f114651f4199196c5121d1c6bdf2", + "SHA256": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "ASUSTek Computer Inc.", + "Description": "ATSZIO Driver", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "FileVersion": "0.2.1.7", + "MachineType": "AMD64", + "OriginalFilename": "ATSZIO.sys", "Authentihash": { - "MD5": "28f8b0bdf1fc0b1d065ed3236931fab3", - "SHA1": "b7b33ed598425c008e51ff90cf28b288f7250cdd", - "SHA256": "a4e850e7847499e7d4c2754f8a4973fc5b4adeb728e1e142d1d35d519edf3274" + "MD5": "69a92cb6ac87c99f10b24eefa13f0b10", + "SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73", + "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "ATSZIO.sys", + "Copyright": "Copyright (C) 2012", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", "MmAllocateContiguousMemory", - "IoDeleteSymbolicLink", - "IoDeleteDevice", + "MmFreeContiguousMemory", 
"IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "MmUnmapIoSpace", - "HalTranslateBusAddress" + "__C_specific_handler", + "DbgPrint", + "IoDeleteDevice", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": 
"5a00ce1b66cc04a3be37c0926957fc54b1f2904c69a3555d90a15e3c7b7133e76583a0fe5c13c21cdddda40e6f0ba958964796abcfbb7fbe4de15a009f80e653556e29cac9d208645b8154f52f6045fa268f6e6b57536f21833f2cc92c5e9a51636cfeaa74f0b8ab80a8649d68c7c46f51a534c0697a426aa37337c7956268f4cdc8d88adbd1aa0cb620abeb7166172e914016c84e00824751b4f7142b54c56b74d578fd97aadda3e8e777ec22c34460a8dc7e0392a9adab018b16699d9ddd7551fd5c5924f3d1ccb9e6ef67ca0ab2107d1abf158add6d42ba18dee5ec35e3445627df4744d71f73ee3a199aaa42993ebaaa7f91f8b6d1b623350744853c1b38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": 
"03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "ATSZIO64.sys" + ], + "yara": true + }, + { + "Id": "6a50e368-1120-434b-9232-1a0702c80437", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsrDrv106.sys binPath=C:\\windows\\temp\\AsrDrv106.sys type=kernel && sc.exe start AsrDrv106.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + 
"https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "785045f8b25cd2e937ddc6b09debe01a", - "SHA1": "029c678674f482ababe8bbfdb93152392457109d", - "SHA256": "37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AsrDrv106.sys", + "MD5": "12908c285b9d68ee1f39186110df0f1e", + "SHA1": "b0032b8d8e6f4bd19a31619ce38d8e010f29a816", + "SHA256": "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838", + "Signature": [ + "ASROCK INC.", + "GlobalSign GCC R45 EV CodeSigning CA 2020", + "GlobalSign Code Signing Root R45", + "GlobalSign", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + "Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "AsrDrv.sys", "Authentihash": { - "MD5": "51219fe8395e9ac49d271ccf7fde2512", - "SHA1": 
"6aeb587edcd01289abc84316ae88959c235663fe", - "SHA256": "af20c1b4eb703083979e6f4e211327495f7a0a27ace9a52bd22dd3737be7a8b1" + "MD5": "f67b148a13ad3caa51c3c2ef142791ea", + "SHA1": "f621633290173daac18bb14ca3f52bc027cd2721", + "SHA256": "ac7b3c3b74e6e282c7f50c17a6213b81b181f779cd7c0c78e3cb426c427a98db" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "AsrDrv.sys", + "Copyright": "Copyright (C) 2012 ASRock Incorporation", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "cng.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmMapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", "IoFreeMdl", "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", "MmMapIoSpace", - "PsGetVersion", - "MmIsAddressValid", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "DbgPrint", - "IoDeleteSymbolicLink", - "IoDeleteDevice", "IofCompleteRequest", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", "KeBugCheckEx", - "MmMapLockedPagesSpecifyCache", - "MmUnmapIoSpace", - "HalTranslateBusAddress" + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoCreateDevice", + "ZwClose", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + 
"RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlInitUnicodeString", + "MmFreeContiguousMemorySpecifyCache", + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor", + "BCryptCloseAlgorithmProvider", + "BCryptGenerateSymmetricKey", + "BCryptOpenAlgorithmProvider", + "BCryptDecrypt", + "BCryptDestroyKey" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, ??=US, ??=Georgia, 
serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2014-06-24 00:00:00", - "ValidTo": "2017-08-30 12:00:00", - "Signature": "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", + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2018-09-19 00:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Code Signing Root R45", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2029-03-18 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2030-07-28 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 
00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, serialNumber=80333613, ??=TW, C=TW, ST=Taipei, L=Taipei, ??=2F., No. 37, Sec. 2, Zhongyang S. Rd., Beitou Dist., O=ASROCK INC., CN=ASROCK INC.", + "ValidFrom": "2021-09-17 08:05:26", + "ValidTo": "2024-09-17 08:05:26", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "3be24b96d2c8d729eddb03e3", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020" } ] } ] + } + ], + "Tags": [ + "AsrDrv106.sys" + ], + "yara": true + }, + { + "Id": "9c3c6e89-3916-498f-81e5-da057ab3ed42", + "Author": "Michael Haag", + "Created": "2023-04-22", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create windbg.sys binPath=C:\\windows\\temp\\windbg.sys type=kernel && sc.exe start windbg.sys", + "Description": "Kernel driver seen in a recent CopperStealer campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft", + "https://twitter.com/jaydinbas/status/1642898531445886978?s=20", + "https://twitter.com/jaydinbas/status/1646475092006785027?s=20" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d.yara" }, { - "FileName": "amifldrv.sys", - "MD5": 
"119f0656ab4bb872f79ee5d421e2b9f9", - "SHA1": "e35969966769e7760094cbcffb294d0d04a09db6", - "SHA256": "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "windbg.sys", + "MD5": "88bea56ae9257b40063785cf47546024", + "SHA1": "b5a8e2104d76dbb04cd9ffe86784113585822375", + "SHA256": "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", "Authentihash": { - "MD5": "973ff01a8901563e12119ca09b427e8e", - "SHA1": "9f8870ec272933ee6f4e1eda975a6d5db5f9fbde", - "SHA256": "4f35cf1f2e0fb87a2728303091ee505a0bc546cf63dcd38178adf48477ec0f91" + "MD5": "265462dbda175886e0c02257f2385753", + "SHA1": "0e45b675fec76249e64f8a2d4bd5483886b91169", + "SHA256": "37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c" }, - "Description": "AMI Generic Utility Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "amifldrv.sys", - "OriginalFilename": "amifldrv.sys", - "FileVersion": "10.0.10011.16384", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "10.0.10011.16384", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetPhysicalAddress", - "RtlInitUnicodeString", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "KeLowerIrql", - "MmBuildMdlForNonPagedPool", - "MmMapIoSpace", - "MmUnmapIoSpace", - "ObReferenceObjectByHandle", + "IoDetachDevice", + "memcpy", + "memset", "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", "PsGetVersion", - "ExAllocatePoolWithQuotaTag", - "ZwQuerySystemInformation", - "KfRaiseIrql", - "RtlCompareMemory", - "HalTranslateBusAddress" + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + 
"IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -45926,401 +31530,628 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", "ValidFrom": "2012-04-18 12:00:00", "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert 
Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } ] }, { - "FileName": "amifldrv64.sys", - "MD5": "530feb1e37831302f58b7c219be6b844", - "SHA1": "1e09f3dd6ba9386fa9126f0116e49c2371401e01", - "SHA256": "3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134", + "Filename": "windbg.sys", + "MD5": "b6b530dd25c5eb66499968ec82e8791e", + "SHA1": "9c1c9032aa1e33461f35dbf79b6f2d061bfc6774", + "SHA256": "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", "Authentihash": { - "MD5": "aefe7422cfe20a6f576092d04a592311", - "SHA1": "943a16dde2e44f7bae629f62cf937cceb10ec1b4", - "SHA256": "7e8e7bc080b4c32ce703b3e8b3cc7e13fa9ef2422dc6f370a2c2b82496564aae" + "MD5": "dbc72430b48b0ca636a84b9e5ed0d534", + "SHA1": "58ca196bfd54c6166aae0f8000fa8a1a66a0073e", + "SHA256": "45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeLowerIrql", - "KfRaiseIrql", + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", "IoFreeMdl", "MmMapLockedPages", "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", + "MmCreateMdl", + 
"ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlMoveMemory", - "IofCompleteRequest", - "RtlZeroMemory", - "IoCreateSymbolicLink", - "IoCreateDevice", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", "IoAllocateMdl", - "MmMapIoSpace", - "HalTranslateBusAddress" + "_allshl", + "RtlUnwind" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2023-01-12 19:14:51", + "ValidTo": "2023-12-15 19:14:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2006-09-30 00:00:00", - "ValidTo": "2009-11-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "33000000f3158ea57d1c559f290000000000f3", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "amifldrv64.sys", - "MD5": "c098f8aeb67eeb2262dbf681690a9306", - "SHA1": "7e8efd93a1dad02385ec56c8f3b1cfd23aa47977", - "SHA256": "5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa", + "Filename": "windbg.sys", + "MD5": "40b968ecdbe9e967d92c5da51c390eee", + "SHA1": "b8b123a413b7bccfa8433deba4f88669c969b543", + "SHA256": "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", "Authentihash": { - "MD5": "f2a4fd2aae63ffe766a7a8d2d775a59e", - "SHA1": "52008f007e84756ba84dacb7cbb465e592dfe260", - "SHA256": "d259e9b1d04b5fa966094f15f8edbaeba5da2a14bf34bf0a5490a0e308c025d7" + "MD5": "98a3ab2b723de48256701b417ff87a65", + "SHA1": "ff80d6663a92ff454526e88847cbb4d9bd00e21e", + "SHA256": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", - "IoFreeMdl", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + 
"KeInitializeEvent", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", + "CmRegisterCallback", + "RtlCopyUnicodeString", "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", "IoAllocateMdl", - "MmMapIoSpace", - "HalTranslateBusAddress" + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2023-01-12 19:14:52", + "ValidTo": "2023-12-15 19:14:52", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2010-05-07 00:00:00", - "ValidTo": "2012-05-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1ecbf523c0f14748fe14841dbb88c365", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000f5e8773b206b1ccd610000000000f5", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] + } + ], + "Tags": [ + "windbg.sys" + ], + "yara": true + }, + { + "Id": "3bc629e8-7bf8-40c2-965b-87eb155e0065", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create mtcBSv64.sys binPath=C:\\windows\\temp\\mtcBSv64.sys type=kernel && sc.exe start mtcBSv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + 
"https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "f22740ba54a400fd2be7690bb204aa08", - "SHA1": "5812387783d61c6ab5702213bb968590a18065e3", - "SHA256": "65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "mtcBSv64.sys", + "MD5": "9dfd73dadb2f1c7e9c9d2542981aaa63", + "SHA1": "29a190727140f40cea9514a6420f5a195e36386b", + "SHA256": "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8", + "Signature": [ + "Mitac Technology Corporation", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "MiTAC Technology Corporation", + "Description": "MiTAC System Service Provider", + "Product": "MiTAC System Service Provider", + "ProductVersion": "21, 1, 4, 0", + "FileVersion": "21, 1, 4, 0", + "MachineType": "AMD64", + "OriginalFilename": "mtcBSv64.sys", "Authentihash": { - "MD5": "4bb9654a5a20bc189b000d4a2fba5856", - "SHA1": "444ce1608768884d1e9742f80ccf4f53e0aa709d", - 
"SHA256": "d052299252f0f0bd70b5e7c46b9ca71a99a052b47f693582becb6f0d567e8245" + "MD5": "c467ed521f199f0d5c1c3705dabf2896", + "SHA1": "8533994513c4f65feb48806b36f42ec9fe21a4c3", + "SHA256": "da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "mtcBSv64.sys", + "Copyright": "Copyright (C) 2007 MiTAC Technology Corporation", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmGetPhysicalAddress", - "MmMapIoSpace", - "PsGetVersion", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "DbgPrint", + "ExAllocatePoolWithTag", + "KeClearEvent", "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "KeInitializeMutex", + "IoRegisterDeviceInterface", + "IoSetDeviceInterfaceState", + "IoBuildSynchronousFsdRequest", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "KeInitializeEvent", + "KeReleaseSpinLock", + "IoDetachDevice", + "KeReleaseMutex", + "RtlFreeUnicodeString", + "ExInterlockedInsertTailList", + "PoStartNextPowerIrp", "IofCompleteRequest", + "KeWaitForSingleObject", + "IoGetAttachedDeviceReference", + "IoAttachDeviceToDeviceStack", + "PoCallDriver", "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", - "KeBugCheckEx", - "MmMapLockedPagesSpecifyCache", + "IofCallDriver", + "KeAcquireSpinLockRaiseToDpc", + "IoBuildDeviceIoControlRequest", "MmUnmapIoSpace", - "HalTranslateBusAddress" + "MmMapIoSpace", + "ExAllocatePool", + "RtlTimeToTimeFields", + "KeBugCheckEx", + "RtlUnicodeToMultiByteN" ], "Signatures": [ { - 
"CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "5a00ce1b66cc04a3be37c0926957fc54b1f2904c69a3555d90a15e3c7b7133e76583a0fe5c13c21cdddda40e6f0ba958964796abcfbb7fbe4de15a009f80e653556e29cac9d208645b8154f52f6045fa268f6e6b57536f21833f2cc92c5e9a51636cfeaa74f0b8ab80a8649d68c7c46f51a534c0697a426aa37337c7956268f4cdc8d88adbd1aa0cb620abeb7166172e914016c84e00824751b4f7142b54c56b74d578fd97aadda3e8e777ec22c34460a8dc7e0392a9adab018b16699d9ddd7551fd5c5924f3d1ccb9e6ef67ca0ab2107d1abf158add6d42ba18dee5ec35e3445627df4744d71f73ee3a199aaa42993ebaaa7f91f8b6d1b623350744853c1b38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - 
"ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Mitac Technology Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Mitac Technology Corporation", + "ValidFrom": "2008-10-08 00:00:00", + "ValidTo": "2009-10-23 23:59:59", + "Signature": "9c744d221ef49ac5485f8833994046192117e43bba976d71dfb3c8c75596b460638f786855f09fa612ee759ca9dde70bf7bcc5d5fbd6b106b17a8220371d0ebfac391f197f97d4c1d3220612c1ecc219fcad6d1e91e58fc1233253b14dd792a0c382cdea0e1d863e27bed56d5a3b39530db0973a425e0c4febb349965a6312d12bf12d6c67bbc6a3020c9a0de56eb295df368e3ee6f27ccb48d98216a6648432b9731981838fdb72417a163f7883556926398afdd4b16226da80cd8ae58d16ba1d06449f59db81545741b3a8657dbfc1645b3aa4e15dd758b7556c57bd82580a22c1a63c48003d948da81cdda831c8ffe2da7779bf7c22bd596ada4a446b7191", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - 
"Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "6088078ee11491f60ccddef11374431a", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "mtcBSv64.sys" + ], + "yara": true + }, + { + "Id": "95d244a5-fa5b-4bcb-a2fd-39ed6c7ea7a4", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": 
"sc.exe create rtkio64.sys binPath=C:\\windows\\temp\\rtkio64.sys type=kernel && sc.exe start rtkio64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "24156523b923fd9dcfdd0ac684dcdb20", - "SHA1": "ff9048c451644c9c5ff2ba1408b194a0970b49e6", - "SHA256": "6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "rtkio64.sys", + "MD5": "70dcd07d38017b43f710061f37cb4a91", + "SHA1": "99201c9555e5faf6e8d82da793b148311f8aa4b8", + "SHA256": "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129", + "Signature": [ + "Realtek Semiconductor Corp.", + "DigiCert EV Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "Realtek ", + "Description": "Realtek IO Driver", + "Product": "Realtek IO Driver ", + 
"ProductVersion": "1.008.0823.2017", + "FileVersion": "1.008.0823.2017 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "rtkio64.sys ", "Authentihash": { - "MD5": "229a8958720d362fab81a2b527e717a2", - "SHA1": "2cea31932e00c69e6f1bb0b0bf6b16b8c72dc3f6", - "SHA256": "aef3985caa213c9e5e0a0d5e75a9a7918a92c08690b5a04a6b14d6372c2dd71c" + "MD5": "dbe68427fd1f2194715b4d146dedeae7", + "SHA1": "118ebc5c7ac859d17c14ceeaa8ab973d694fdd7b", + "SHA256": "e46bb410c3bb95a1f3d61ced157c679bfac7dc997534e46b83b234a6fc5cbb14" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "rtkio64.sys ", + "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. ", "Imports": [ "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmMapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "PsGetVersion", - "MmIsAddressValid", - "IoAllocateMdl", - "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "ExUnregisterCallback", + "ExAllocatePoolWithTag", + "IoWMIRegistrationControl", + "KeQueryActiveProcessors", "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "IoWMIWriteEvent", + "IoRegisterShutdownNotification", + "RtlInitUnicodeString", "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmUnmapIoSpace", + "ZwQueryValueKey", + "IoUnregisterShutdownNotification", + "ZwClose", "IofCompleteRequest", + "ExRegisterCallback", + "RtlCompareMemory", "IoCreateSymbolicLink", + "KeSetSystemAffinityThread", + 
"ObfDereferenceObject", "IoCreateDevice", + "ExCreateCallback", + "IoAllocateMdl", + "ZwOpenKey", "KeBugCheckEx", - "MmGetPhysicalAddress", - "MmUnmapIoSpace", - "HalTranslateBusAddress" + "MmMapLockedPagesSpecifyCache", + "_vsnprintf", + "__C_specific_handler", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -46331,11 +32162,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=US, ??=Georgia, serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2014-06-24 00:00:00", - "ValidTo": "2017-08-30 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2016-06-13 00:00:00", + "ValidTo": "2019-01-24 12:00:00", + "Signature": "9616a10e728762896fad0b74d574eb1775ae3bd1b12dc07441d668ec373ffb2ed5590d43f821b8d440c8e11338272d0cd1bc0ea5c05a428538c0ba1195e800c51e81db998174bdbe25be284a2c367d3578cf801524bd9f18b9098f4ee79f45a0e9af74894b828523f0b2c1c6837bc572da3be7f769e8df8749f26fd05087cc4b09fedac11c037e3690441286f8c52c09f18c7c179138f4844a8d99d8f9e7dec178ead089e12a05469c046a3c85b43d038811f02c6803128bf9bc1b757a2bb72d3ad61f670d3ae856ade0165f9dff89c36592b5295ead0718458c19c2f21781cd1ef0685049ebddd88806cd17e6eab078e2f0a505845ee5d9fca6904260ef8a1a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", 
@@ -46345,11 +32176,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", "ValidFrom": "2012-04-18 12:00:00", "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", 
@@ -46361,74 +32192,227 @@ ], "Signer": [ { - "SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "0320be3eb866526927f999b97b04346e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } ] - }, + } + ], + "Tags": [ + "rtkio64.sys" + ], + "yara": true + }, + { + "Id": "cacc48e6-6ed8-431c-abee-88ee6c2dc3c1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create nt2.sys binPath=C:\\windows\\temp \\n \\n \\n t2.sys type=kernel && sc.exe start nt2.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "amifldrv64.sys", - "MD5": "7331720a5522d5cd972623326cf87a3f", - "SHA1": "456a1acacaa02664517c2f2fb854216e8e967f9d", - "SHA256": "b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441", - "Authentihash": { - "MD5": "d5816277859ccb21e901e3ce39f6e929", - "SHA1": "d240db93654ce2685d3b903db809edcc82322dfc", - "SHA256": "05e2d2f2b58da5391598d30d7f5f33ae38cfeb0d9b9ae19b4312de39c678f301" - }, + "Filename": "nt2.sys", + "SHA256": "cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + 
"OriginalFilename": "" + } + ], + "Tags": [ + "nt2.sys" + ], + "yara": false + }, + { + "Id": "b7ec29c6-e151-4a9f-a293-e61f04ee6489", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create My.sys binPath=C:\\windows\\temp\\My.sys type=kernel && sc.exe start My.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "My.sys", + "SHA256": "d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "My.sys" + ], + "yara": false + }, + { + "Id": "193df066-c27c-4343-a4eb-ad2ac417a4cc", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create nt5.sys binPath=C:\\windows\\temp \\n \\n \\n t5.sys type=kernel && sc.exe start nt5.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "nt5.sys", + "SHA256": "fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533", + "Signature": [], + "Date": "", + "Publisher": "", "Company": "", - "InternalName": "", - "OriginalFilename": "", + "Description": "", + "Product": "", + "ProductVersion": "", "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "nt5.sys" + ], + "yara": false + }, + { + "Id": "902249eb-87cb-4c01-8da7-17675d743cd7", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create WinFlash64.sys binPath=C:\\windows\\temp\\WinFlash64.sys type=kernel && sc.exe start WinFlash64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WinFlash64.sys", + "MD5": "a4fda97f452b8f8705695a729f5969f7", + "SHA1": "8183a341ba6c3ce1948bf9be49ab5320e0ee324d", + "SHA256": "677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf", + "Signature": [ + "Phoenix Technology Ltd.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", "Product": "", "ProductVersion": "", - "Copyright": "", + "FileVersion": "", "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": 
"9fd32632e404f7d009ffe1ed34364539", + "SHA1": "da21f5889f8374c3961856d681adec3d663d2964", + "SHA256": "f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc" + }, + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IofCompleteRequest", + "RtlFreeUnicodeString", "IoCreateSymbolicLink", "IoCreateDevice", - "IoAllocateMdl", + "RtlAnsiStringToUnicodeString", + "RtlInitString", + "IofCompleteRequest", + "MmMapLockedPages", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "MmUnmapIoSpace", "MmMapIoSpace", - "HalTranslateBusAddress" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", 
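Review bot: The new `Commands.Command` strings for the nt2.sys and nt5.sys entries carry a corrupted binPath — `C:\\windows\\temp \\n \\n \\n t2.sys` where the `\\n` of `\\nt2.sys` appears to have been expanded into spaced `\\n` tokens — so the documented load command no longer points at the dropped file; they should read `"Command": "sc.exe create nt2.sys binPath=C:\\windows\\temp\\nt2.sys type=kernel && sc.exe start nt2.sys"` and `"Command": "sc.exe create nt5.sys binPath=C:\\windows\\temp\\nt5.sys type=kernel && sc.exe start nt5.sys"`. This looks like a serialization artifact on backslash-n sequences inherited from the upstream data rather than something introduced by this update, but it is worth fixing or filtering in whatever regenerates this file, since the same pattern would mangle any path or filename that happens to contain `\n`. Separately, the three `"Verified": "FALSE"` samples in this hunk (nt2.sys, My.sys, nt5.sys) ship only a `SHA256` key with no `MD5`/`SHA1`, unlike every other `KnownVulnerableSamples` element here, so the Go side that decodes this should treat a missing or empty hash as "no match" rather than comparing an empty string against a computed digest. The hunk also lists every `Resources` URL twice, once with a leading space, which a consumer that de-duplicates or validates URLs will trip over.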
@@ -46436,6 +32420,13 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", "ValidFrom": "2004-07-16 00:00:00", 
@@ -46451,231 +32442,196 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2006-09-30 00:00:00", - "ValidTo": "2009-11-16 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", + "ValidFrom": "2006-10-17 00:00:00", + "ValidTo": "2007-10-17 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", + "SerialNumber": "2ca9ca93cd9b19a96ddad68aff3a668d", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "WinFlash64.sys" + ], + "yara": false + }, + { + "Id": "b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create WiseUnlo.sys binPath=C:\\windows\\temp\\WiseUnlo.sys type=kernel && sc.exe start WiseUnlo.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + 
"Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69.yara" }, { - "FileName": "amifldrv64.sys", - "MD5": "2971d4ee95f640d2818e38d8877c8984", - "SHA1": "28fa0e9429af24197134306b6c7189263e939136", - "SHA256": "bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248", - "Authentihash": { - "MD5": "fac2590714168b1e586ff99a1f2322de", - "SHA1": "2d6cd59a2df6883bfec777ddfe7d10c50555e2cb", - "SHA256": "846cc7c9bf2eab3400e66481568a010fb0dfbac01416a99258a4baabf1e10d35" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IoAllocateMdl", - "MmMapIoSpace", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - 
"Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2010-05-07 00:00:00", - "ValidTo": "2012-05-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1ecbf523c0f14748fe14841dbb88c365", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "FileName": 
"amifldrv64.sys", - "MD5": "2503c4cf31588f0b011eb992ca3ee7ff", - "SHA1": "e700fcfae0582275dbaee740f4f44b081703d20d", - "SHA256": "c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247", + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "WiseUnlo.sys", + "MD5": "356bda2bf0f6899a2c08b2da3ec69f13", + "SHA1": "b9807b8840327c6d7fbdde45fc27de921f1f1a82", + "SHA256": "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69", + "Signature": [ + "Lespeed Technology Co., Ltd", + "COMODO RSA Extended Validation Code Signing CA", + "Sectigo (formerly Comodo CA)" + ], + "Date": "", + "Publisher": "", + "Company": "WiseCleaner.com", + "Description": "WiseUnlo", + "Product": "WiseUnlo", + "ProductVersion": "1.0.2.13", + "FileVersion": "1.0.2.13", + "MachineType": "AMD64", + "OriginalFilename": "WiseUnlo.sys", "Authentihash": { - "MD5": "b1ea291940f1ae17794e05b8275fd130", - "SHA1": "dc0d3d244d27b85e10135fff8d34a76c17022ee1", - "SHA256": "96cb847fab0befab75a6f39080dd444d022d4bec73017c9d7187fe6282a0faa1" + "MD5": "6d1e6e5682f9a5e8a64dc8d2ec6ddfac", + "SHA1": "49fb554b77c8d533e4a1ff30bbc60ef7f80b7055", + "SHA256": "c36ace67f4e25f391e8709776348397e4fd3930e641b32c1b0da398e59199ca7" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "WiseUnlo.sys", + "Copyright": "Copyright © 2015", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + 
"ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "MmFreeContiguousMemory", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "MmGetPhysicalAddress", - "MmMapIoSpace", - "PsGetVersion", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "DbgPrint", "IoDeleteSymbolicLink", + "IoGetRelatedDeviceObject", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", + "IoFileObjectType", + "ZwClose", "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "IoFreeIrp", + "IoAllocateIrp", "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", - "KeBugCheckEx", - "MmMapLockedPagesSpecifyCache", - "MmUnmapIoSpace", - "HalTranslateBusAddress" + "DbgPrint", + "IofCallDriver" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", + "ValidFrom": "2014-12-03 00:00:00", + "ValidTo": "2029-12-02 23:59:59", + "Signature": 
"664eecb716776f11e81b5d6a4ed9f28b6cb15628408bc031c49948233df80ee88097ef6d200b1f13c486fb173415e18e54f7c2b8007315e028d9dabafa8254c2f7ebbfc336d0309fe5a11c94dfef7ce8f62c78a2accf266a15a11531d6313498bd534fc48483a3c4965c3dd8fed6f954ff67936df83e2b6b2ca2087c5648813218b26eac90c1dbe4de398b86e5c7184059a4df9647bab27fb1f8570f858074380e3a58621efe52e3e6ae530986fe8f9bdb5656cc07b089c104f1530b6c6f77ecb21fecf65b4043600f1bab1854b410048ef80ee9cb83b17af2344e6a544ce9832ae9b030251cce628e0eeb85e629feb14ae3f2ae3c91f54ca1bec8170e5cbb424de31a8a92cd3e207edde975b1ea1f745c9e54c29437b261dd0716597f968016e099b5d26eb0c9230615acd123f4338bce75f0c186d3ffe12efa904ffe46f9bbdb4fbbb7fed10d2b04f1d2d195852c8a2eb88556f2c38452a1e933b1eb50c8a1b09fe3c38b3a879ee755d3d36d3417300d68220bd5b9ed733572c3eda737cde343ae45cd34bf28ca8762ed43a4affacb31cb215861465eb6c67aa61e532aa8f85c511f3a5a100f28c0e4748b74c604aaf84b26280a3289db9d2a60716ac3964e16b963bf6195678c4b2ebbb04e83e94d31e58e2722f53c267b4491d3d45af0d37cf438be149a990e8bb15beae48b0f119d7742821c5c3ad4daab882f8d573054", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2011-04-11 22:06:20", + "ValidTo": "2021-04-11 22:16:20", + "Signature": 
"81980792fe6f325fd9d24bf57dd971e0fdfc169205b4ce67f5cc4bd4c7109854fa521b48582f73bf19d937a0ad33f351052379d9b277648aebbdc3b39db7b1e637d1d2597e41d98fb314ab15774d6cda40245bb207b8582c4b0c2b5351b3df2eb976ac69c9c2ed64377b8d217accdc9fbc172804cc2547242a85cc56e639398775181f46f6910faa46fa4de64754e2322c76eefbcdbd62e1962429064b0cfe344ae9101d74e57a2f954bcc6ebafdd7355f91e45942defb008e08f151512d62258415081911864061d52553232c297738cc58d38c5fbc19b866064c6310dbb2ac306c16bc8bbcd21bc603131546a550f49a9684bb721038db519ad4c55327cbbf28159e086b3d3f4cc00c911cbf19848b3751a0199d8555c55da56479ef10a5ebf4231cda6fe32e7d17b037761f4d8dc102411f363e067bc5b7602d416251dedde4512da7de81f4c3e0e0e9c31680dd9c497d17cfcb556307d66952f4a49d248dbe1bc98099874548cb49c5ed703500267ca70f7532f7ed088ff0bca560a022d5331efbe5022c95a607f4be14de704c8ea97e41dea9d95064866f9424f7abf683955d0d45d18c238c030a13e40eb943030a4367b3107446e46dbd65de4541867072040bbaddba591f571393b00bedb1144169d3090459c7368e7db64b9df120fcd0f18bbd68ca3eb131cf43d066f5a3ddafb1dcc3178cfa3128c73e4927ab6a1b", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "serialNumber=91110101593898951F, ??=CN, ??=Private Organization, C=CN, postalCode=100028, ST=Beijing Shi, L=Beijing, ??=Chaoyang District, ??=Room 1610, Haocheng Building, No.9 Building, No.6 Courtyard, Zuojiazhuang Middle Street, O=Lespeed Technology Co., Ltd, CN=Lespeed Technology Co., Ltd", + "ValidFrom": "2020-07-09 00:00:00", + "ValidTo": "2023-07-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - 
"Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "2e4a279bde2eb688e8ab30f5904fa875", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" } ] } ] - }, + } + ], + "Tags": [ + "WiseUnlo.sys" + ], + "yara": true + }, + { + "Id": "275c80c5-a67c-4536-b29e-4e481242cb01", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create RTCore64.sys binPath=C:\\windows\\temp\\RTCore64.sys type=kernel && sc.exe start RTCore64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "amifldrv64.sys", - "MD5": "e5e8ecb20bc5630414707295327d755e", - "SHA1": "06ecf73790f0277b8e27c8138e2c9ad0fc876438", - "SHA256": "e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f", + "FileName": "RTCore64.sys", + "MD5": "3ecd3ca61ffc54b0d93f8b19161b83da", + "SHA1": "4f376b1d1439477a426ef3c52e8c1c69c2cb5305", + "SHA256": "03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9", "Authentihash": { - "MD5": "83a8c462f323e93e725875f6e96c8727", - "SHA1": "c42feaa6c9788b7161b765f725070204f7b5e3ec", - "SHA256": "709ab95302bb44c7a7dafaf342ca933422ea03ed7b492be204a319161feb350e" + "MD5": "a17d227444e090ff69e24fcb6d43162b", + "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", + "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" }, "Description": "", "Company": "", 
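Review bot: The new RTCore64.sys record at the end of this hunk does not follow the shape the other new records use, so a typed consumer of drivers.json will hit a type mismatch on it: `"Commands"` is a bare string here, while the WiseUnlo.sys record earlier in the same hunk has `"Commands": { "Command": …, "Description": …, "Usecase": …, "Privileges": …, "OperatingSystem": … }`, and this record's `"Description": []` and `"Person": []` are arrays where the sibling record uses `""`. The sample key is also spelled `"FileName"` here but `"Filename"` in the WiseUnlo sample, and `"CertificatesInfo"` changes type from `[]` to `""` in this hunk and the one before it. I would normalise the RTCore64 entry to the object form — move `"Description"`, `"Usecase"`, `"Privileges"` and `"OperatingSystem"` under `"Commands"` next to `"Command": "sc.exe create RTCore64.sys …"`, set `"Person": ""`, and keep one spelling of the filename key and one type for `"CertificatesInfo"` across the file. Whether the Go structs in pkg/loldrivers tolerate these variants cannot be told from the diff, so it is worth checking the unmarshal path before merging.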
@@ -46692,28 +32648,19 @@
],
"ExportedFunctions": "",
"ImportedFunctions": [
- "ZwMapViewOfSection",
"RtlInitUnicodeString",
- "ZwUnmapViewOfSection",
"ZwClose",
+ "ZwMapViewOfSection",
"ObReferenceObjectByHandle",
"ZwOpenSection",
- "MmUnmapLockedPages",
- "MmFreeContiguousMemory",
- "MmBuildMdlForNonPagedPool",
- "IoFreeMdl",
- "MmMapIoSpace",
- "MmMapLockedPagesSpecifyCache",
- "IoAllocateMdl",
- "MmAllocateContiguousMemory",
"IoDeleteSymbolicLink",
- "IoDeleteDevice",
"IofCompleteRequest",
+ "MmIsAddressValid",
+ "ZwUnmapViewOfSection",
"IoCreateSymbolicLink",
"IoCreateDevice",
- "KeBugCheckEx",
- "MmGetPhysicalAddress",
- "MmUnmapIoSpace",
+ "__C_specific_handler",
+ "IoDeleteDevice",
"HalTranslateBusAddress"
],
"Signatures": [
@@ -46722,59 +32669,66 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping 
Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", + "ValidFrom": "2008-08-28 09:49:45", + "ValidTo": "2011-08-28 09:49:45", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "0100000000011c08b7f67e", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "amifldrv64.sys", - "MD5": "1f7b2a00fe0c55d17d1b04c5e0507970", - "SHA1": "eb1ecad3d37bb980f908bf1a912415cff32e79e6", - "SHA256": "fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2", + "FileName": "RTCore64.sys", + "MD5": "925ee3f3227c3b63e141ba16bd83f024", + "SHA1": "57ea07ab767f11c81c6468b1f8a3d5f4618b800b", + "SHA256": "0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8", "Authentihash": { - "MD5": "9e725819820804fbf377917e9e7a3333", - "SHA1": "b0ec7d971da8ae84c0ed8f88a5d46b23996e636c", - "SHA256": "038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": 
"38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, "Description": "", "Company": "", @@ -46791,28 +32745,20 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlInitUnicodeString", "ZwClose", "ZwMapViewOfSection", "ObReferenceObjectByHandle", "ZwOpenSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmUnmapLockedPages", - "IoDeleteDevice", + "MmMapIoSpace", "IoDeleteSymbolicLink", "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "IoAllocateMdl", - "MmMapIoSpace", + "__C_specific_handler", + "IoDeleteDevice", "HalTranslateBusAddress" ], "Signatures": [ 
@@ -46821,68 +32767,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2006-09-30 00:00:00", - "ValidTo": "2009-11-16 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "amifldrv.sys", - "MD5": "7b9717c608a5f5a1c816128a609e9575", - "SHA1": "ec457a53ea03287cbbd1edcd5f27835a518ef144", - "SHA256": "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f", + "FileName": "rtcore64.sys", + "MD5": "483abeee17e4e30a760ec8c0d6d31d6d", + "SHA1": 
"f56fec3f2012cd7fc4528626debc590909ed74b6", + "SHA256": "077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356", "Authentihash": { - "MD5": "08cac606d72411c22b1400d755a2b6e3", - "SHA1": "6055dbc453c111e57c85ec8cfad9e6e11421c8d4", - "SHA256": "5167b33a95b4db0a1244cb3b95d4024587d9a5a95222babb033210e6b111d2fb" + "MD5": "5860da7a094c5f2ff2787476c37b4b35", + "SHA1": "da1bd3ad4a8fe1e28c1de28a7bf66ad82da0dd29", + "SHA256": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb" }, - "Description": "AMI Generic Utility Driver", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "amifldrv.sys", - "OriginalFilename": "amifldrv.sys", - "FileVersion": "10.0.10011.16384", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "10.0.10011.16384", - "Copyright": "© Microsoft Corporation. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -46890,35 +32836,23 @@
],
"ExportedFunctions": "",
"ImportedFunctions": [
- "MmMapLockedPagesSpecifyCache",
- "MmUnmapLockedPages",
- "MmAllocateContiguousMemory",
- "MmFreeContiguousMemory",
- "IoAllocateMdl",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
- "RtlInitUnicodeString",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "KeLowerIrql",
- "KfRaiseIrql",
- "MmBuildMdlForNonPagedPool",
"MmUnmapIoSpace",
- "ObReferenceObjectByHandle",
+ "ZwUnmapViewOfSection",
+ "MmMapIoSpace",
"ZwClose",
+ "IofCompleteRequest",
+ "IoDeleteDevice",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
"ZwOpenSection",
+ "KeBugCheckEx",
+ "RtlInitUnicodeString",
"ZwMapViewOfSection",
- "ZwUnmapViewOfSection",
- "ExFreePoolWithTag",
- "MmGetSystemRoutineAddress",
- "PsGetVersion",
- "ExAllocatePoolWithQuotaTag",
- "ZwQuerySystemInformation",
- "MmMapIoSpace",
- "RtlCompareMemory",
+ "ObReferenceObjectByHandle",
+ "IoDeleteSymbolicLink",
+ "__C_specific_handler",
+ "HalGetBusDataByOffset",
+ "HalSetBusDataByOffset",
"HalTranslateBusAddress"
],
"Signatures": [
@@ -46927,226 +32861,150 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", - "ValidFrom": "2017-08-30 00:00:00", - "ValidTo": "2020-09-24 12:00:00", - "Signature": "5a00ce1b66cc04a3be37c0926957fc54b1f2904c69a3555d90a15e3c7b7133e76583a0fe5c13c21cdddda40e6f0ba958964796abcfbb7fbe4de15a009f80e653556e29cac9d208645b8154f52f6045fa268f6e6b57536f21833f2cc92c5e9a51636cfeaa74f0b8ab80a8649d68c7c46f51a534c0697a426aa37337c7956268f4cdc8d88adbd1aa0cb620abeb7166172e914016c84e00824751b4f7142b54c56b74d578fd97aadda3e8e777ec22c34460a8dc7e0392a9adab018b16699d9ddd7551fd5c5924f3d1ccb9e6ef67ca0ab2107d1abf158add6d42ba18dee5ec35e3445627df4744d71f73ee3a199aaa42993ebaaa7f91f8b6d1b623350744853c1b38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code 
Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "O=GlobalSign, OU=GlobalSign Root CA , R3, CN=GlobalSign", + "ValidFrom": "2015-06-04 17:47:53", + "ValidTo": "2025-06-04 17:47:53", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, serialNumber=22178368, ??=TW, C=TW, ST=New Taipei, L=New Taipei, ??=NO.69, LI,DE ST., ZHONGHE DIST., O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2019-09-16 08:28:21", + "ValidTo": "2022-09-16 08:28:21", + "Signature": "31d3e258a115d41cea97ae1122b5482d2df37785b800cd8b16ee0e42b12a04e5b75d4c3447e1ffb7da8be87e733164fd2ed0020ab3d1010bf21a78cda4d031c4a75cec091a5072b44e8946476eb7c04c69e2e46af012ce640075751baf523140e803c62108f3b9efff3024a0e27138ba6763d36ca957fb480006e9b824f677b980edb98903a116d529b318753b539854a15778dacc6e4db10e4f3c5748b399f7270b244fe83e59743dbe4576c110bde088b2224d91e0c32bc8e4e5c7a61516602b962d66b01a46ccd5814a71bf9e99aac9604179d90230caea6c1229ecd20d2638084d62ff053dcf29675a0a44de07b9e75d5c3f8aeb66900828b949ea9289a8", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV 
Code Signing CA (SHA2)" + "SerialNumber": "6a7bb9e55c0bbf1def6c739c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" } ] } ] - } - ], - "Tags": [ - "amifldrv64.sys" - ] - }, - { - "Id": "b72f7335-6f27-42c5-85f5-ed7eb9016eac", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrAutoChkUpdDrv.sys binPath=C:\\windows\\temp\\AsrAutoChkUpdDrv.sys type=kernel && sc.exe start AsrAutoChkUpdDrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "AsrAutoChkUpdDrv.sys", - "MD5": "75d6c3469347de1cdfa3b1b9f1544208", - "SHA1": "6523b3fd87de39eb5db1332e4523ce99556077dc", - "SHA256": "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "ASROCK Incorporation", - "Company": "ASRock Incorporation", - "Description": "AsrAutoChkUpdDrv Driver", - "Product": "AsrAutoChkUpdDrv Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "AsrAutoChkUpdDrv.sys", + "FileName": "RTCore64.sys", + "MD5": "c508d28487121828c3a1c2b57acb05be", + "SHA1": "7c43d43d95232e37aa09c5e2bcd3a7699d6b7479", + "SHA256": "0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3", "Authentihash": { - "MD5": "18d039cb3a6ac52395a74fb8189c4110", - "SHA1": "2eaa89604fa6e129825219b0debb59e775949672", - "SHA256": "d3d601c77d4bb367ab3105920ca8435aa775448a49c1eda6ac6f46ee5d8709cb" + 
"MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, - "InternalName": "AsrAutoChkUpdDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", "RtlInitUnicodeString", - "IoDeleteDevice", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "MmMapIoSpace", + "IoDeleteSymbolicLink", "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time 
Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "AsrAutoChkUpdDrv.sys" - ] - }, - { - "Id": "90ecbbf7-b02f-424d-8b7d-56cc9e3b5873", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create eneio64.sys binPath=C:\\windows\\temp\\eneio64.sys type=kernel && sc.exe start eneio64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "eneio64.sys", - "MD5": "66066d9852bc65988fb4777f0ff3fbb4", - "SHA1": "24343ec4dfec11796a8800a3059b630e8be89070", - "SHA256": "38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0", + "FileName": "RTCore64.sys", + "MD5": "08c1bce6627764c9f8c79439555c5636", + "SHA1": "4d4535c111c7b568cb8a3bece27a97d738512a6b", + "SHA256": "1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb", "Authentihash": { - "MD5": "2a99d8330fe122a45ba45dcf897c1bf9", 
- "SHA1": "b4afe8a5554e68bf22994725cf096b77430a9cf1", - "SHA256": "b45d78a6780f125143dbd198ac2439be78424e7ae37a4234541ecb327dc190c1" + "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", + "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", + "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" }, "Description": "", "Company": "", @@ -47163,21 +33021,23 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "DbgPrint", - "ZwClose", "ZwOpenSection", - "ZwMapViewOfSection", + "MmMapIoSpace", + "__C_specific_handler", + "ZwClose", "ZwUnmapViewOfSection", - "KeBugCheckEx", - "ObfDereferenceObject", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", "RtlInitUnicodeString", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -47185,66 +33045,59 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "EneIo64.sys", - "MD5": "86fd54c56dcafe2de918c36f8dfda67e", - "SHA1": 
"0b01c4c1f18d72eb622be2553114f32edfe7b7aa", - "SHA256": "9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3", + "FileName": "RTCore64.sys", + "MD5": "2d91d45cd09dfc3f8e89da1c261fd1ac", + "SHA1": "634b1e9d0aafac1ec4373291cefb52c121e8d265", + "SHA256": "18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c", "Authentihash": { - "MD5": "6055cbe0b4c535baa8c15473fc97e61a", - "SHA1": "ce280412dd778cafbe6dbb05b8cab42e98d3ae56", - "SHA256": "795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5" + "MD5": "a17d227444e090ff69e24fcb6d43162b", + "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", + "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" }, "Description": "", "Company": "", @@ -47256,40 +33109,24 @@ "Copyright": "", "MachineType": "AMD64", "Imports": [ - "cng.sys", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "BCryptCloseAlgorithmProvider", - "BCryptGetProperty", - "BCryptDecrypt", - "BCryptImportKey", - "BCryptDestroyKey", - "BCryptSetProperty", - "BCryptOpenAlgorithmProvider", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "wcsstr", - "ObfDereferenceObject", + "RtlInitUnicodeString", "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", "ZwUnmapViewOfSection", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetCurrentProcessId", - "RtlTimeToSecondsSince1970", + "IoCreateSymbolicLink", + "IoCreateDevice", "__C_specific_handler", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "RtlInitUnicodeString", - "KeBugCheckEx", - "ObReferenceObjectByHandle", + "IoDeleteDevice", "HalTranslateBusAddress" ], "Signatures": [ 
@@ -47298,1428 +33135,879 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", - "ValidFrom": "2022-06-09 00:00:00", - "ValidTo": "2031-11-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", - "ValidFrom": "2022-03-23 00:00:00", - "ValidTo": "2037-03-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2010-04-14 00:00:00", + "ValidTo": "2012-04-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2022 , 2", - "ValidFrom": "2022-03-29 00:00:00", - "ValidTo": "2033-03-14 23:59:59", - "Signature": 
"0d2d2374a6d1f5f8ea4b993f01e4f60ce4af169dd9b38c9782299c436f012dab38b57011bf84198b3f5de5864fbe933ade2a395a394ed88459a5bc1b98aae86cefd1486919385bcf89391d7070d94edf23226cd5dff659cba1c2ea4c76caa1dca12b96b89b55a91a6b7dd1f502094f82d6a57388c49880dfee4995b7b3ccc5a7ee0ee1ef1e388a9fef11c9314a58b6df387ccbfa5cf7e453bf6e0a7c7ed7de98d52965890fa29cc065f4012265c7ea5e74a65b3592507cf417a687644f3e46891663206bcbf27bd035e34a7048a9b6e71d60bd04221525700672a9443b694711d3eee9c7a03e4f10b93036e4f3aa6909a88b7e64a2659411fb6e32f1f5bb38adcdc09311d532784a4b372a4cf35cdcb685c0bb70305578d698fe546d7f71a9481a78dd46772e1b7ac0338af84a288c12a873cf2df9d323f29e19e00d9428a0ebdb1a51a095828e286ba4ce9d76dea973aa486a5943ae5feaf80f06429ddf066896fe2aa0745b6366de6b2cb878aa4d706df02cf107157e35b4e6b50ca299a5d7156b350e85d6e02ccce00c24b87c520b1e997cefc8c8c58c5869afab3de1cfcc7d15ae14bf8a71dfca97b1d847ea1c85e0454e121c142958cc6fd37fcbbec10e4a6f209caed973325908e72d92a11a11fe3298a65d2b97e08bd39ccc6db50dae47633847175b6f13da6a106e1f49b7445bb4080a875a59047611a1a77702131c", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=16505809, C=TW, L=HSINCHU CITY, O=ENE TECHNOLOGY INC., CN=ENE TECHNOLOGY INC.", - "ValidFrom": "2021-07-06 00:00:00", - "ValidTo": "2024-08-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": 
"C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0d6403ef47571a33435fc827ccefc858", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "eneio64.sys" - ] - }, - { - "Id": "a338a9fc-9fe3-400c-9fe4-69bb7892602d", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create UCOREW64.SYS binPath=C:\\windows\\temp\\UCOREW64.SYS type=kernel && sc.exe start UCOREW64.SYS", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "UCOREW64.SYS", - "MD5": "a17c58c0582ee560c72f60764ed63224", - "SHA1": "bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825", - "SHA256": "a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200", - "Signature": [ - "American Megatrends, Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": 
"RTCore64.sys", + "MD5": "bcd60bf152fdec05cd40562b466be252", + "SHA1": "6ce0094a9aacdc050ff568935014607b8f23ff00", + "SHA256": "3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c", "Authentihash": { - "MD5": "6957cb828dd243621e2e67c948171264", - "SHA1": "c55173b926235b8678bddb9b49a1a8b9a92a1ada", - "SHA256": "f9c290ffc007e94fb61aecff42d267c1e626ec7939025b1a7d7285441d1c490d" + "MD5": "5860da7a094c5f2ff2787476c37b4b35", + "SHA1": "da1bd3ad4a8fe1e28c1de28a7bf66ad82da0dd29", + "SHA256": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "DbgPrint", - "MmUnmapLockedPages", - "MmMapIoSpace", "MmUnmapIoSpace", - "IoFreeMdl", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", "ZwUnmapViewOfSection", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "MmMapIoSpace", + "ZwClose", "IofCompleteRequest", + "IoDeleteDevice", "IoCreateSymbolicLink", "IoCreateDevice", - "ZwClose", - "MmFreeContiguousMemory", + "ZwOpenSection", + "KeBugCheckEx", + "RtlInitUnicodeString", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", + "ValidFrom": "2016-03-16 00:00:00", + "ValidTo": "2024-03-16 00:00:00", + "Signature": "3b41bbc84f561182b719e3d96dc185ae9e690ec84326234b8d44c8e87d5f070e5341d563444a890bb874ac7db578792f8426e2d7f7bad1ae2dfd69cffa7c64dc24162a4adac097a9bbd5dd88e7a1929a0aa5f6f7bace85d6e4e3d455deeddc3e211f1bc87788cffc65fb05b48f12a630d30d66982f6c2e6f85187c8ff5f6fbb1ab10e183270885b07321ba5d2cba8330b73984dd5db67fd28bb455534c42a2bc4a6c78395b631ca37827bfbe34836b6d7b1e60fbc29b0d88ac8c72546bdc3b88ba81525e689783b8ce7fa3cdf9ea2f2676facd0b06ac4344497bf64c9442b2abcfd542d51942696e618664c7b37d078bdbe5767b6e5f65a91690a2cee4ae6492", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=TW, ST=New 
Taipei, L=New Taipei, O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2019-10-21 14:23:20", + "ValidTo": "2020-09-27 12:07:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", - "ValidFrom": "2006-09-30 00:00:00", - "ValidTo": "2009-11-16 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "2636eab537f6156b78af523a", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" } ] } ] - } - ], - "Tags": [ - "UCOREW64.SYS" - ] - }, - { - "Id": "d5118882-6cdd-4b06-8bf4-e9818f16137e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create nt3.sys binPath=C:\\windows\\temp \\n \\n \\n t3.sys type=kernel && sc.exe start nt3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "nt3.sys", - "SHA256": "7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", + "FileName": "RTCore64.sys", + "MD5": "69ac6165912cb263a656497cc70155e6", + "SHA1": "722aa0fa468b63c5d7ea308d77230ae3169d5f83", + "SHA256": "3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6", + "Authentihash": { + "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", + "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", + "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" + }, "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", "Product": "", "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "nt3.sys" - ] - }, - { - "Id": "ca415ed5-b611-4840-bfb2-6e1eacac33d1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Monitor_win10_x64.sys binPath=C:\\windows\\temp\\Monitor_win10_x64.sys type=kernel && sc.exe start Monitor_win10_x64.sys", - "Description": "CVE-2018-16712", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/244386-mta-fairplaykd-driver-reversed-exploited-rpm.html", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - 
"KnownVulnerableSamples": [ - { - "Filename": "Monitor_win10_x64.sys", - "MD5": "988dabdcf990b134b0ac1e00512c30c4", - "SHA1": "ef80da613442047697bec35ea228cde477c09a3d", - "SHA256": "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb", - "Signature": [ - "IObit Information Technology", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "IObit", - "Description": "IObit Temperature Monitor", - "Product": "Advanced SystemCare", - "ProductVersion": "12.0.0.0", - "FileVersion": "1.2.0.11", + "Copyright": "", "MachineType": "AMD64", - "OriginalFilename": "Monitor.sys", - "Authentihash": { - "MD5": "68e5bf10aeb81b2ec77280aec1c2dc22", - "SHA1": "c42802424a1e61cc089ba1f071734b390232aec3", - "SHA256": "2dec76da0b361e4ed49a4015e67cefb0e6b812103d8ebf93b74016d99d9fcfad" - }, - "InternalName": "Monitor.sys", - "Copyright": "© IObit. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", + "__C_specific_handler", + "ZwClose", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", "RtlInitUnicodeString", - "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "__C_specific_handler", + "IofCompleteRequest", + "IoDeleteDevice", "HalSetBusDataByOffset", + "HalTranslateBusAddress", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=Sichuan, L=Chengdu, O=IObit Information Technology, CN=IObit Information Technology", - "ValidFrom": "2018-01-16 00:00:00", - "ValidTo": "2021-03-30 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": 
"13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5cd0502920c27eeaec2a184d0452e53a", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "Monitor_win10_x64.sys" - ] - }, - { - "Id": "892292f9-b87c-40a5-80e5-8c9b02914e8b", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create wantd.sys binPath=C:\\windows\\temp\\wantd.sys type=kernel && sc.exe start wantd.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "wantd.sys", - "MD5": "b0770094c3c64250167b55e4db850c04", - "SHA1": "6abbc3003c7aa69ce79cbbcd2e3210b07f21d202", - "SHA256": "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4", - "Signature": "A required certificate is not within its validity period when verifying against the current system 
clock or the timestamp in the signed file.", - "Date": "11:59 PM 11/27/2013", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", - "Company": "Microsoft Corporation", - "Description": "WAN Transport Driver", - "Product": "Microsoft Windows Operating System", - "ProductVersion": "6.1.7600.1172", - "FileVersion": "6.1.7600.1172", - "MachineType": "AMD64", - "OriginalFilename": "wantd.sys", + "FileName": "RTCore64.sys", + "MD5": "4eb4069c230a5dc40cd5d60d2cb3e0d0", + "SHA1": "cc3e5e45aca5b670035dfb008f0a88cecfd91cf7", + "SHA256": "40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1", "Authentihash": { - "MD5": "1ed42c05e43c14ab16d16fbe8eaed870", - "SHA1": "68cb54489a0556594a28f5f1410cc64d74a1c182", - "SHA256": "a47b9af109988e8e033886638edc84964968eecd0d24483eafaad6a6d68005ea" + "MD5": "bcd9f192e2f9321ed549c722f30206e5", + "SHA1": "8498265d4ca81b83ec1454d9ec013d7a9c0c87bf", + "SHA256": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4" }, - "InternalName": "wantd.sys", - "Copyright": "Microsoft Corporation. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "wcsncmp", - "IoAllocateMdl", - "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "_strnicmp", - "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "_wcsnicmp", - "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", + "MmUnmapIoSpace", + "ZwUnmapViewOfSection", + "MmMapIoSpace", + "ZwClose", "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "atoi", - "_snprintf", - "ZwQuerySystemInformation", - "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", - "RtlImageDirectoryEntryToData", - "KeDetachProcess", - "ZwOpenFile", - "ZwCreateFile", - "PsCreateSystemThread", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeAttachProcess", - "PsGetVersion", - "PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", - "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "ObfDereferenceObject", + "ZwOpenSection", + "KeBugCheckEx", + "RtlInitUnicodeString", + "ZwMapViewOfSection", + "IofCompleteRequest", + "IoDeleteSymbolicLink", + "MmGetSystemRoutineAddress", "IoCreateDevice", - "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "PsLookupThreadByThreadId", - "RtlLengthSid", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + 
"ExFreePoolWithTag", "RtlCreateSecurityDescriptor", - "ZwAllocateVirtualMemory", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", - "ZwDeviceIoControlFile", - "IofCompleteRequest", - "ZwClose", - "MmMapLockedPagesSpecifyCache", - "KeDelayExecutionThread", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "ZwWaitForSingleObject", - "RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", - "NdisFreeMemory", - "NdisMIndicateStatus", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "__C_specific_handler", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": 
"75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", + "ValidFrom": "2016-03-16 00:00:00", + "ValidTo": "2024-03-16 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": 
"8fa91a916d04a637200e8396de23d36b6e1f6edd643d682122b5f84736698ee1a545c724a222b72909cc545aaec6bccd638eb33d5048e5b4ccaecd928d9e288b134a11aabda3efd3b236fcb4a172bf6d9763798c44bc702f7ef3bcdd8253ab1af6ebfa1c97bcb6379ca41c30bcabbc2d4736df922003e871c658f675059a34f00b595a824434aa80e42f84f6475d96c9b6caca9db7a6bae450d3d437b8ba200ed0d3922a5bc459bba16ddb3cce449dc1382aade38dbdcd09771a10be670a02366488b9b31b26eee79e60c446a8bc61336ccf4eb99cb96af09f37feb53d4f9ad34dffde208e4e97a6fd9f09bc4dca1876c9b04d8550f280d21d06f5580407b118", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=New Taipei, L=New Taipei, O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2019-10-21 14:23:20", + "ValidTo": "2020-09-27 12:07:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "2636eab537f6156b78af523a", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" } ] } ] - } - ], - "Tags": [ - "wantd.sys" - ] - }, - { - "Id": "412f4aaf-5525-458c-b87e-311e504b856d", - "Author": "Guus Verbeek", - "Created": "2023-05-07", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create mJj0ge.sys binPath=C:\\windows\\temp\\mJj0ge.sys type=kernel && sc.exe start mJj0ge.sys", - "Description": "The criminals signed their AV-killer malware, closely related to one known as 
BURNTCIGAR, with a legitimate WHCP certificate", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "mJj0ge.sys", - "MD5": "3d0b3e19262099ade884b75ba86ca7e8", - "SHA1": "0883a9c54e8442a551994989db6fc694f1086d41", - "SHA256": "5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RTCore64.sys", + "MD5": "680dcb5c39c1ec40ac3897bb3e9f27b9", + "SHA1": "431550db5c160b56e801f220ceeb515dc16e68d2", + "SHA256": "4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae", "Authentihash": { - "MD5": "83f21305be7f7633dd4c48cf1d523ad9", - "SHA1": "707122f1d7cac4419bd5e5d2da1eb947852d38c0", - "SHA256": "a720c9a95ab33b29c19fc37fed2b4d2079a2e4b9bd861d406043bd6010fc4d71" + "MD5": "a17d227444e090ff69e24fcb6d43162b", + "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", + "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "rand", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", - "DbgPrint", - 
"KeQueryPerformanceCounter" + "RtlInitUnicodeString", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", + "ZwUnmapViewOfSection", + "IoCreateSymbolicLink", + "IoCreateDevice", + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., CN=Beijing JoinHope Image Technology Ltd.", - "ValidFrom": "2014-05-16 00:00:00", - "ValidTo": "2015-05-16 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2010-04-14 00:00:00", + "ValidTo": "2012-04-15 23:59:59", + "Signature": "ba96817224593697c9135d803c5fc87767f2a7ed8fa0aa18eab4030a3daed18c55fb7eda8835d0488d18136c0db39d8edf3224790842cdf8580b35324631de717e9279d28d605285615341aeea10a73005d59cbe3138bebfa5003cbcf2971249423d820d6d252a18bf4dd124a1ac0c2f66015cbb23690e1b0fb9d5ce3f047663f1fb6735e54f09cfb6162da298bdc956490586cfdadee74a5766c187223e19112d22f59c7f3f325449afebc42689ec4c9399bd0d97397c37230804a4e5bc17e904008aa9c5972e2332302e57648006d057c9ed8c6384fb42d138971c86079b155c202733b837b3eef122c866ce3e6d8a8d9f1685e618cc2466d623d212b73df6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", 
+ "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0a005d2e2bcd4137168217d8c727747c", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "mJj0ge.sys" - ] - }, - { - "Id": "1c6e1d3b-f825-4065-9e0c-83386883e40f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rzpnk.sys binPath=C:\\windows\\temp\\rzpnk.sys type=kernel && sc.exe start rzpnk.sys", - "Description": "A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. 
CVE-2017-9769.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/nomi-sec/PoC-in-GitHub/blob/2a85c15ed806287861a7adec6545c85aec618e3b/2017/CVE-2017-9769.json#L13", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "rzpnk.sys", - "MD5": "4cc3ddd5ae268d9a154a426af2c23ef9", - "SHA1": "684786de4b3b3f53816eae9df5f943a22c89601f", - "SHA256": "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63", - "Signature": [ - "Razer USA Ltd.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Razer, Inc.", - "Description": "Razer Overlay Support", - "Product": "Rzpnk", - "ProductVersion": "1.0.12.10155", - "FileVersion": "1.0.12.10155", - "MachineType": "I386", - "OriginalFilename": "Rzpnk.sys", + "FileName": "RTCore64.sys", + "MD5": "f8fe655b7d63dbdc53b0983a0d143028", + "SHA1": "d9c1913a6c76b883568910094dfa1d67aad80c84", + "SHA256": "53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e", "Authentihash": { - "MD5": "76934be6e996e801ea4d68c504d427c3", - "SHA1": "b2e03d9e602a6026f45c08b686c6810abd43bfac", - "SHA256": "982ad43111d8b7a7900df652c8873eeb6aa485bb429dee6c2ad44acf598bb5e6" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, - "InternalName": "Rzpnk", - "Copyright": "Copyright (C) 2010-2017. 
Razer, Inc.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoAcquireCancelSpinLock", - "IoReleaseCancelSpinLock", - "ObReferenceObjectByHandle", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeAcquireGuardedMutex", - "KeReleaseGuardedMutex", "RtlInitUnicodeString", - "IoCreateDevice", - "IoCreateSymbolicLink", - "PoStartNextPowerIrp", - "IoDeleteDevice", - "KeInitializeEvent", - "PsSetCreateProcessNotifyRoutine", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "ZwSetEvent", - "_wcslwr", - "wcsstr", "ZwClose", - "KeSetEvent", - "ZwWaitForSingleObject", - "_purecall", - "KeGetCurrentThread", - "_vsnprintf", - "swprintf", - "PsLookupProcessByProcessId", - "PsReferencePrimaryToken", - "SeQueryInformationToken", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlEqualSid", - "PsDereferencePrimaryToken", - "MmGetSystemRoutineAddress", - "MmIsAddressValid", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "wcsrchr", - "ZwOpenProcess", - "PsLookupThreadByThreadId", - "ObOpenObjectByPointer", - "PsThreadType", - "ZwCreateEvent", - "PsGetCurrentProcessId", - "ZwOpenProcessTokenEx", - "ZwQueryInformationToken", - "RtlSubAuthorityCountSid", - "KeTickCount", - "KeBugCheckEx", - "ObfDereferenceObject", - "sprintf", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", "IofCompleteRequest", - "memcpy", - "memset", - "RtlUnwind", - "KfAcquireSpinLock", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "KfReleaseSpinLock" + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - 
"CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=California, L=Irvine, O=Razer USA Ltd., CN=Razer USA Ltd.", - "ValidFrom": "2016-02-10 00:00:00", - "ValidTo": "2019-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1834b81889070312b5c4ca72ea419a5e", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "rzpnk.sys" - ] - }, - { - "Id": "70acea34-7ed2-42d5-885c-eca3c2de640c", - "Author": "Michael Haag, Guus Verbeek", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Sense5Ext.sys binPath=C:\\windows\\temp\\Sense5Ext.sys type=kernel && sc.exe start Sense5Ext.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - 
"OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "Sense5Ext.sys", - "MD5": "f9844524fb0009e5b784c21c7bad4220", - "SHA1": "e6765d8866cad6193df1507c18f31fa7f723ca3e", - "SHA256": "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "Sense5 CORP", - "Description": "Sense5 Driver", - "Product": "", - "ProductVersion": "2.6.0.0", - "FileVersion": "2.6.0.0", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RTCore64.sys", + "MD5": "880611326b768c4922e9da8a8effc582", + "SHA1": "96323381a98790b8ffac1654cb65e12dbbe6aff1", + "SHA256": "5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2", "Authentihash": { - "MD5": "0b2ce413f69677a0bf78a40ed0d081a7", - "SHA1": "af83d2f800c68099976dcf75ee31681708d32ed9", - "SHA256": "13cd99ff2120d9fd651814d826b6c8481d549f684a8fbfb2d8775c9faa1c27f5" + "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", + "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", + "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" }, + "Description": "", + "Company": "", "InternalName": "", - "Copyright": "Copyright (C) 2022", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "ntoskrnl.exe", - "HAL.dll", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoGetCurrentProcess", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "PsGetCurrentProcessId", - "NtBuildNumber", - "RtlTimeToTimeFields", - 
"ExSystemTimeToLocalTime", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "_snprintf", - "_vsnprintf", - "ZwQueryInformationFile", - "ZwReadFile", - "strcmp", - "strncmp", - "RtlCompareMemory", - "RtlImageNtHeader", - "RtlCompareUnicodeString", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "isupper", - "isdigit", - "tolower", - "strlen", - "_stricmp", - "strstr", - "wcscat", - "wcslen", - "RtlInitAnsiString", - "RtlQueryRegistryValues", - "RtlAnsiStringToUnicodeString", - "RtlCompareUnicodeStrings", - "ExAllocatePool", - "MmGetSystemRoutineAddress", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "PsSetCreateProcessNotifyRoutineEx", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "ZwOpenProcess", - "PsGetProcessPeb", - "PsGetProcessSessionId", - "RtlRandomEx", - "KeBugCheckEx", - "RtlInitUnicodeString", - "_stricmp", - "NtQuerySystemInformation", + "ZwOpenSection", + "MmMapIoSpace", + "__C_specific_handler", "ZwClose", - "ZwQueryValueKey", - "ZwOpenKey", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", "RtlInitUnicodeString", - "ZwWaitForSingleObject", - "ZwDeviceIoControlFile", - "ZwOpenFile", - "_wcsnicmp", - "ZwEnumerateKey", - "ZwCreateEvent", - "MmGetSystemRoutineAddress", - "ZwCreateFile", - "__C_specific_handler", - "KeSetSystemAffinityThread", - "KeQueryActiveProcessors", - "KeQueryTimeIncrement", - "DbgBreakPointWithStatus", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "IoAllocateMdl", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "MmProbeAndLockPages", - "KeWaitForSingleObject", - "KeReleaseMutex", - "KeInitializeMutex", - "ExFreePoolWithTag", - "ExAllocatePool", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", - 
"KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter" + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR 
INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "Filename": "Sense5Ext.sys", - "MD5": "4e1f656001af3677856f664e96282a6f", - "SHA1": "bc62fe2b38008f154fc9ea65d851947581b52f49", - "SHA256": "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Sense5 CORP", - "Description": "Sense5 Driver", - "Product": "", - "ProductVersion": "2.5.0.0", - "FileVersion": "2.5.0.0", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RTCore64.sys", + "MD5": "515c75d77c64909690c18c08ef3fc310", + "SHA1": "7877bd7da617ec92a5c47f0da1f0abcf6484d905", + "SHA256": "5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3", "Authentihash": { - "MD5": "2855f88dffa0bb68f988d5c116b336fb", - "SHA1": "169b81ce8a74d3a404384ad3e90ac3b053323d50", - "SHA256": "dcfab3c5f99c15cbb7df17c59914af551b90e0ed3c1dc040bad9927b12b67125" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, + "Description": "", + "Company": "", "InternalName": "", - "Copyright": 
"Copyright (C) 2022", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "ntoskrnl.exe", - "HAL.dll", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoGetCurrentProcess", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "PsGetCurrentProcessId", - "NtBuildNumber", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "_snprintf", - "_vsnprintf", - "ZwQueryInformationFile", - "ZwReadFile", - "strcmp", - "strncmp", - "RtlCompareMemory", - "RtlImageNtHeader", - "RtlCompareUnicodeString", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "isupper", - "isdigit", - "tolower", - "strlen", - "_stricmp", - "strstr", - "wcscat", - "wcslen", - "RtlInitAnsiString", - "RtlQueryRegistryValues", - "RtlAnsiStringToUnicodeString", - "RtlCompareUnicodeStrings", - "ExAllocatePool", - "MmGetSystemRoutineAddress", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "PsSetCreateProcessNotifyRoutineEx", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "ZwOpenProcess", - "PsGetProcessPeb", - "PsGetProcessSessionId", - "RtlRandomEx", - "KeBugCheckEx", "RtlInitUnicodeString", - "_stricmp", - "NtQuerySystemInformation", "ZwClose", - "ZwQueryValueKey", - "ZwOpenKey", - "RtlInitUnicodeString", - "ZwWaitForSingleObject", - "ZwDeviceIoControlFile", - "ZwOpenFile", - "_wcsnicmp", - "ZwEnumerateKey", - "ZwCreateEvent", - "MmGetSystemRoutineAddress", - "ZwCreateFile", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", "__C_specific_handler", - "KeSetSystemAffinityThread", - "KeQueryActiveProcessors", - "KeQueryTimeIncrement", - "DbgBreakPointWithStatus", - "RtlTimeToTimeFields", - 
"ExSystemTimeToLocalTime", - "IoAllocateMdl", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "MmProbeAndLockPages", - "KeWaitForSingleObject", - "KeReleaseMutex", - "KeInitializeMutex", - "ExFreePoolWithTag", - "ExAllocatePool", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter" + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2010-04-14 00:00:00", + "ValidTo": 
"2012-04-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "Sense5Ext.sys" - ] - }, - { - "Id": "20076ebf-4427-4056-b035-5238f95debe9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BSMIXP64.sys binPath=C:\\windows\\temp\\BSMIXP64.sys type=kernel && sc.exe start BSMIXP64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "BSMIXP64.sys", - "MD5": "fac8eb49e2fd541b81fcbdeb98a199cb", - "SHA1": "9a35ae9a1f95ce4be64adc604c80079173e4a676", - "SHA256": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347", - "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", + "FileName": "RTCore64.sys", + "MD5": "6fa271b6816affaef640808fc51ac8af", + "SHA1": "5291b17205accf847433388fe17553e96ad434ec", + "SHA256": "696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a", + "Authentihash": { + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + }, + "Description": "", "Company": "", - "Description": "SMI Driver", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", "Product": "", - "ProductVersion": "1.0.0.3", - "FileVersion": "1.0.0.3", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", - "OriginalFilename": "BSMI.sys", - "Authentihash": { - "MD5": "0dea670f26bf6bf65701c4aa0dd89079", - "SHA1": "cc071f9cc1cb577b22824d401b63508f61cd76c0", - "SHA256": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7" - }, - "InternalName": "BSMI.sys", - "Copyright": "Copyright (C) BIOSTAR Corp. 
2011", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "IoDeleteDevice", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "MmMapIoSpace", + "IoDeleteSymbolicLink", "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "RtlAssert", - "DbgPrint", - "KeBugCheckEx" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2010-09-19 00:00:00", - "ValidTo": "2013-10-19 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "BSMIXP64.sys" - ] - }, - { - "Id": "8ff4ab50-05b7-4bfa-b994-1920c4ed4978", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create ncpl.sys binPath=C:\\windows\\temp \\n \\n \\n cpl.sys type=kernel && sc.exe start ncpl.sys", - "Description": "ncpl.sys is a vulnerable driver. 
CVE-2013-3956.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "ncpl.sys", - "MD5": "a26e600652c33dd054731b4693bf5b01", - "SHA1": "bbc1e5fd826961d93b76abd161314cb3592c4436", - "SHA256": "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44", - "Signature": [ - "Novell, Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "Novell, Inc.", - "Description": "Novell Client Portability Layer", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "FileVersion": "3.1.11.0", - "MachineType": "AMD64", - "OriginalFilename": "NICM.SYS", + "FileName": "RTCore64.sys", + "MD5": "d63c9c1a427a134461258b7b8742858f", + "SHA1": "ef0504dd90eb451f51d2c4f987fb7833c91c755b", + "SHA256": "6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293", "Authentihash": { - "MD5": "f3387f3cdaec9306dcc5205eebaf3faf", - "SHA1": "eecf71aa5767c90ead5f86f5438951f4c764b655", - "SHA256": "7b68763c39b45534854ec382434fd5a9640942c1f7393857af642ee327d4c570" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, + "Description": "", + "Company": "", "InternalName": "", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ZwCreateKey", - "ExFreePoolWithTag", - "ExReleaseFastMutex", - "ExAcquireFastMutex", "RtlInitUnicodeString", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwEnumerateValueKey", "ZwClose", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "ZwDeleteKey", - "ZwEnumerateKey", - "ZwOpenKey", - "DbgPrintEx", - "RtlUpcaseUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlUnicodeStringToOemString", - "RtlFreeUnicodeString", - "RtlOemStringToUnicodeString", - "RtlFreeAnsiString", - "DbgPrint", - "KeReleaseSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "RtlInitString", - "RtlEqualUnicodeString", - "RtlCompareString", - "RtlCopyString", - "KeReleaseMutex", - "RtlEqualString", - "RtlUnicodeStringToInteger", - "ExAcquireResourceExclusiveLite", - "KeResetEvent", - "KeInitializeMutex", - "KeLeaveCriticalRegion", - "KeSetEvent", - "ExIsResourceAcquiredSharedLite", - "ExIsResourceAcquiredExclusiveLite", - "KeEnterCriticalRegion", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "ExDeleteResourceLite", - "ExInitializeResourceLite", - "KeWaitForMultipleObjects", - "KeSetPriorityThread", - "IoDeleteDevice", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", "IoCreateDevice", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "RtlCompareMemory", - "IoUninitializeWorkItem", - "IoFreeWorkItem", - "KeInitializeDpc", - 
"KeInitializeTimer", - "KeDelayExecutionThread", - "IoAllocateWorkItem", - "KeSetTimer", - "IoInitializeWorkItem", - "IoQueueWorkItem", - "KeCancelTimer", - "KeBugCheckEx", - "RtlCompareUnicodeString", - "KeInitializeEvent", - "NicmCreateInstance" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2010-04-03 00:00:00", - "ValidTo": "2013-04-26 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -48728,61 +34016,49 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2012-02-29 00:00:00", + "ValidTo": "2014-04-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "26d7f5563eb3e42a81f7c715fcd2799d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "ncpl.sys" - ] - }, - { - "Id": "7a722cd5-69ec-4680-9f20-9387f249a891", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "TRUE", - "Commands": "sc.exe create ElbyCDIO.sys binPath=C:\\windows\\temp\\ElbyCDIO.sys type=kernel && sc.exe start ElbyCDIO.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "ElbyCDIO.sys", - "MD5": "702d5606cf2199e0edea6f0e0d27cd10", - "SHA1": "879e327292616c56bd4aafc279fbda6cc393b74d", - "SHA256": "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4", + "FileName": "RTCore64.sys", + "MD5": "3a7c69293fcd5688cc398691093ec06a", + "SHA1": "aadebbcbde0e7edd35e29d98871289a75e744aad", + "SHA256": "7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd", "Authentihash": { - "MD5": "350ab25a105b2fee583f1b903d48788e", - "SHA1": "23a6345ab41ff68e31cef025de23cc8c81c90725", - "SHA256": "86236392bb2cc77100bd83d34a30e3fb60aa727d0b11c147a838d9a205bae80e" + "MD5": "a17d227444e090ff69e24fcb6d43162b", + "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", + "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" }, - "Description": "ElbyCD Windows x64 I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 3, 2", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2009 Elaborate Bytes AG", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -48790,46 +34066,20 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeWaitForSingleObject", - "KeReleaseMutex", - "__C_specific_handler", - "ProbeForRead", - "ProbeForWrite", - "ZwReadFile", - "ZwWriteFile", - "ZwCreateFile", "RtlInitUnicodeString", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwOpenFile", "ZwClose", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "PsTerminateSystemThread", - "ZwSetInformationThread", - "ObfDereferenceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeInitializeEvent", - "PsGetCurrentProcessId", - "IofCompleteRequest", - "KeInitializeMutex", - "ExAllocatePool", - "ExFreePool", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", + "ZwOpenSection", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "MmIsAddressValid", + "ZwUnmapViewOfSection", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", - "KeSetEvent", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -48837,115 +34087,89 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": 
"bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2008-12-23 13:26:11", - "ValidTo": "2011-12-23 13:26:11", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2008-04-16 00:00:00", + "ValidTo": "2010-04-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root 
CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011e643e96d0", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "546ea040bf5075ce0a5c01d4c6ded19d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "945ef111161bae49075107e5bc11a23f", - "SHA1": "ea37a4241fa4d92c168d052c4e095ccd22a83080", - "SHA256": "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445", + 
"FileName": "RTCore64.sys", + "MD5": "d5e76d125d624f8025d534f49e3c4162", + "SHA1": "8a23735d9a143ad526bf73c6553e36e8a8d2e561", + "SHA256": "7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35", "Authentihash": { - "MD5": "5560e048b895a592a481f9340852e3cd", - "SHA1": "1e73dbe3d0bed9def62c1f76a0c58aa6c61e8f74", - "SHA256": "d378162a47648bed192270ab4ddd67c99b4ebe8093a267fa1fe1e092559504b0" + "MD5": "a17d227444e090ff69e24fcb6d43162b", + "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", + "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 0, 2", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "RtlFreeUnicodeString", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoFreeMdl", - "MmUnlockPages", - "KeReleaseMutex", - "MmProbeAndLockPages", - "IoAllocateMdl", - "ExFreePool", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExAllocatePool", - "ZwDeleteKey", "ZwClose", - "ZwDeviceIoControlFile", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", + "ZwUnmapViewOfSection", "IoCreateSymbolicLink", - "KeInitializeMutex", "IoCreateDevice", - 
"RtlUnwind", - "KeTickCount", - "MmMapLockedPages", - "IofCompleteRequest", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -48953,131 +34177,90 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 
CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2008-04-16 00:00:00", + "ValidTo": "2010-04-16 23:59:59", + "Signature": "13a3b8caa6bd8d63308898b0c92b79574e5d122a3ecba9758ec450b7c8c848ee5bc486db6370a8dfeb4c96c2c25512f7a3e759cc57a4d92f1a44fba15ca0c1156d22c49251b4e6a01bb93e4a62522ee5af4286c759c01c66fa5ce4452a4f112d03560bfa9737a3d0f3008b3cc48f2042b4428643f1efb4b99a34d0545c9934f1a6f35819e469430b74ba475a2135660948131cf24c9b1fb84580a1fd63eb3218d282e4f7caf77f4adbecb51e4b8237937eda0b7fcc20fc2273bf38282ee69ae6730b21c5314bcdc3f2e3a1e6f6c3ccb2139800f69d3f2fadc235080214f1c9b11e6a8f2165a45e15cca3c3542c2bac7225208a84828456d2e93cfe8315b092a1", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "546ea040bf5075ce0a5c01d4c6ded19d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "24fe18891c173a7c76426d08d2b0630e", - "SHA1": "f640c94e71921479cc48d06b59aba41ffa50a769", - "SHA256": "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185", + "FileName": "rtcore64.sys", + "MD5": "ecdc79141b7002b246770d01606504f2", + "SHA1": 
"4d14d25b540bf8623d09c06107b8ca7bb7625c30", + "SHA256": "8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38", "Authentihash": { - "MD5": "46eca1eab6ab83208b56787f55ed4117", - "SHA1": "1b62759087cbe7f5f9a82477bc2f2b19bb51f41d", - "SHA256": "e35d09a903d76810830aff2fc87bb3071026d982a334b3ee4c68f66cba865109" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 1, 1", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwWriteFile", - "ZwCreateFile", "RtlInitUnicodeString", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwOpenFile", "ZwClose", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "PsTerminateSystemThread", - "ZwSetInformationThread", - "KeWaitForSingleObject", - "KeSetEvent", - "ObfDereferenceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeInitializeEvent", - "KeReleaseMutex", - "PsGetCurrentProcessId", - "IofCompleteRequest", - "KeInitializeMutex", - "ZwReadFile", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", + "ZwOpenSection", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPages", - "MmProbeAndLockPages", - 
"IoAllocateMdl", - "_except_handler3", - "ZwDeleteKey", - "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "KeInitializeSpinLock", - "ExFreePool", - "ExAllocatePool", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49085,135 +34268,90 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": 
"a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2010-04-14 00:00:00", + "ValidTo": "2012-04-15 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "aaa8999a169e39fb8b48ae49cd6ac30a", - "SHA1": "2eeab9786dac3f5f69e642f6e29f4e4819038551", - "SHA256": "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60", + "FileName": "RTCore64.sys", + "MD5": "3aacaa62758fa6d178043d78ba89bebc", + "SHA1": 
"f77413ec3bd9ed3f31fc53a4c755dc4123e0068f", + "SHA256": "862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015", "Authentihash": { - "MD5": "efa9728ff65fc5bd690400a9a6252642", - "SHA1": "b827692fe57b0b51f7671d55c0a5dd6446342acd", - "SHA256": "911541d26b605a97ba099563b9eb7e027c102f139dba5884a57df5a13cf3dcef" + "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", + "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", + "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 1, 0", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwWriteFile", - "ZwClose", - "ZwSetInformationFile", - "ZwQueryInformationFile", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwCreateFile", - "ZwCreateKey", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "ZwQueryValueKey", - "ZwOpenKey", - "ZwSetValueKey", - "ZwSetInformationThread", - "PsTerminateSystemThread", - "KeWaitForSingleObject", - "KeSetEvent", - "ObfDereferenceObject", + "ZwClose", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeInitializeEvent", - "ZwReadFile", - "PsGetCurrentProcessId", - "IofCompleteRequest", - "KeInitializeMutex", - "ExAllocatePool", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", + "ZwOpenSection", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - 
"IoBuildDeviceIoControlRequest", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_except_handler3", - "ZwDeleteKey", - "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "KeInitializeSpinLock", - "ExFreePool", - "KeReleaseMutex", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49221,38 +34359,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 
00:00:00", + "Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
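Review bot: The certificate Subject strings on the new side of this hunk look mangled: `O=MICRO,STAR INTERNATIONAL CO., LTD.`, `O=GlobalSign nv,sa`, `CN=GlobalSign Timestamping CA , G2` and `CN=GlobalSign TSA for MS Authenticode , G1` each carry a comma where these issuers' well-known DNs have a hyphen (MICRO-STAR, nv-sa, "CA - G2", "G1"), and the substitution is regular enough (`-` → `,`, ` - ` → ` , `) to suggest a hyphen-to-comma replacement in whatever regenerated this file rather than genuine DN content — worth confirming against a certificate parsed from one of the listed drivers. The same mangling is present on the removed lines, so the commit does not introduce it, but it refreshes tens of thousands of lines without catching it, and because a comma is also the RDN separator, any consumer that splits Subject/Issuer on `, ` or compares them against a real chain will see a spurious RDN and never match (hash-based matching is unaffected). I would regenerate from the upstream source and pin a known case, e.g. expect `"Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO-STAR INTERNATIONAL CO., LTD., ..."`, or at minimum have the refresh fail when any Subject contains a `,` that is not followed by a space. The KnownVulnerableSamples array and the enclosing driver object start and end outside this hunk.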
@@ -49265,92 +34396,53 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "d21fba3d09e5b060bd08796916166218", - "SHA1": "caa0cb48368542a54949be18475d45b342fb76e5", - "SHA256": "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989", + "FileName": "rtcore64.sys", + "MD5": "4e4b9bdcc6b8d97828ae1972d750a08d", + "SHA1": "82034032b30bbb78d634d6f52c7d7770a73b1b3c", + "SHA256": "9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def", "Authentihash": { - "MD5": "2b8c47b3e15625119ef7576646fdefda", - "SHA1": "5ad820b5cac4e44ded1534169631e7d3fc8547d1", - "SHA256": "8907c476440abdd7f71feb068443a7c9736aa6bf625dfb8b6931c46341aa4abf" + "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", + "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", + "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 0, 7", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwWriteFile", - "ZwClose", - "ZwSetInformationFile", - "ZwQueryInformationFile", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwCreateFile", - "ZwOpenKey", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", 
- "PsTerminateSystemThread", - "ZwQueryInformationProcess", - "ZwSetInformationThread", - "KeReleaseMutex", - "ObfDereferenceObject", - "KeWaitForMultipleObjects", - "PsCreateSystemThread", - "KeWaitForSingleObject", + "ZwClose", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "ZwOpenProcess", - "KeSetEvent", - "KeInitializeEvent", - "ZwReadFile", - "IofCompleteRequest", - "KeInitializeMutex", - "ExAllocatePool", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", + "ZwOpenSection", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_except_handler3", - "ZwDeleteKey", - "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "KeInitializeSpinLock", - "ExFreePool", - "PsGetCurrentProcessId", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49358,38 +34450,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -49402,71 +34487,53 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "b5326548762bfaae7a42d5b0898dfeac", - "SHA1": "f3029dba668285aac04117273599ac12a94a3564", - "SHA256": "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00", + "FileName": "RTCore64.sys", + "MD5": "821adf5ba68fd8cc7f4f1bc915fe47de", + "SHA1": "eb0021e29488c97a0e42a084a4fe5a0695eccb7b", + "SHA256": "aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b", "Authentihash": { - "MD5": "fc16498ddf3716e03fdd527c456ea80b", - "SHA1": "7436e16cf348558015593cbf5ab9c117d97738cc", - "SHA256": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b" + "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", + "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", + "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 0, 1", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2006 Elaborate Bytes AG", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeWaitForSingleObject", - "RtlFreeUnicodeString", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoFreeMdl", - "MmUnlockPages", - "KeReleaseMutex", - "MmProbeAndLockPages", - "IoAllocateMdl", - "ExFreePool", - 
"ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExAllocatePool", - "ZwDeleteKey", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", "ZwClose", - "ZwDeviceIoControlFile", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", - "KeInitializeMutex", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", - "MmMapLockedPages", - "IofCompleteRequest", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49474,38 +34541,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "312a78bb7289ca49f93bb483f0a56c77003b9bc3dda8096af5a455a642aeb201ceaadcacce82396eadef1bc05108e296eae1d8d074949170f28f78fa24bed56e7dca69067866d2d790c10929db5d6e7026906dc96a4c3e2b0254b86328393272826bad272dc3911b2c3ec6832d88e95a696d7e5da86c3f946c306df5a5d7e78b0cba5df4d78035e76fa33c452afc780ffe36246c58fdd0e150d22fce7df4dd954eae19a60009e5b99b8649b6d728a46bd9f90ddfbccb6951dfa7b106a6d0fda3b76b23ef475dcf2d1147ae15d4d34035e1929681fe802dfbc5bbbcd98e107c39cbe07cce6911a9202709853bcc4748fde8dc409b7939be5e4b6c97fb90dc6031", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "11d45d8af43d0d9d7e4fa70071610b56b34caa70e1b2d1dec7886d1d897c2ba946e58b1f8e4cc26695911fe34d394ae31b70b7446edc068a4d6d25e89812dcbca0dd864eae8f81130540905a542529944acaf165b4ef0679dae7cb86f004c918dcee72b320015748dfe333e12ccd9c077f9447278d888d340ca67c5c20c17d07b3736b648c26d29bd7e87965a6a891a174862a050282c1847cf279cd3c2a2b0f99291eea8c8a1ab16aeaa266380e65e1add8c6c91f888d3976ee1782c4138d97ce6341e77af5b4b66c15c33813b3930b620688dde1447f10a950248b60dc05f75ba514b27b56720b96eabffc057090659e051ca4dd07af4b57dec639673bc574", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": 
"2014-08-30 06:46:09", + "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -49518,31 +34578,31 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "e9ccb6bac8715918a2ac35d8f0b4e1e6", - "SHA1": "9feacc95d30107ce3e1e9a491e2c12d73eef2979", - "SHA256": "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d", + "FileName": "RTCore64.sys", + "MD5": "0d5774527af6e30905317839686b449d", + "SHA1": "75d0b9bdfa79e5d43ec8b4c0996f559075723de7", + "SHA256": "ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa", "Authentihash": { - "MD5": "b5cb05a635b6932ea1f7c0ee35592e37", - "SHA1": "e8dc3aa48d494fb2bc096523e11859afdd18b10a", - "SHA256": "e85d36ca271c4d65abc1cdfff0e629dc5d14edb5bf97669badbb40d2715c1d47" + "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", + "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", + "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" }, - "Description": "ElbyCD Windows x64 I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 1, 1", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -49550,53 +34610,21 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ZwReadFile", - "ZwWriteFile", - "ZwCreateFile", "RtlInitUnicodeString", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwOpenFile", "ZwClose", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "PsTerminateSystemThread", - "ZwSetInformationThread", - "KeWaitForSingleObject", - "KeSetEvent", - "ObfDereferenceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeInitializeEvent", - "KeReleaseMutex", - "PsGetCurrentProcessId", - "IofCompleteRequest", - "ExAllocatePool", - "ExFreePool", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", + "ZwOpenSection", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "ZwDeviceIoControlFile", - "ZwDeleteKey", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", - "KeInitializeMutex", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49604,38 +34632,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 
00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -49648,87 +34669,53 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "28cb0b64134ad62c2acf77db8501a619", - "SHA1": "5742ad3d30bd34c0c26c466ac6475a2b832ad59e", - "SHA256": "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47", + "FileName": "RTCore64.sys", + "MD5": "18439fe2aaeddfd355ef88091cb6c15f", + "SHA1": "52d9bbe41eea0b60507c469f7810d80343c03c2b", + "SHA256": "b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47", "Authentihash": { - "MD5": "47a02497d57e9ffa7ab2490d15a0bf90", - "SHA1": "da00f69b9d1e4a997094651f4af2c0faad653a10", - "SHA256": "c1bbe628f79528417ea741dfad2f589fc4e5c62152e632a89ed080da029d5384" + "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", + "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", + "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 1, 2", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwWriteFile", - "ZwCreateFile", "RtlInitUnicodeString", - "swprintf", - "ZwQueryVolumeInformationFile", - "ZwOpenFile", "ZwClose", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "PsTerminateSystemThread", - "KeWaitForSingleObject", - 
"ZwSetInformationThread", - "KeSetEvent", - "ObfDereferenceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "PsCreateSystemThread", - "KeInitializeEvent", - "KeReleaseMutex", - "PsGetCurrentProcessId", - "IofCompleteRequest", - "KeInitializeMutex", - "ZwReadFile", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", + "ZwOpenSection", + "MmMapIoSpace", "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "IoFreeMdl", - "MmUnlockPages", - "MmMapLockedPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_except_handler3", - "ZwDeleteKey", - "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx", - "KeInitializeSpinLock", - "ExFreePool", - "ExAllocatePool", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49736,38 +34723,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "312a78bb7289ca49f93bb483f0a56c77003b9bc3dda8096af5a455a642aeb201ceaadcacce82396eadef1bc05108e296eae1d8d074949170f28f78fa24bed56e7dca69067866d2d790c10929db5d6e7026906dc96a4c3e2b0254b86328393272826bad272dc3911b2c3ec6832d88e95a696d7e5da86c3f946c306df5a5d7e78b0cba5df4d78035e76fa33c452afc780ffe36246c58fdd0e150d22fce7df4dd954eae19a60009e5b99b8649b6d728a46bd9f90ddfbccb6951dfa7b106a6d0fda3b76b23ef475dcf2d1147ae15d4d34035e1929681fe802dfbc5bbbcd98e107c39cbe07cce6911a9202709853bcc4748fde8dc409b7939be5e4b6c97fb90dc6031", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -49780,71 +34760,53 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "ElbyCDIO.sys", - "MD5": "f141db170bb4c6e088f30ddc58404ad3", - "SHA1": "34b0f1b2038a1572ee6381022a24333357b033c4", - "SHA256": "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9", + "FileName": "RTCore64.sys", + "MD5": "4b60ef388071e0baf299496e3d6590ae", + "SHA1": "cf9b4d606467108e4b845ecb8ede2f5865bd6c33", + "SHA256": "b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867", "Authentihash": { - "MD5": "fc16498ddf3716e03fdd527c456ea80b", - "SHA1": "7436e16cf348558015593cbf5ab9c117d97738cc", - "SHA256": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, - "Description": "ElbyCD Windows NT/2000/XP I/O driver", - "Company": "Elaborate Bytes AG", - "InternalName": "ElbyCDIO", - "OriginalFilename": "ElbyCDIO.sys", - "FileVersion": "6, 0, 0, 1", - "Product": "CDRTools", - "ProductVersion": "6, 0, 0, 0", - "Copyright": "Copyright (C) 2000 - 2006 Elaborate Bytes AG", - "MachineType": "I386", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "RtlFreeUnicodeString", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "ZwCreateKey", - "ZwOpenKey", - "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "IoDeleteDevice", - "IofCallDriver", - 
"IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoFreeMdl", - "MmUnlockPages", - "KeReleaseMutex", - "MmProbeAndLockPages", - "IoAllocateMdl", - "ExFreePool", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExAllocatePool", - "ZwDeleteKey", "ZwClose", - "ZwDeviceIoControlFile", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", - "KeInitializeMutex", "IoCreateDevice", - "RtlUnwind", - "KeTickCount", - "MmMapLockedPages", - "IofCompleteRequest", - "KeQueryPerformanceCounter" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -49852,38 +34814,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", - "ValidFrom": "2006-12-07 11:07:29", - "ValidTo": "2008-12-07 11:07:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., 
OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -49896,92 +34837,55 @@
 ],
 "Signer": [
 {
- "SerialNumber": "0100000000010f5c98b8f5",
- "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA"
+ "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c",
+ "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2"
 }
 ]
 }
 ]
 },
 {
- "FileName": "ElbyCDIO.sys",
- "MD5": "0634299fc837b47b531e4762d946b2ae",
- "SHA1": "0a19a9c4c9185b80188da529ec9c9f45cbe73186",
- "SHA256": "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439",
+ "FileName": "RTCore64.sys",
+ "MD5": "aa9adcf64008e13d7e68b56fdd307ead",
+ "SHA1": "562368c390b0dadf2356b8b3c747357ecef2dfc8",
+ "SHA256": "bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63",
 "Authentihash": {
- "MD5": "c18c29b48a4e04a3cd761dc733cfda55",
- "SHA1": "f43590d096d3ed0bbcfd2b0e41a327ba365bd9ec",
- "SHA256": "262268f21c789c2bdaf1950b556456a9a5114ed5759d806200b0cec107bf76d7"
+ "MD5": "538e5e595c61d2ea8defb7b047784734",
+ "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683",
+ "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330"
 },
- "Description": "ElbyCD Windows NT/2000/XP I/O driver",
- "Company": "Elaborate Bytes AG",
- "InternalName": "ElbyCDIO",
- "OriginalFilename": "ElbyCDIO.sys",
- "FileVersion": "6, 0, 0, 4",
- "Product": "CDRTools",
- "ProductVersion": "6, 0, 0, 0",
- "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG",
- "MachineType": "I386",
+ "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
+ "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "ZwWriteFile",
- "ZwClose",
- "ZwSetInformationFile",
- "ZwQueryInformationFile",
- "ZwOpenFile",
- "RtlInitUnicodeString",
- "ZwCreateFile",
- "swprintf",
- "ZwQueryVolumeInformationFile",
- "ZwQuerySymbolicLinkObject",
- "ZwOpenSymbolicLinkObject",
- "PsTerminateSystemThread",
- "ZwQueryInformationProcess",
- "ZwSetInformationThread",
- "KeReleaseMutex",
- "ObfDereferenceObject",
- "KeWaitForMultipleObjects",
- "PsCreateSystemThread",
- "KeWaitForSingleObject",
+ "ZwMapViewOfSection",
 "ObReferenceObjectByHandle",
- "ZwOpenProcess",
- "KeSetEvent",
- "KeInitializeEvent",
- "PsGetCurrentProcessId",
- "ZwReadFile",
- "KeInitializeMutex",
- "ExAllocatePool",
- "RtlFreeUnicodeString",
- "RtlAnsiStringToUnicodeString",
- "RtlInitAnsiString",
- "ZwCreateKey",
- "ZwOpenKey",
- "IoDeleteSymbolicLink",
- "IoDeleteDevice",
- "IofCallDriver",
- "IoBuildDeviceIoControlRequest",
- "IoFreeMdl",
- "MmUnlockPages",
- "MmMapLockedPages",
- "MmProbeAndLockPages",
- "IoAllocateMdl",
- "_except_handler3",
- "ZwDeleteKey",
- "ZwDeviceIoControlFile",
+ "ZwOpenSection",
+ "MmMapIoSpace",
+ "__C_specific_handler",
+ "ZwClose",
+ "ZwUnmapViewOfSection",
+ "MmUnmapIoSpace",
 "IoCreateSymbolicLink",
 "IoCreateDevice",
- "KeTickCount",
- "KeBugCheckEx",
- "KeInitializeSpinLock",
- "ExFreePool",
+ "RtlInitUnicodeString",
+ "IoDeleteSymbolicLink",
 "IofCompleteRequest",
- "KfReleaseSpinLock",
- "KfAcquireSpinLock",
- "KeQueryPerformanceCounter"
+ "IoDeleteDevice",
+ "HalTranslateBusAddress",
+ "HalGetBusDataByOffset",
+ "HalSetBusDataByOffset"
 ],
 "Signatures": [
 {
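Review bot: On the new side `"ExportedFunctions": ""` sits next to `"ImportedFunctions": [ ... ]`, so an empty export list is encoded as an empty string while a populated list is an array; a statically typed consumer (a struct field declared as a string slice, for instance) will either reject the record or mis-parse it depending on which shape it meets first, and the failure is silent if the loader ignores unmarshal errors. The same one-key-two-types problem shows up in the -50033 hunk, where `"CertificatesInfo": ""` becomes `"CertificatesInfo": []` on some samples only. Use `[]` for every collection-valued key and keep a single type per key across the whole file, or document the `""`-means-empty convention where the file is parsed. The new RTCore64.sys record also sets every descriptive field (`Description`, `Company`, `OriginalFilename`, `FileVersion`, `Copyright`, …) to `""`, which leaves a consumer unable to tell "not extracted" from "genuinely empty"; omitting unknown keys, or `null`, would preserve that distinction.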
@@ -49989,38 +34893,31 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch",
- "ValidFrom": "2006-12-07 11:07:29",
- "ValidTo": "2008-12-07 11:07:29",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
- "ValidFrom": "2007-06-15 00:00:00",
- "ValidTo": "2012-06-14 23:59:59",
- "Signature": "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",
+ "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2",
+ "ValidFrom": "2011-04-13 10:00:00",
+ "ValidTo": "2028-01-28 12:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
- "ValidFrom": "2003-12-04 00:00:00",
- "ValidTo": "2013-12-03 23:59:59",
- "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
+ "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2",
+ "ValidFrom": "2011-04-13 10:00:00",
+ "ValidTo": "2019-04-13 10:00:00",
+ "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA",
- "ValidFrom": "1999-01-28 12:00:00",
- "ValidTo": "2014-01-27 11:00:00",
- "Signature": "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",
+ "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2",
+ "ValidFrom": "2016-05-24 00:00:00",
+ "ValidTo": "2027-06-24 00:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA",
- "ValidFrom": "2004-01-22 09:00:00",
- "ValidTo": "2014-01-27 10:00:00",
- "Signature": "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",
+ "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.",
+ "ValidFrom": "2014-06-03 09:16:15",
+ "ValidTo": "2017-09-03 09:16:15",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -50033,705 +34930,418 @@ ], "Signer": [ { - "SerialNumber": "0100000000010f5c98b8f5", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "ElbyCDIO.sys" - ] - }, - { - "Id": "39742f99-2180-46d7-8538-56667c935cc3", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create viragt.sys binPath=C:\\windows\\temp\\viragt.sys type=kernel && sc.exe start viragt.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "viragt.sys", - "MD5": "e79c91c27df3eaf82fb7bd1280172517", - "SHA1": "cb22723faa5ae2809476e5c5e9b9a597b26cab9b", - "SHA256": "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53", - "Signature": [ - "TG Soft S.a.s. 
Di Tonello Gianfranco e C.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "TG Soft S.a.s.", - "Description": "VirIT Agent System", - "Product": "VirIT Agent System", - "ProductVersion": "1, 72, 0, 0", - "FileVersion": "1, 72, 0, 0", - "MachineType": "I386", - "OriginalFilename": "viragt.sys", + "FileName": "RTCore64.sys", + "MD5": "6a094d8e4b00dd1d93eb494099e98478", + "SHA1": "fdf4a0af89f0c8276ad6d540c75beece380703ab", + "SHA256": "d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d", "Authentihash": { - "MD5": "333822355a23fbdfb2599a909b3bbc60", - "SHA1": "72886a692656ebe64592a43273d3f59432cfbf9a", - "SHA256": "9f86fc8a6eaa3b38f33be4a0d552c184e575afa50a60df7383c06a394e3926d8" + "MD5": "538e5e595c61d2ea8defb7b047784734", + "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", + "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" }, - "InternalName": "viragt.sys", - "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2013 - www.tgsoft.it", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitAnsiString", - "wcstombs", - "ZwOpenKey", - "ZwSetValueKey", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwCreateFile", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ObfDereferenceObject", - "IoGetRelatedDeviceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "ZwReadFile", - "ZwWriteFile", - "ZwSetInformationFile", - "ZwOpenProcess", - "ZwTerminateProcess", - "_strupr", - "ZwQuerySystemInformation", - "IoFreeMdl", - "MmUnlockPages", - "MmIsAddressValid", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmIsNonPagedSystemAddressValid", - "IoGetCurrentProcess", - "PsLookupProcessByProcessId", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "sprintf", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "strstr", - "KeServiceDescriptorTable", - "KeReleaseMutex", - "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - "ExQueueWorkItem", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeInitializeDpc", - "KeNumberProcessors", - "IofCompleteRequest", - "memcpy", + "ZwOpenSection", + "MmMapIoSpace", + "__C_specific_handler", + "ZwClose", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "PsCreateSystemThread", - "KeInitializeMutex", - "ObOpenObjectByName", - "IoDriverObjectType", - "ZwOpenDirectoryObject", - "RtlUnicodeStringToAnsiString", - "ZwQueryDirectoryObject", - "IoFileObjectType", - "swprintf", - "DbgPrint", - "IoFreeIrp", - "MmUnmapLockedPages", - 
"KeSetEvent", - "MmLockPagableSectionByHandle", - "MmLockPagableDataSection", - "IoAllocateIrp", - "_wcsnicmp", - "RtlCompareMemory", - "IoBuildDeviceIoControlRequest", - "_alldiv", - "wcsrchr", - "ZwQueryVolumeInformationFile", - "ZwDeviceIoControlFile", - "_strnicmp", - "ZwFsControlFile", - "_allmul", - "ObfReferenceObject", - "_allrem", - "_stricmp", - "strrchr", - "KeQueryActiveProcessors", - "KeTickCount", - "KeBugCheckEx", - "ZwCreateKey", - "ZwQueryValueKey", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "mbstowcs", - "ZwClose", - "memset", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "RtlUnwind", - "KeRaiseIrqlToDpcLevel", - "KfRaiseIrql", - "KfLowerIrql", - "KeGetCurrentIrql", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "READ_PORT_BUFFER_UCHAR", - "KeStallExecutionProcessor" + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoDeleteDevice", + "HalTranslateBusAddress", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": 
"2028-01-28 12:00:00", + "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2016-05-24 00:00:00", + "ValidTo": "2027-06-24 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. 
Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", - "ValidFrom": "2012-12-31 00:00:00", - "ValidTo": "2016-02-29 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "viragt.sys" - ] - }, - { - "Id": "9074a02a-b1ca-4bfb-8918-5b88e91c04a2", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create superbmc.sys binPath=C:\\windows\\temp\\superbmc.sys type=kernel && sc.exe start superbmc.sys", - "Description": "", - 
"Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "superbmc.sys", - "MD5": "3473faea65fba5d4fbe54c0898a3c044", - "SHA1": "910cb12aa49e9f35ecc4907e8304adf0dcca8cf1", - "SHA256": "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35", - "Signature": [ - "Super Micro Computer, Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Super Micro Computer, Inc.", - "Description": "superbmc", - "Product": "superbmc", - "ProductVersion": "2.0.0.0", - "FileVersion": "2.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "superbmc.sys", + "FileName": "RTCore64.sys", + "MD5": "0fc2653b1c45f08ca0abd1eb7772e3c0", + "SHA1": "94144619920bd086028bb5647b1649a35438028c", + "SHA256": "df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6", "Authentihash": { - "MD5": "70f41d3749f4608b64902dd2c1f1e14f", - "SHA1": "c6609cad7208669e4c34f71f682af1a6bcddc11f", - "SHA256": "9c4ffe4815b5755d2609be21ba53c9157e8f71137f06fe35044406b968b80320" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, - "InternalName": "superbmc", - "Copyright": "Copyright(c) 1993-2015 Super Micro Computer, Inc.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeClearEvent", - "IoCreateNotificationEvent", - 
"IoRegisterShutdownNotification", - "PsCreateSystemThread", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeDpc", - "KeInitializeTimer", - "KeInitializeSemaphore", - "IoCreateDevice", - "RtlAppendUnicodeToString", - "ExAllocatePool", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", "ZwClose", - "IoUnregisterShutdownNotification", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IoAllocateErrorLogEntry", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmMapIoSpace", + "IoDeleteSymbolicLink", "IofCompleteRequest", - "ExInterlockedInsertTailList", "ZwUnmapViewOfSection", - "KeResetEvent", - "ExInterlockedRemoveHeadList", - "PsTerminateSystemThread", - "KeSetPriorityThread", - "KeSetTimer", - "KeCancelTimer", - "KeDelayExecutionThread", - "ExSetTimerResolution", - "KeInitializeEvent", - "KeSetEvent", - "ZwMapViewOfSection", - "ZwOpenSection", - "KeBugCheckEx", - "KeReleaseSemaphore", - "ExFreePoolWithTag", + "MmUnmapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "__C_specific_handler", + "IoDeleteDevice", "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, 
CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=San Jose, O=Super Micro Computer, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=Super Micro Computer, Inc.", - "ValidFrom": "2012-09-14 00:00:00", - "ValidTo": "2015-11-13 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3676642ba91b1d0bdf1d3ad0a6efaf4b", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "superbmc.sys" - ] - }, - { - "Id": "a4eabc75-edf6-4b74-9a24-6a26187adabf", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create dbutil_2_3.sys binPath=C:\\windows\\temp\\dbutil_2_3.sys type=kernel && sc.exe start dbutil_2_3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "dbutil_2_3.sys", - "MD5": "c996d7971c49252c582171d9380360f2", - "SHA1": "c948ae14761095e4d76b55d9de86412258be7afd", - "SHA256": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5", - "Signature": [ - "Dell Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public 
Primary CA" - ], - "Date": "", - "Publisher": "Dell Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RTCore64.sys", + "MD5": "d424f369f7e010249619f0ecbe5f3805", + "SHA1": "5e4b93591f905854fb870011464291c3508aff44", + "SHA256": "e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f", "Authentihash": { - "MD5": "e593dd14a41fd9a6cb42fdae324c3092", - "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", - "SHA256": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetImportanceDpc", - "KeSetTargetProcessorDpc", - "MmFreeContiguousMemorySpecifyCache", - "KeSetPriorityThread", "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeDpc", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "MmMapIoSpace", - "KeInsertQueueDpc", + "IoDeleteSymbolicLink", "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "KeBugCheckEx" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - 
"Signature": "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", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Dell Inc.", - "ValidFrom": "2006-12-15 
00:00:00", - "ValidTo": "2010-01-10 23:59:59", - "Signature": "964a90189bd6c008960e4aae75cdf7c5f763b0e04e8921995bb7bb7898297c7d4c84082cc6c324d5a0cc60c77f72cc04c7782416f13b04254e961796dab40b7b5726a18f4f1a1d6a02f18794758bbbc4f8664cef6cc505a5367a8ea999b3c296006dc8336d03d71bfbb5f828d14646a39714657909190d5927bbfa55aec76aad25fe4ec1c5d73b37caec576dbe1a40d13e91509e316dc512d6b07b01c08b7f59f8dbd0d65fcac246b545a91527a2e89c0d3a6603ef49ae2d5373f640ba930fcac4848ae1d1820d3b80866f4335eb9072ece3ab41e80d9d9b1338d8c0e026a11d90e96396b92bf4e4fdf5a161a526f7896a0b77357976010916e455d6bb888d67", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "18a686a1229059017a672136ac2e7265", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "Filename": "dbutil_2_3.sys", - "MD5": "c996d7971c49252c582171d9380360f2", - "SHA1": "c948ae14761095e4d76b55d9de86412258be7afd", - "SHA256": 
"0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5", - "Signature": [ - "Dell Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "Dell Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "RTCore64.sys", + "MD5": "9d884ecd3b6c3f2509851ea15ffefbef", + "SHA1": "e11f48631c6e0277e21a8bdf9be513651305f0d5", + "SHA256": "e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae", "Authentihash": { - "MD5": "e593dd14a41fd9a6cb42fdae324c3092", - "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", - "SHA256": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef" + "MD5": "55466195f0b2f4afc4243b43a806e6d9", + "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", + "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeSetImportanceDpc", - "KeSetTargetProcessorDpc", - "MmFreeContiguousMemorySpecifyCache", - "KeSetPriorityThread", "RtlInitUnicodeString", - "IoDeleteDevice", - "KeInitializeDpc", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "MmMapIoSpace", - "KeInsertQueueDpc", + "IoDeleteSymbolicLink", "IofCompleteRequest", + "ZwUnmapViewOfSection", + "MmUnmapIoSpace", "IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "KeBugCheckEx" + "__C_specific_handler", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ 
{ - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Dell Inc.", - "ValidFrom": "2006-12-15 00:00:00", - "ValidTo": "2010-01-10 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": 
"2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "18a686a1229059017a672136ac2e7265", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] - } - ], - "Tags": [ - "dbutil_2_3.sys" - ] - }, - { - "Id": "6ec5ddda-f302-4008-a73e-12814c1d571f", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create ATSZIO.sys binPath=C:\\windows\\temp\\ATSZIO.sys type=kernel && sc.exe start ATSZIO.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal 
Research"
- ],
- "Acknowledgement": {
- "Person": [],
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
+ },
 {
- "FileName": "ATSZIO.sys",
- "MD5": "17b97fbe2e8834d7ad30211635e1b271",
- "SHA1": "e88259de797573fa515603ad3354aed0bce572f1",
- "SHA256": "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c",
+ "FileName": "rtcore64.sys",
+ "MD5": "5b1e1a9dade81f1e80fdc0a2d3f9006e",
+ "SHA1": "9b8c7eda28bfad07ffe5f84a892299bc7e118442",
+ "SHA256": "f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc",
 "Authentihash": {
- "MD5": "f1d41369bc171a32ece45fd99af06814",
- "SHA1": "b3511e640bde63fcfbc22b2043a27d84824ad597",
- "SHA256": "8926be6aa6df3b5d20483e0e698ea14fa0fb760844468ed69143d7f503250349"
+ "MD5": "a17d227444e090ff69e24fcb6d43162b",
+ "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120",
+ "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020"
 },
- "Description": "ATSZIO Driver",
- "Company": "ASUSTek Computer Inc.",
- "InternalName": "ATSZIO.sys",
- "OriginalFilename": "ATSZIO.sys",
- "FileVersion": "0.2.1.7",
- "Product": "ATSZIO Driver",
- "ProductVersion": "0.2.1.7",
- "Copyright": "Copyright (C) 2012",
- "MachineType": "I386",
+ "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
+ "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "IoCreateSynchronizationEvent",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "ObReferenceObjectByHandle",
+ "RtlInitUnicodeString",
 "ZwClose",
+ "ZwMapViewOfSection",
+ "ObReferenceObjectByHandle",
 "ZwOpenSection",
+ "IoDeleteSymbolicLink",
 "IofCompleteRequest",
+ "MmIsAddressValid",
 "ZwUnmapViewOfSection",
- "MmGetPhysicalAddress",
- "_aullrem",
- "memcpy",
- "KeTickCount",
- "KeBugCheckEx",
- "RtlUnwind",
- "MmFreeContiguousMemory",
- "MmAllocateContiguousMemory",
- "ExFreePoolWithTag",
- "ExAllocatePool",
- "KeWaitForSingleObject",
- "KeSetEvent",
- "DbgPrint",
- "ZwMapViewOfSection",
- "RtlInitUnicodeString",
- "HalSetBusDataByOffset",
- "WRITE_PORT_ULONG",
- "WRITE_PORT_USHORT",
- "WRITE_PORT_UCHAR",
- "READ_PORT_ULONG",
- "READ_PORT_USHORT",
- "READ_PORT_UCHAR",
- "HalGetBusDataByOffset"
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "__C_specific_handler",
+ "IoDeleteDevice",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
@@ -50739,24 +35349,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", + "ValidFrom": "2009-03-18 11:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", + "ValidFrom": "2009-12-21 09:32:56", + "ValidTo": "2020-12-22 09:32:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2010-04-14 00:00:00", + "ValidTo": "2012-04-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -50765,49 +35382,35 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
+ "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f",
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA"
 }
 ]
 }
 ]
 },
 {
- "FileName": "ATSZIO.sys",
- "MD5": "7ee0c884e7d282958c5b3a9e47f23e13",
- "SHA1": "86e893e59352fcb220768fb758fcc5bbd91dd39e",
- "SHA256": "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5",
+ "FileName": "RTCore64.sys",
+ "MD5": "24061b0958874c1cb2a5a8e9d25482d4",
+ "SHA1": "282fca60f0c37eb6d76400bca24567945e43c6d8",
+ "SHA256": "f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496",
 "Authentihash": {
- "MD5": "69a92cb6ac87c99f10b24eefa13f0b10",
- "SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73",
- "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a"
+ "MD5": "cfe667280acf69d4b5d0e2dbc76510e4",
+ "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b",
+ "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5"
 },
- "Description": "ATSZIO Driver",
- "Company": "ASUSTek Computer Inc.",
- "InternalName": "ATSZIO.sys",
- "OriginalFilename": "ATSZIO.sys",
- "FileVersion": "0.2.1.7",
- "Product": "ATSZIO Driver",
- "ProductVersion": "0.2.1.7",
- "Copyright": "Copyright (C) 2012",
+ "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
 "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
@@ -50815,28 +35418,22 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "KeWaitForSingleObject",
- "ExAllocatePool",
- "ExFreePoolWithTag",
- "MmAllocateContiguousMemory",
- "MmFreeContiguousMemory",
- "IofCompleteRequest",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "IoCreateSynchronizationEvent",
- "KeSetEvent",
- "IoDeleteSymbolicLink",
+ "ZwMapViewOfSection",
 "ObReferenceObjectByHandle",
- "ZwClose",
 "ZwOpenSection",
- "ZwMapViewOfSection",
- "ZwUnmapViewOfSection",
- "MmGetPhysicalAddress",
+ "MmMapIoSpace",
 "__C_specific_handler",
- "DbgPrint",
- "IoDeleteDevice",
+ "ZwClose",
+ "ZwUnmapViewOfSection",
+ "MmUnmapIoSpace",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
 "RtlInitUnicodeString",
+ "IoDeleteSymbolicLink",
+ "IofCompleteRequest",
+ "IoDeleteDevice",
 "HalSetBusDataByOffset",
+ "HalTranslateBusAddress",
 "HalGetBusDataByOffset"
 ],
 "Signatures": [
@@ -50845,47 +35442,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2021-09-09 19:15:59", - "ValidTo": "2022-09-01 19:15:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.",
+ "ValidFrom": "2014-06-03 09:16:15",
+ "ValidTo": "2017-09-03 09:16:15",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
+ "ValidFrom": "2006-05-23 17:00:51",
+ "ValidTo": "2016-05-23 17:10:51",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "330000004de597a775e3157f7b00000000004d",
- "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014"
+ "SerialNumber": "112158044863e4dc19cf29a85668b7f45842",
+ "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2"
 }
 ]
 }
 ]
 },
 {
- "FileName": "ATSZIO.sys",
- "MD5": "030c8432981e4d41b191624b3e07afe2",
- "SHA1": "87d47340d1940eaeb788523606804855818569e3",
- "SHA256": "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a",
+ "FileName": "RTCore64.sys",
+ "MD5": "70196d88c03f2ea557281b24dad85de5",
+ "SHA1": "55015f64783ddd148674a74d8137bcd6ccd6231d",
+ "SHA256": "f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298",
 "Authentihash": {
- "MD5": "f3a217e8c7a1c871d6588e7ef85ed660",
- "SHA1": "b5407f564315cfd3eac7c7663fac575fd18f565d",
- "SHA256": "028aed97e90c5a231069a3fa0853c67ea5853c4bbfea6247c6f4b53509581d05"
+ "MD5": "538e5e595c61d2ea8defb7b047784734",
+ "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683",
+ "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330"
 },
- "Description": "ATSZIO Driver",
+ "Description": "",
 "Company": "",
- "InternalName": "ATSZIO",
- "OriginalFilename": "ATSZIO.sys",
- "FileVersion": "0, 2, 1, 2",
- "Product": "ATSZIO Driver",
- "ProductVersion": "0, 2, 1, 2",
- "Copyright": "Copyright (C) 2010",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
 "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
@@ -50893,27 +35511,23 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoCreateDevice",
- "RtlInitUnicodeString",
- "IoDeleteSymbolicLink",
- "ZwClose",
- "IofCompleteRequest",
- "__C_specific_handler",
- "MmFreeContiguousMemory",
- "MmGetPhysicalAddress",
- "IoCreateSynchronizationEvent",
- "KeSetEvent",
- "KeWaitForSingleObject",
- "RtlAssert",
 "ZwMapViewOfSection",
 "ObReferenceObjectByHandle",
 "ZwOpenSection",
+ "MmMapIoSpace",
+ "__C_specific_handler",
+ "ZwClose",
 "ZwUnmapViewOfSection",
- "IoDeleteDevice",
- "MmAllocateContiguousMemory",
+ "MmUnmapIoSpace",
 "IoCreateSymbolicLink",
- "HalSetBusDataByOffset",
- "HalGetBusDataByOffset"
+ "IoCreateDevice",
+ "RtlInitUnicodeString",
+ "IoDeleteSymbolicLink",
+ "IofCompleteRequest",
+ "IoDeleteDevice",
+ "HalTranslateBusAddress",
+ "HalGetBusDataByOffset",
+ "HalSetBusDataByOffset"
 ],
 "Signatures": [
 {
@@ -50921,68 +35535,109 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services", + "ValidFrom": "2004-01-01 00:00:00", + "ValidTo": "2028-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46", + "ValidFrom": "2021-05-25 00:00:00", + "ValidTo": "2028-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", + "ValidFrom": "2022-08-01 00:00:00", + "ValidTo": "2031-11-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36", + "ValidFrom": "2021-03-22 00:00:00", + "ValidTo": "2036-03-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=CA, ST=Ontario, O=Cold Air Systems Inc., CN=Cold Air Systems Inc.", + "ValidFrom": "2022-03-21 00:00:00", + "ValidTo": "2023-03-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5"
+ "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
+ "ValidFrom": "2022-03-23 00:00:00",
+ "ValidTo": "2037-03-22 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ },
+ {
+ "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2",
+ "ValidFrom": "2022-09-21 00:00:00",
+ "ValidTo": "2033-11-21 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA"
+ "SerialNumber": "0096c2ac9b7a12bd9588243110dc6b0519",
+ "Issuer": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36"
 }
 ]
 }
 ]
- },
+ }
+ ],
+ "Tags": [
+ "RTCore64.sys"
+ ],
+ "yara": false
+ },
+ {
+ "Id": "ee2d68aa-1a65-4967-8627-73590b041538",
+ "Author": "Nasreddine Bencherchali",
+ "Created": "2023-05-06",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": "sc.exe create DirectIo32.sys binPath=C:\\windows\\temp\\DirectIo32.sys type=kernel && sc.exe start DirectIo32.sys",
+ "Description": [],
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10",
+ "Resources": [
+ "Internal Research"
+ ],
+ "Acknowledgement": {
+ "Person": [],
+ "Handle": ""
+ },
+ "Detection": [],
+ "KnownVulnerableSamples": [
 {
- "FileName": "ATSZIO.sys",
- "MD5": "715ac0756234a203cb7ce8524b6ddc0d",
- "SHA1": "d73dabcb3f55935b701542fd26875006217ebbbe",
- "SHA256": "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9",
+ "FileName": "DirectIo32.sys",
+ "MD5": "79ab228766c76cfdf42a64722821711e",
+ "SHA1": "b0a684474eb746876faa617a28824bee93ba24f0",
+ "SHA256": "0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1",
 "Authentihash": {
- "MD5": "272a0dd6f4b32694511cadaba438aec8",
- "SHA1": "584b6a0e2dc45ce2d5ee5becf3ef09e7877a619b",
- "SHA256": "18bea05d56bcbc0e23663db9b6dc79d9db3a218e711415a1e420dea2e183cb5e"
+ "MD5": "643df6049601b73ec4ceaa3d80673871",
+ "SHA1": "956c004dbed19d2682f159e03d4faa3e2e8fc56c",
+ "SHA256": "a8492a553ee840235fd12fa47b6caf1e5a8c82c3f4b681921246d7f192ed9126"
 },
- "Description": "ATSZIO Driver",
- "Company": "ASUSTek Computer Inc.",
- "InternalName": "ATSZIO.sys",
- "OriginalFilename": "ATSZIO.sys",
- "FileVersion": "0.2.1.6",
- "Product": "ATSZIO Driver",
- "ProductVersion": "0.2.1.6",
- "Copyright": "Copyright (C) 2012",
+ "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
 "MachineType": "I386",
 "Imports": [
 "ntoskrnl.exe",
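Review bot: The added entry mixes value types for the same logical fields, which a strictly typed loader of this file will trip on: `"Description": []` and `"Person": []` sit beside string-typed siblings such as `"Handle": ""` and `"SignerInfo": ""`, `"Verified": "TRUE"` is a string while `"yara": false` is a boolean, and `Commands` is a bare string here although the upstream LOLDrivers data also emits it as an object with `Command`/`Usecase` keys. Whatever decodes pkg/loldrivers/drivers.json should accept both shapes (a raw or union field plus a normalization step) rather than assume one, or the next upstream refresh breaks loading with no change to the code. Sample filenames also vary in case across entries (`rtcore64.sys` versus `RTCore64.sys`), so any filename-based lookup must be case-insensitive; the SHA256 and Authentihash values are the reliable match keys. The `KnownVulnerableSamples` array opened in this hunk continues past its end.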
@@ -50990,37 +35645,61 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoCreateSymbolicLink",
- "IoCreateSynchronizationEvent",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "ObReferenceObjectByHandle",
- "ZwClose",
- "IoCreateDevice",
 "ZwMapViewOfSection",
+ "ObReferenceObjectByHandle",
+ "ZwOpenSection",
 "ZwUnmapViewOfSection",
- "MmGetPhysicalAddress",
+ "ZwWriteFile",
+ "PsGetProcessId",
+ "NtBuildNumber",
+ "RtlFillMemoryUlong",
+ "ZwCreateFile",
+ "memset",
 "memcpy",
- "KeTickCount",
- "RtlUnwind",
+ "MmGetPhysicalMemoryRanges",
+ "IoWriteErrorLogEntry",
+ "memmove",
+ "IoAllocateErrorLogEntry",
 "IofCompleteRequest",
- "MmFreeContiguousMemory",
- "MmAllocateContiguousMemory",
- "ExAllocatePool",
+ "IoDeleteDevice",
+ "RtlAppendUnicodeStringToString",
+ "RtlIntegerToUnicodeString",
+ "RtlAppendUnicodeToString",
+ "ObfDereferenceObject",
+ "RtlQueryRegistryValues",
+ "ZwOpenKey",
+ "_snwprintf",
+ "RtlWriteRegistryValue",
 "KeWaitForSingleObject",
- "KeSetEvent",
+ "IofCallDriver",
+ "IoBuildDeviceIoControlRequest",
+ "KeInitializeEvent",
+ "IoCreateSymbolicLink",
+ "ObReferenceObjectByPointer",
+ "IoGetDeviceObjectPointer",
+ "IoCreateDevice",
+ "wcsrchr",
+ "DbgPrintEx",
+ "KeQueryActiveProcessors",
+ "KeRevertToUserAffinityThread",
+ "KeSetSystemAffinityThread",
+ "KeTickCount",
+ "KeBugCheckEx",
+ "ZwClose",
 "DbgPrint",
- "ZwOpenSection",
 "RtlInitUnicodeString",
- "KeBugCheckEx",
- "HalSetBusDataByOffset",
+ "ExAllocatePoolWithTag",
+ "ZwQueryValueKey",
+ "ExFreePoolWithTag",
+ "IoDeleteSymbolicLink",
+ "RtlAssert",
+ "READ_PORT_USHORT",
+ "READ_PORT_UCHAR",
 "WRITE_PORT_ULONG",
 "WRITE_PORT_USHORT",
 "WRITE_PORT_UCHAR",
- "READ_PORT_ULONG",
- "READ_PORT_USHORT",
- "READ_PORT_UCHAR",
- "HalGetBusDataByOffset"
+ "KeGetCurrentIrql",
+ "READ_PORT_ULONG"
 ],
 "Signatures": [
 {
@@ -51028,24 +35707,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -51054,49 +35740,35 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "ATSZIO.sys", - "MD5": "f84da507b3067f019c340b737cd68d32", - "SHA1": "5e9538d76b75f87f94ca5409ae3ddc363e8aba7f", - "SHA256": "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b", + "FileName": "DirectIo32.sys", + "MD5": "e913a51f66e380837ffe8da6707d4cc4", + "SHA1": "0be77bb3720283c9a970a97dab25d2a312e86110", + "SHA256": "38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305", "Authentihash": { - "MD5": "aec83d758be98eb60b7463bc71eb1242", - "SHA1": "1ce64a20f37b9a86bd55b2ae592a5b90e6e9ea40", - "SHA256": 
"1631d124bd8b2917c37abfe0f7b3dfa9e309ec54f69bdab2e2b5de3929d523d7" + "MD5": "91941a5ecd36d5eda1e509e9f525fc83", + "SHA1": "1ad46a8e038a62e146ddb5a4fe8ca5a56c53f018", + "SHA256": "542cd21b0c835b818e6b2eea2efe5b340ff3d554b2b7e13af084f0817cc920fd" }, - "Description": "ATSZIO Driver", + "Description": "", "Company": "", - "InternalName": "ATSZIO", - "OriginalFilename": "ATSZIO.sys", - "FileVersion": "0, 2, 1, 2", - "Product": "ATSZIO Driver", - "ProductVersion": "0, 2, 1, 2", - "Copyright": "Copyright (C) 2010", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", 
@@ -51104,33 +35776,58 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "KeSetEvent", - "KeWaitForSingleObject", - "_except_handler3", - "MmFreeContiguousMemory", "ZwMapViewOfSection", "ObReferenceObjectByHandle", "ZwOpenSection", "ZwUnmapViewOfSection", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "ZwClose", + "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "ObfDereferenceObject", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", + "RtlQueryRegistryValues", + "ZwOpenKey", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", "IoCreateDevice", - "IoCreateSynchronizationEvent", - "IoDeleteDevice", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "ZwClose", + "DbgPrint", + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "RtlIntegerToUnicodeString", "RtlAssert", - "IoCreateSymbolicLink", - "READ_PORT_ULONG", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "READ_PORT_UCHAR", "READ_PORT_USHORT", - "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG" + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -51151,6 +35848,13 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", "ValidFrom": "2009-05-21 00:00:00", @@ -51164,18 +35868,11 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] 
@@ -51183,52 +35880,100 @@ ] }, { - "FileName": "ATSZIO.sys", - "MD5": "4814205270caa80d35569eee8081838e", - "SHA1": "d6de8983dbd9c4c83f514f4edf1ac7be7f68632f", - "SHA256": "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc", + "FileName": "DirectIo32.sys", + "MD5": "8ac6d458abbe4f5280996eb90235377c", + "SHA1": "bd421ffdcc074ecca954d9b2c2fbce9301e9a36c", + "SHA256": "3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa", "Authentihash": { - "MD5": "84fc06779f79be8a59caa24378db6eaf", - "SHA1": "2905cbd9b37d55b657f952ec5b5804bd3b1f4263", - "SHA256": "e5e4dc1a918e201ec2cf02a036e4dd03dd04dfd179091c8adfbc6745eb830f2f" + "MD5": "e4b5345eaa754dce6279e13b09b491ca", + "SHA1": "ae806ca05e141b71664d9c6f20cc2369ef26f996", + "SHA256": "38fa9b5b66a11fd7387012c5c4bbd414eca8361273d57dba1e49aa6af23337f3" }, - "Description": "ATSZIO Driver", - "Company": "ASUSTek Computer Inc.", - "InternalName": "ATSZIO.sys", - "OriginalFilename": "ATSZIO.sys", - "FileVersion": "0.2.1.6", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.1.6", - "Copyright": "Copyright (C) 2012", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePool", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "IoGetDeviceProperty", + "ObfDereferenceObject", + "IoEnumerateDeviceObjectList", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IoGetAttachedDeviceReference", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + 
"MmUnmapIoSpace", + "IoAllocateMdl", + "MmMapIoSpace", + "ZwMapViewOfSection", "ZwClose", + "ObReferenceObjectByHandle", "ZwOpenSection", - "ZwMapViewOfSection", + "MmUnmapLockedPages", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "DbgPrint", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "IofCallDriver", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", + "RtlQueryRegistryValues", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "IoDeleteSymbolicLink", + "ZwOpenKey", + "RtlWriteRegistryValue", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "wcsrchr", + "DbgPrintEx", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "KeWaitForSingleObject", + "DbgPrint", "RtlInitUnicodeString", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "_vsnwprintf", + "memcpy", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -51242,6 +35987,13 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -51250,91 +36002,106 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2014-10-23 00:00:00", + "ValidTo": "2017-01-13 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., 
OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] }, { - "FileName": "ATSZIO.sys", - "MD5": "dbf11f3fad1db3eb08e2ee24b5ebfb95", - "SHA1": "cea540a2864ece0a868d841ab27680ff841fcbe6", - "SHA256": "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f", + "FileName": "DirectIo32.sys", + "MD5": "592756f68ab8ae590662b0c4212a3bb9", + "SHA1": "aadaec4c31d661c249e4cf455ec752fffa3e5cfc", + "SHA256": "65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75", "Authentihash": { - "MD5": "2e9b394c4437948e1c27e2f39a966b6c", - "SHA1": "0ddcc3e9e7d0790007fd6e12e4554f460d2c4d9b", - "SHA256": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc" + "MD5": "ae08002e9920a85b42f78d85e4f5baaa", + "SHA1": "6e2ea1d108b9f05f2d077ed6c254a70e2b11251d", + "SHA256": "fb7cb120d51e217ee4cc50bee619603be5eb6091634df45acc5249aed283c9be" }, - "Description": "ATSZIO Driver", - "Company": "ASUSTek Computer Inc.", - "InternalName": "ATSZIO.sys", - "OriginalFilename": "ATSZIO.sys", - "FileVersion": "0.2.1.7", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.1.7", - "Copyright": "Copyright (C) 2012", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], 
"ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", - "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "ZwClose", "ZwOpenSection", - "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "DbgPrint", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", + "IofCompleteRequest", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "ObfDereferenceObject", + "RtlAppendUnicodeToString", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "ZwOpenKey", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "ZwClose", + "DbgPrint", "RtlInitUnicodeString", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "RtlIntegerToUnicodeString", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -51342,77 +36109,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", - "ValidFrom": "2020-10-30 00:00:00", - "ValidTo": "2023-11-02 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": 
"b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "068642beebecb7ddb4272ae42e83b490", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "ATSZIO.sys", - "MD5": "5a1ee9e6a177f305765f09b0ae6ac1c5", - "SHA1": "3f67a43ae174a715795e49f72bc350302de83323", - "SHA256": "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282", + "FileName": "DirectIo32.sys", + "MD5": "0a653d9d0594b152ca835d0b2593269f", + "SHA1": "6102b73489e1d319c0db7b84cb2c426c5f680120", + "SHA256": "72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb", "Authentihash": { - "MD5": "2e9b394c4437948e1c27e2f39a966b6c", - "SHA1": 
"0ddcc3e9e7d0790007fd6e12e4554f460d2c4d9b", - "SHA256": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc" + "MD5": "4ffb30623d9570c0a19742435ba230bb", + "SHA1": "9703903219c7d7f88748fd68f277649b82f2df83", + "SHA256": "c3a215473d836c1d7315f371bff4dea956d7d1b440e43b4671f6e3772bae00dd" }, - "Description": "ATSZIO Driver", - "Company": "ASUSTek Computer Inc.", - "InternalName": "ATSZIO.sys", - "OriginalFilename": "ATSZIO.sys", - "FileVersion": "0.2.1.7", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.1.7", - "Copyright": "Copyright (C) 2012", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", - "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "ZwMapViewOfSection", "ObReferenceObjectByHandle", - "ZwClose", "ZwOpenSection", - "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "DbgPrint", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", + "IofCompleteRequest", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "ZwClose", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "ZwOpenKey", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + 
"IoGetDeviceObjectPointer", + "IoCreateDevice", + "wcsrchr", + "DbgPrintEx", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "DbgPrint", "RtlInitUnicodeString", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "_vsnwprintf", + "RtlAppendUnicodeToString", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -51420,24 +36240,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -51446,79 +36273,112 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "ATSZIO.sys", - "MD5": "6682176866d6bd6b4ea3c8e398bd3aae", - "SHA1": "962e2ac84c28ed5e373d4d4ccb434eceee011974", - "SHA256": "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22", + "FileName": "DirectIo32.sys", + "MD5": "e140cb81bd27434fc4fd9080b7551922", + "SHA1": "2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8", + "SHA256": "7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd", "Authentihash": { - "MD5": "34057e393322867a580b2a72bc4b282b", - "SHA1": "439a577db1e655d7f4fde8dea0391867b081b59a", - "SHA256": "1d5ded14ba7821a1021815e70399801bf87dadf9b9eb17325e3c918d53971c8e" + "MD5": "c62966c201e259ff8b2642470b2bd621", + "SHA1": "abe422f9289fe922f671cc70c78046e2bde5e309", + "SHA256": "c0752dc13548fe8d3b5a7a73c04ebcd7bcfa5e4ecec9ba233d193bd36ed4b54e" }, - "Description": "ATSZIO Driver", - "Company": "ASUSTek Computer Inc.", - "InternalName": "ATSZIO.sys", - "OriginalFilename": "ATSZIO.sys", - "FileVersion": "0.2.2.3", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.2.3", - "Copyright": "Copyright (C) 2012", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", - "IoDeleteSymbolicLink", - 
"ObReferenceObjectByHandle", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "IoGetDeviceProperty", + "ObfDereferenceObject", + "IoEnumerateDeviceObjectList", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IoGetAttachedDeviceReference", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "IoAllocateMdl", + "MmMapIoSpace", + "ZwMapViewOfSection", "ZwClose", + "ObReferenceObjectByHandle", "ZwOpenSection", - "ZwMapViewOfSection", + "MmUnmapLockedPages", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "__C_specific_handler", - "DbgPrint", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "IofCallDriver", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "ZwOpenKey", + "RtlWriteRegistryValue", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "wcsrchr", + "DbgPrintEx", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "KeWaitForSingleObject", + "DbgPrint", "RtlInitUnicodeString", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "_vsnwprintf", + "memcpy", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeStallExecutionProcessor", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { 
@@ -51526,289 +36386,309 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, ??=Pei Tou District, ??=4F No. 150, Li,te Rd, postalCode=11259, C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2015-06-16 00:00:00", - "ValidTo": "2018-06-19 12:00:00", - "Signature": "62395f09957b06539614f157a39a1becf829e9b17f3620785bc445abedbf75d9018c75fdf7d2b5616f6f97ca685ed7c53b4b1e21456c94e9f6258ae51c535d69214696004d0d17d46123bfdcfadf1d03d83d70100dfa74516a74d0793ff5e2b9e5a99d172a94a521cb5902ebc205a1bf8c7f581a1a53b351460be4cb493afa23eb80020c4e9163f64112b474e454cceb4bf5d0ac7418394317a9ad3d6b7a13915309540c983f7172d19a787ce2733381cc1f32d9915a047bb3b53cae37b61870d5b3b17720bbc02c8b38538d9ab60de7b0319f3c541ac55c87df0fe344e8dd91cea16894c8a08509a3a77a817b7b6dd513079ec1b365b613d86d6fca5185dad9", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", + "ValidFrom": "2013-01-14 00:00:00", + "ValidTo": "2015-01-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": 
"2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "031c8403876518b80064120f1485a103", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] - } - ], - "Tags": [ - "ATSZIO.sys" - ] - }, - { - "Id": "0eb5f4ce-12a7-4b45-b021-42b995de07c5", - "Author": "Michael Haag", - "Created": "2023-03-03", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Air_SYSTEM10.sys binPath=C:\\windows\\temp\\Air_SYSTEM10.sys type=kernel && sc.exe start Air_SYSTEM10.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - 
"https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "Air_SYSTEM10.sys", - "MD5": "1f2888e57fdd6aee466962c25ba7d62d", - "SHA1": "c23eeb6f18f626ce1fd840227f351fa7543bb167", - "SHA256": "f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "DirectIo32.sys", + "MD5": "10e681ce84afdd642e59ddfdb28284e9", + "SHA1": "983a8d4b1cb68140740a7680f929d493463e32e3", + "SHA256": "e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac", "Authentihash": { - "MD5": "6f562fc03c72abd6ff33c6df23df0219", - "SHA1": "7435b3f4c67217bfcdcfa9d940b12e5d5d6a22da", - "SHA256": "9c31a9fbf833b732b5f3f06c31e200994a65ce187260e66eff62278660dba4ef" + "MD5": "d2fd725385f0f7acb722a5cb177b40aa", + "SHA1": "de239bda4c75f8b2cfbbf74823466491d2e1f76d", + "SHA256": "d6753d2e6cf2f11932b4fedd4362ab57651f8f3baa886eace22fd98a14ebc2e8" }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "FLTMGR.SYS", - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "FltRegisterFilter", - "FltUnregisterFilter", - "FltStartFiltering", - "FltGetFileNameInformation", - "FltReleaseFileNameInformation", - "FltParseFileNameInformation", - "FltCreateCommunicationPort", - "FltCloseCommunicationPort", - "FltCloseClientPort", - "FltBuildDefaultSecurityDescriptor", - "FltFreeSecurityDescriptor", - "FltGetRequestorProcess", - "ExAllocatePoolWithTag", - "DbgPrintEx", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "strstr", - 
"wcsstr", - "RtlInitUnicodeString", - "MmGetSystemRoutineAddress", - "ExFreePoolWithTag", - "IoCreateDevice", - "IoGetCurrentProcess", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", "ObReferenceObjectByHandle", + "ZwOpenSection", + "ZwUnmapViewOfSection", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", + "IofCompleteRequest", + "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", "ObfDereferenceObject", - "MmIsAddressValid", - "PsLookupProcessByProcessId", - "PsGetProcessImageFileName", - "__C_specific_handler", - "PsProcessType", - "ExInitializeRundownProtection", - "ExAcquireRundownProtection", - "ExReleaseRundownProtection", - "ExWaitForRundownProtectionRelease", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwClose", - "PsGetCurrentProcessId", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "ZwQueryVirtualMemory", - "ZwProtectVirtualMemory", - "PsGetProcessWow64Process", - "strcpy_s", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", - "RtlSetDaclSecurityDescriptor", + "RtlQueryRegistryValues", + "ZwOpenKey", + "_snwprintf_s", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + "IoGetDeviceObjectPointer", + "IoCreateDevice", + "wcscpy_s", + "wcsrchr", + "DbgPrintEx", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", 
+ "KeSetSystemAffinityThread", + "KeTickCount", "KeBugCheckEx", - "RtlCompareUnicodeString", - "KeDelayExecutionThread", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "MmCopyVirtualMemory", - "PsGetProcessPeb", - "ZwQuerySystemInformation" + "ZwClose", + "DbgPrint", + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 
20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, 
+ { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "Air_SYSTEM10.sys" - ] - }, - { - "Id": "c1265ee4-aed4-4e65-ac54-c64deb5e3b28", - "Author": "Guus Verbeek", - "Created": "2023-05-07", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create fur.sys binPath=C:\\windows\\temp\\fur.sys type=kernel && sc.exe start fur.sys", - "Description": "SophosLabs has discovered that threat actors are using a new driver loader called BURNTCIGAR to install a malicious driver signed with Microsoft.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware, https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "", - "MD5": "6a066d2be83cf83f343d0550b0b8f206", - "SHA1": "8e126f4f35e228fdd3aa78d533225db7122d8945", - "SHA256": "0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", 
- "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "DirectIo32.sys", + "MD5": "aa5dd4beca6f67733e04d9d050ecd523", + "SHA1": "ebafebe5e94fdf12bd2159ed66d73268576bc7d9", + "SHA256": "e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc", "Authentihash": { - "MD5": "5c23bab622d6bbabd23d29b4adaa4ae0", - "SHA1": "9fbb6f9a22d1c676ff1b97a33d4c5e94f18aca5f", - "SHA256": "aab97fb324c883f1de71112e1d9fb716cef40636e39a3b9f4a5b8678cf7bde3f" + "MD5": "e631c2272278e20c81a8d8dcb825ae78", + "SHA1": "ef06513dc0f8456e09260857fd63ee1222c60c82", + "SHA256": "507cee84e2924e81916c8bf090efb1beab3c258a79e1e1bf3637b8b7824d0a86" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "FLTMGR.SYS", - "NETIO.SYS", - "WDFLDR.SYS", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObQueryNameString", - "FltUnregisterFilter", - "WskRegister", - "WdfVersionBind", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ZwUnmapViewOfSection", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", + "IofCompleteRequest", + "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "ObfDereferenceObject", + "RtlQueryRegistryValues", + "ZwOpenKey", + "_snwprintf_s", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", + "ObReferenceObjectByPointer", + 
"IoGetDeviceObjectPointer", + "IoCreateDevice", + "wcscpy_s", + "wcsrchr", + "DbgPrintEx", "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "ZwClose", "DbgPrint", - "KeQueryPerformanceCounter" + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } 
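Review bot: `CertificatesInfo` changes type in this hunk — the old side carried `"CertificatesInfo": ""` and the new side carries `"CertificatesInfo": []` in both DirectIo32.sys sample records — so any consumer that models the field as a string will now fail to decode the whole document, not just these records. The new side also mixes two record shapes inside `KnownVulnerableSamples`: the first sample of an entry uses `"Filename"` together with `Signature`/`Date`/`Publisher`, while the additional samples use `"FileName"` without them (compare the NalDrv.sys record in the next hunk with the DirectIo32.sys records here). A case-insensitive decoder will fold the two keys together silently while a case-sensitive one leaves one of them empty, so it is worth confirming which behaviour the package consuming this file (presumably the Go code beside it) relies on and pinning it with a test that decodes at least one of these mixed entries.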
@@ -51816,100 +36696,126 @@ } ], "Tags": [ - "fur.sys" - ] + "DirectIo32.sys" + ], + "yara": false }, { - "Id": "40bfb01b-d251-4c2c-952e-052a89a76f5b", + "Id": "999a11ae-ec2b-4863-baa4-1384ec2b7339", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create PanMonFltX64.sys binPath=C:\\windows\\temp\\PanMonFltX64.sys type=kernel && sc.exe start PanMonFltX64.sys", + "Command": "sc.exe create NalDrv.sys binPath=C:\\windows\\temp\\NalDrv.sys type=kernel && sc.exe start NalDrv.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", + "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "PanMonFltX64.sys", - "MD5": "0067c788e1cb174f008c325ebde56c22", - "SHA1": "12d38abbc5391369a4c14f3431715b5b76ac5a2a", - "SHA256": "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf", + "Filename": "NalDrv.sys", + "MD5": "1898ceda3247213c084f43637ef163b3", + "SHA1": "d04e5db5b6c848a29732bfd52029001f23c3da75", + "SHA256": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b", "Signature": [ - "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" + "Intel Corporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", "Publisher": "", - "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", - "Description": "PanCafe Manager File Monitor", - "Product": "PanCafe Manager", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "Intel Corporation ", + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.7", + "FileVersion": "1.03.0.7 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "PanMonFltX64.sys", + "OriginalFilename": "iQVW64.SYS", "Authentihash": { - "MD5": "fb2c77030c99606abb5d78bd51d6637d", - "SHA1": "cc0f86949ee6261f8c3de046112b99595db14c00", - "SHA256": "9544fbc011638cbc168f6ea4740cc6ed6fd331769e191fd64bdf9113eb64fde1" + "MD5": "1789a16d20ca2b55f491ad71848166a2", + "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7", + "SHA256": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087" }, - "InternalName": "PanMonFltX64.sys", - "Copyright": "Copyright (c) 2012-2014 Pan Yazılım Bilisim Teknolojileri Tic. Ltd. 
Sti.", + "InternalName": "iQVW64.SYS", + "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeBugCheckEx", - "KeAcquireSpinLockRaiseToDpc", - "ExInterlockedRemoveHeadList", - "ExInterlockedInsertTailList", - "RtlEqualUnicodeString", - "KeReleaseSpinLock", - "IoQueryFileDosDeviceName", - "RtlAppendUnicodeStringToString", - "IoVolumeDeviceToDosName", - "RtlAppendUnicodeToString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", "DbgPrint", - "RtlCopyUnicodeString", - "PsGetCurrentThreadId", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "__C_specific_handler", - "FltSendMessage", - "FltQueryInformationFile", - "FltStartFiltering", - "FltParseFileName", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor", - "FltCloseCommunicationPort", - "FltUnregisterFilter", - "FltAllocateContext", - "FltReleaseContext", - "FltIsDirectory", - "FltFreeSecurityDescriptor", - "FltSetInformationFile", - "FltCreateCommunicationPort", - "FltDeleteContext", - "FltCloseClientPort", - "FltSetStreamHandleContext", - "FltGetStreamHandleContext" + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + 
"KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
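Review bot: The new `"yara": false` key here (and `"yara": true` in the following hunk) is a JSON boolean, while `"Verified": "TRUE"` on the same record remains a string, so the document now carries booleans in two representations and a consumer must not assume one accessor serves both. Two string-matching hazards are also visible on the new side: `"Company": "Intel Corporation "` carries a trailing space, and the `Resources` list repeats the same URL once with a leading space, so any exact comparison or de-duplication on these fields should trim whitespace first. Since this looks like a refresh of the upstream dataset rather than hand-edited data, these are probably best handled on the consumer side (or reported upstream) rather than patched in this file.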
@@ -51917,45 +36823,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7", + 
"Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2012-05-17 00:00:00", + "ValidTo": "2015-05-30 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", - "ValidFrom": "2014-04-15 15:12:40", - "ValidTo": "2015-04-15 10:41:35", - "Signature": "80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121506480253469e07e54ee8612041fbb92", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -51963,92 +36869,130 @@ } ], "Tags": [ - "PanMonFltX64.sys" - ] + "NalDrv.sys" + ], + "yara": true }, { - "Id": "4db827b1-325b-444d-9f23-171285a4d12f", + "Id": "81a73e57-2e92-4d21-97d3-1c21eb4c3aea", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create VProEventMonitor.sys binPath=C:\\windows\\temp\\VProEventMonitor.sys type=kernel && sc.exe start VProEventMonitor.sys", - "Description": "", + "Command": "sc.exe create LenovoDiagnosticsDriver.sys binPath=C:\\windows\\temp\\LenovoDiagnosticsDriver.sys type=kernel && sc.exe start LenovoDiagnosticsDriver.sys", + "Description": "The aforementioned driver has been identified as vulnerable to CVE-2022-3699", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://nephosec.com/cve-2022-3699-lenovo-diagnostics-driver-eop-arbitrary-r-w/", + "https://github.com/alfarom256/CVE-2022-3699", + "https://support.lenovo.com/us/en/product_security/LEN-94532" ], "Acknowledgement": { - "Person": "", - "Handle": "" + "Person": "Mike Alfaro", + "Handle": "alfarom256" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "VProEventMonitor.sys", - "MD5": "cd9f0fcecf1664facb3671c0130dc8bb", - "SHA1": "0c26ab1299adcd9a385b541ef1653728270aa23e", - "SHA256": "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca", + "Filename": "LenovoDiagnosticsDriver.sys", + "MD5": "b941c8364308990ee4cc6eadf7214e0f", + "SHA1": "b89a8eef5aeae806af5ba212a8068845cafdab6f", + "SHA256": "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe", "Signature": [ - "Symantec Corporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "Lenovo", + "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "DigiCert Trusted Root G4" ], "Date": "", "Publisher": "", - "Company": "Symantec Corporation", - "Description": "VProEventMonitor.Sys - Event Monitoring driver", - "Product": "Symantec Event Monitors Driver Development Edition", - "ProductVersion": "1.0.0", - "FileVersion": "1.0.0.45708", + "Company": "Lenovo Group Limited (R)", + "Description": "Lenovo Diagnostics Driver for Windows 10 and later.", + "Product": "Lenovo Diagnostics", + "ProductVersion": "1.0.4.0", + "FileVersion": "1.0.4.0", "MachineType": "AMD64", - "OriginalFilename": "VProEventMonitor.Sys", + "OriginalFilename": "LenovoDiagnosticsDriver.sys", "Authentihash": { - "MD5": "ed01170d94a5e21d04b6d7212b53c994", - "SHA1": "cbaa70aac878a389c8213a5bc0df830b1d5b4e04", - "SHA256": "9994990c02c37472625cc7b2255044feef9b73c08ca3a70c06861b7d26b27a25" + "MD5": "56b6144e389ce3b1e2a0a96a954aa7d8", + "SHA1": 
"6d9543725aca0c9c8f403425952692ccc1d2d7f2", + "SHA256": "34e6a56c60746c51034b45a7b2a36617205b598d0bbcc695f92404605a0975d5" }, - "InternalName": "VProEventMonitor.Sys", - "Copyright": "Copyright © 2007-2008 Symantec Corporation. All rights reserved.", + "InternalName": "LenovoDiagnosticsDriver.sys", + "Copyright": "© 2021 Lenovo Group Limited. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "PsGetVersion", - "strncmp", - "ZwOpenProcess", - "ExAcquireFastMutex", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IofCompleteRequest", "IoCreateSymbolicLink", - "PsLookupProcessByProcessId", - "RtlCopyUnicodeString", - "ObfDereferenceObject", - "IoCreateDevice", - "RtlInitUnicodeString", "IoDeleteDevice", - "KeSetEvent", - "IoCreateNotificationEvent", - "MmGetSystemRoutineAddress", - "KeInitializeEvent", - "PsSetCreateProcessNotifyRoutine", - "ExAllocatePoolWithTag", - "IoGetCurrentProcess", - "KeClearEvent", - "ZwClose", "IoDeleteSymbolicLink", - "IofCompleteRequest", + "__C_specific_handler", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", "ExFreePoolWithTag", - "KeBugCheckEx", - "DbgPrint", - "ExReleaseFastMutex", - "KeQueryPerformanceCounter" + "ZwClose", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "ObOpenObjectByPointer", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "ExAllocatePoolWithTag", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "RtlGetOwnerSecurityDescriptor", + "DbgPrintEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" ], "Signatures": [ { 
@@ -52056,52 +37000,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Florida, L=Heathrow, O=Symantec Corporation, OU=IMG, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Symantec Corporation", - "ValidFrom": "2011-09-09 00:00:00", - "ValidTo": "2013-09-08 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=North Carolina, L=Morrisville, O=Lenovo, OU=G14, CN=Lenovo", + "ValidFrom": "2021-11-22 00:00:00", + "ValidTo": "2022-03-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "7b00eb4233c0876e11580566d44735fe", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "01d4b02045832881e2d7530641135991", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } 
@@ -52109,18 +37025,19 @@
 }
 ],
 "Tags": [
- "VProEventMonitor.sys"
- ]
+ "LenovoDiagnosticsDriver.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "47724cc1-bf75-4ab7-a47a-355a9aa30de1",
+ "Id": "20076ebf-4427-4056-b035-5238f95debe9",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create BSMIx64.sys binPath=C:\\windows\\temp\\BSMIx64.sys type=kernel && sc.exe start BSMIx64.sys",
+ "Command": "sc.exe create BSMIXP64.sys binPath=C:\\windows\\temp\\BSMIXP64.sys type=kernel && sc.exe start BSMIXP64.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
@@ -52134,13 +37051,34 @@
 "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
 "KnownVulnerableSamples": [
 {
- "Filename": "BSMIx64.sys",
- "MD5": "444f538daa9f7b340cfd43974ed43690",
- "SHA1": "c6bd965300f07012d1b651a9b8776028c45b149a",
- "SHA256": "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9",
+ "Filename": "BSMIXP64.sys",
+ "MD5": "fac8eb49e2fd541b81fcbdeb98a199cb",
+ "SHA1": "9a35ae9a1f95ce4be64adc604c80079173e4a676",
+ "SHA256": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347",
 "Signature": [
 "BIOSTAR MICROTECH INT'L CORP",
 "VeriSign Class 3 Code Signing 2009-2 CA",
@@ -52156,9 +37094,9 @@
 "MachineType": "AMD64",
 "OriginalFilename": "BSMI.sys",
 "Authentihash": {
- "MD5": "72a5a1e2fc2713cfa0d159485ce1253c",
- "SHA1": "b978b3595a1a8cb5a345bce980178e8abf5e0bae",
- "SHA256": "15bc804877a607ba0d017df9f6ac951ac7ffbcca8069c5ba28e0cf505f7553b8"
+ "MD5": "0dea670f26bf6bf65701c4aa0dd89079",
+ "SHA1": "cc071f9cc1cb577b22824d401b63508f61cd76c0",
+ "SHA256": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7"
 },
 "InternalName": "BSMI.sys",
 "Copyright": "Copyright (C) BIOSTAR Corp. 2011",
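Review bot: Every Detection `value` added in this hunk (and in the other Detection blocks of this patch) is a `blob/main` GitHub URL, so the rule a consumer fetches from it can change after this snapshot of drivers.json was taken. If the tool only displays these links that is harmless, but if anything downloads and applies them, a reference pinned to a commit or tag (`blob/<commit>/detections/...`, placeholder) would make the result reproducible. I can't tell from the hunk which of the two applies.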
@@ -52186,10 +37124,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
- "ValidFrom": "2007-06-15 00:00:00",
- "ValidTo": "2012-06-14 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
+ "ValidFrom": "2012-05-01 00:00:00",
+ "ValidTo": "2012-12-31 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -52232,18 +37170,19 @@
 }
 ],
 "Tags": [
- "BSMIx64.sys"
- ]
+ "BSMIXP64.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "51c342f3-0b91-4674-8f81-bc016855f30f",
+ "Id": "b72f7335-6f27-42c5-85f5-ed7eb9016eac",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create AsrDrv101.sys binPath=C:\\windows\\temp\\AsrDrv101.sys type=kernel && sc.exe start AsrDrv101.sys",
+ "Command": "sc.exe create AsrAutoChkUpdDrv.sys binPath=C:\\windows\\temp\\AsrAutoChkUpdDrv.sys type=kernel && sc.exe start AsrAutoChkUpdDrv.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
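Review bot: Hyphens inside certificate distinguished names appear to have been replaced by ` , ` on the new side: `CN=Symantec Time Stamping Services Signer , G3` here, `CN=VeriSign Class 3 Public Primary Certification Authority , G5` in hunk `@@ -52373`, and `OU=Digital ID Class 3 , Microsoft Software Validation v2` in hunk `@@ -52494`, where the names as issued are `Signer - G3`, `Authority - G5` and `Class 3 - Microsoft`. Because `Subject` and `Issuer` are already comma-separated RDN lists, the substitution introduces a spurious ` G3`/` G5` attribute and makes the strings fail an exact comparison against the certificate itself. This looks like a normalization in whatever exports drivers.json rather than a hand edit, so the fix belongs there; the hash and `SerialNumber` values are unaffected.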
@@ -52257,13 +37196,34 @@
 "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
 "KnownVulnerableSamples": [
 {
- "Filename": "AsrDrv101.sys",
- "MD5": "1a234f4643f5658bab07bfa611282267",
- "SHA1": "57511ef5ff8162a9d793071b5bf7ebe8371759de",
- "SHA256": "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b",
+ "Filename": "AsrAutoChkUpdDrv.sys",
+ "MD5": "75d6c3469347de1cdfa3b1b9f1544208",
+ "SHA1": "6523b3fd87de39eb5db1332e4523ce99556077dc",
+ "SHA256": "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4",
 "Signature": [
 "ASROCK Incorporation",
 "VeriSign Class 3 Code Signing 2010 CA",
@@ -52272,18 +37232,18 @@
 "Date": "",
 "Publisher": "ASROCK Incorporation",
 "Company": "ASRock Incorporation",
- "Description": "ASRock IO Driver",
- "Product": "ASRock IO Driver",
+ "Description": "AsrAutoChkUpdDrv Driver",
+ "Product": "AsrAutoChkUpdDrv Driver",
 "ProductVersion": "1.00.00.0000",
 "FileVersion": "1.00.00.0000 built by: WinDDK",
 "MachineType": "AMD64",
- "OriginalFilename": "AsrDrv.sys",
+ "OriginalFilename": "AsrAutoChkUpdDrv.sys",
 "Authentihash": {
- "MD5": "236e9dd83b6d3ae6d23a57590b68fb5e",
- "SHA1": "d0580bfc31faefb7e017798121c5b8a4e68155f9",
- "SHA256": "fee4560f2160a951d83344857eb4587ab10c1cfd8c5cfc23b6f06bef8ebcd984"
+ "MD5": "18d039cb3a6ac52395a74fb8189c4110",
+ "SHA1": "2eaa89604fa6e129825219b0debb59e775949672",
+ "SHA256": "d3d601c77d4bb367ab3105920ca8435aa775448a49c1eda6ac6f46ee5d8709cb"
 },
- "InternalName": "AsrDrv.sys",
+ "InternalName": "AsrAutoChkUpdDrv.sys",
 "Copyright": "Copyright (C) 2012 ASRock Incorporation",
 "Imports": [
 "ntoskrnl.exe",
@@ -52373,119 +37333,267 @@ } ], "Tags": [ - "AsrDrv101.sys" - ] + "AsrAutoChkUpdDrv.sys" + ], + "yara": true }, { - "Id": "4bf4b425-10af-4cd4-88e6-beb4b947eb48", + "Id": "fab98aaa-e4e7-4c4a-af65-c00d35cf66e9", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create IObitUnlocker.sys binPath=C:\\windows\\temp\\IObitUnlocker.sys type=kernel && sc.exe start IObitUnlocker.sys", + "Command": "sc.exe create cpuz141.sys binPath=C:\\windows\\temp\\cpuz141.sys type=kernel && sc.exe start cpuz141.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "IObitUnlocker.sys", - "MD5": "2391fb461b061d0e5fccb050d4af7941", - "SHA1": "7c6cad6a268230f6e08417d278dda4d66bb00d13", - "SHA256": "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004", + "Filename": "cpuz141.sys", + "MD5": "db72def618cbc3c5f9aa82f091b54250", + "SHA1": "f5696fb352a3fbd14fb1a89ad21a71776027f9ab", + "SHA256": "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d", "Signature": [ - "IObit CO., LTD", - "DigiCert EV Code Signing CA", - "DigiCert" + "CPUID", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", - "Publisher": "", - "Company": "IObit Information Technology", - "Description": "Unlocker Driver", - "Product": "Unlocker", - "ProductVersion": "1.3.0.10", - "FileVersion": "1.3.0.10", + "Publisher": "CPUID", + "Company": "CPUID", + "Description": "CPUID Driver", + "Product": "CPUID service", + "ProductVersion": "6.1.7600.16385", + "FileVersion": "6.1.7600.16385 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "IObitUnlocker.sys", + "OriginalFilename": "cpuz.sys", "Authentihash": { - "MD5": "751c91ae91cb43aadaeaa1bb187c593a", - "SHA1": "dd220acea885a954085e614b94da2b5bba5c0cc3", - "SHA256": "e0aff24a54400fe9f86564b8ce9f874e7ff51e96085ff950baff05844cff2bd1" + "MD5": "17b67e675e778c70d3c348d5088ab514", + "SHA1": "b38b98608e410c1555a7d73056e86e1db850bb2e", + "SHA256": "33b88ac3151f2192eaf4c2be3c7ad00e49090c8b94ec51b754e19ac784b087aa" }, - "InternalName": "IObitUnlocker.sys", - "Copyright": "© IObit. 
All rights reserved.", + "InternalName": "cpuz.sys", + "Copyright": "Copyright(C) 2016 CPUID", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", + "RtlInitUnicodeString", "IoDeleteDevice", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "_wcsnicmp", - "ZwReadFile", - "IoGetRelatedDeviceObject", - "MmGetSystemRoutineAddress", "KeInitializeEvent", - "ExInterlockedPopEntryList", - "KeDelayExecutionThread", - "IoFileObjectType", - "ZwWaitForSingleObject", - "ZwCreateFile", - "ExAllocatePool", - "IoGetCurrentProcess", - "ZwClose", - "ObReferenceObjectByHandle", + "RtlInitAnsiString", + "MmUnmapIoSpace", + "IoCancelIrp", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", "KeWaitForSingleObject", - "RtlCompareUnicodeString", - "IoAllocateIrp", + "PsGetVersion", + "IoCreateSymbolicLink", "ObfDereferenceObject", - "ZwQueryInformationFile", - "ZwWriteFile", - "ObOpenObjectByPointer", - "DbgPrint", + "IoCreateDevice", "IofCallDriver", - "_wcsicmp", - "PsGetProcessPeb", - "PsLookupProcessByProcessId", - "ZwQuerySymbolicLinkObject", - "RtlInitUnicodeString", - "KeSetEvent", - "RtlAppendUnicodeToString", - "IoCreateFile", - "ZwQuerySystemInformation", - "ZwOpenSymbolicLinkObject", - "KeUnstackDetachProcess", - "ObQueryNameString", - "wcsrchr", - "ZwQueryDirectoryFile", - "_vsnwprintf", - "RtlAppendUnicodeStringToString", - "ZwDuplicateObject", - "IoFreeIrp", - "ZwOpenProcess", - "PsGetCurrentProcessId", - "MmIsAddressValid", - "ZwTerminateProcess", - "ExInterlockedPushEntryList", - "KeStackAttachProcess", "KeBugCheckEx", + "ExFreePoolWithTag", + "IoDeleteSymbolicLink", + "IoBuildDeviceIoControlRequest", + "MmMapIoSpace", + "ExAllocatePoolWithTag", + "RtlUnwindEx", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + 
"KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, CN=CPUID", + "ValidFrom": "2014-12-02 00:00:00", + "ValidTo": "2018-03-02 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2d8021d84f098e7abde199f818e211a4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "cpuz141.sys" + ], + "yara": true + }, + { + "Id": "ca1e8664-841f-4e4b-9e67-3f515cc249c6", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ndislan.sys binPath=C:\\windows\\temp \\n \\n \\n dislan.sys type=kernel && sc.exe start ndislan.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + 
"type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ndislan.sys", + "MD5": "47e6ac52431ca47da17248d80bf71389", + "SHA1": "d417c0be261b0c6f44afdec3d5432100e420c3ed", + "SHA256": "b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427", + "Signature": "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.", + "Date": "4:49 PM 10/12/2012", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "MS LAN Driver", + "Product": "Microsoft® Windows® Operating System", + "ProductVersion": "6.1.7600.1421", + "FileVersion": "6.1.7600.1421", + "MachineType": "AMD64", + "OriginalFilename": "ndislan.sys", + "Authentihash": { + "MD5": "8bddebd3670d9f154318afd62195a2b8", + "SHA1": "7f57424f2ce7186e3a1951f3710f28d7ce9c8a96", + "SHA256": "9345c3af554c06aa949492f1642a7a03404956d2952cca8a68658b62dccb0825" + }, + "InternalName": "ndislan.sys", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapLockedPages", + "RtlInitUnicodeString", + "RtlUnicodeStringToAnsiString", + "IoFreeMdl", + "strncpy", + "MmMapLockedPagesSpecifyCache", + "ZwQueryValueKey", + "ZwFreeVirtualMemory", + "IofCompleteRequest", + "RtlFreeAnsiString", + "MmProbeAndLockPages", + "MmUnlockPages", + "strrchr", + "IoAllocateMdl", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "RtlAnsiStringToUnicodeString", + "_stricmp", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "NtQuerySystemInformation", + "MmGetSystemRoutineAddress", + "RtlImageDirectoryEntryToData", + "ObMakeTemporaryObject", + "RtlInitAnsiString", + "RtlFreeUnicodeString", + "IoDriverObjectType", + "ObfDereferenceObject", + "IoCreateDriver", + "ObReferenceObjectByName", "__C_specific_handler" ], "Signatures": [ 
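Review bot: The `Command` of the new ndislan.sys record is corrupted: its `binPath` reads `C:\\windows\\temp \\n \\n \\n dislan.sys`, which looks like `\\ndislan.sys` mangled by a step that treated `\n` as an escape, and every other record in this file uses `C:\\windows\\temp\\<Filename>`, so this one should read `binPath=C:\\windows\\temp\\ndislan.sys`. In the same record `"Signature"` is a verification-error string (`"A required certificate is not within its validity period…"`) whereas every other sample, including cpuz141 earlier in this hunk, carries an array of signer names, so a consumer iterating `Signature` will break on this entry; keeping the array (empty if nothing verifies) and putting the message in its own field would preserve the shape. `"Date": "4:49 PM 10/12/2012"` is a locale-formatted timestamp with an ambiguous day/month order while `Created` uses ISO dates, and `Resources` ends with an empty `""` element. All of these look like export artifacts worth normalizing before the next refresh.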
@@ -52494,31 +37602,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=CN, ??=Sichuan, ??=Wuhou District, Chengdu, ??=Private Organization, serialNumber=91510107072412418F, C=CN, ST=Sichuan, L=Chengdu, O=IObit CO., LTD, CN=IObit CO., LTD", - "ValidFrom": "2019-08-27 00:00:00", - "ValidTo": "2022-08-30 12:00:00", - "Signature": "89d53256ccf4b2e50a8e05d88de9ed33f6adde16e143a6f7f042ec4ed9220c7c4195b543ad1ae9c5ae5421f192140d62b28449c83a0c31759765c127fed77c447072976f2d5e8d44e07dafbbc5a0cea9e8020081c3f8a22a1519e53d8c69ff3ffbd7e090e92593a738b8bd6d583b27e5e797672294147fd1b8492683b1b3f202c3e0c571f9fad02d95f8204e054fa722ac42bf21e54ec1891942ab339f004ab57cb01838539bf5196fc1579e0add7c42206ff5e10bb0934b4a801fab12ed748a6a858af5c9601296ce6ca9b14b46f731a0485f49f142ab65dacb0103daaee13b2269f2c2b2d2bb2b04abe93642ecc988fa536170194acc1c73d48a781d3d5f0e", + "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0d98f5df96c592c5b76bfde1cb823096", - "Issuer": 
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -52526,18 +37634,19 @@ } ], "Tags": [ - "IObitUnlocker.sys" - ] + "ndislan.sys" + ], + "yara": true }, { - "Id": "19d16518-4aee-4983-ba89-dbbe0fa8a3e7", + "Id": "5943b267-64f3-40d4-8669-354f23dec122", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create AsrRapidStartDrv.sys binPath=C:\\windows\\temp\\AsrRapidStartDrv.sys type=kernel && sc.exe start AsrRapidStartDrv.sys", + "Command": "sc.exe create Agent64.sys binPath=C:\\windows\\temp\\Agent64.sys type=kernel && sc.exe start Agent64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -52551,61 +37660,240 @@ "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "AsrRapidStartDrv.sys", - "MD5": "31469f1313871690e8dc2e8ee4799b22", - "SHA1": "89cd760e8cb19d29ee08c430fb17a5fd4455c741", - "SHA256": "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb", + "Filename": "Agent64.sys", + "MD5": 
"8407ddfab85ae664e507c30314090385", + "SHA1": "8db869c0674221a2d3280143cbb0807fac08e0cc", + "SHA256": "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748", "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "eSupport.com, Inc.", + "GlobalSign CodeSigning CA - SHA256 - G2", + "GlobalSign", + "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "ASROCK Incorporation", - "Company": "RW-Everything", - "Description": "RW-Everything Read & Write Driver", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", + "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", + "Company": "Phoenix Technologies", + "Description": "DriverAgent Direct I/O for 64-bit Windows", + "Product": "DriverAgent", + "ProductVersion": "6.0", + "FileVersion": "6.0", "MachineType": "AMD64", - "OriginalFilename": "RwDrv.sys", + "OriginalFilename": "Agent64.sys", "Authentihash": { - "MD5": "98a9518fefaf056f5804b631e735ff73", - "SHA1": "5ac05af283a3bda3b09ce8ad292ba5c689216b7a", - "SHA256": "913ab7134ea3460e76db753cf68f336ada8f0b9c397be88c75f9567a8694f4a5" + "MD5": "d86884546c97e614b73d16c600cfb2df", + "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", + "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" }, - "InternalName": "RwDrv.sys", - "Copyright": "Copyright (C) 2008 RW-Everything", + "InternalName": "Agent64.sys", + "Copyright": "EnTech Taiwan, 1997-2009", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", + "KeInitializeDpc", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCallDriver", "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", - "RtlInitUnicodeString", + "ExAllocatePool", + "ZwClose", + "MmUnmapLockedPages", "IoDeleteDevice", - "RtlQueryRegistryValues", + "KeSetEvent", + 
"MmFreeContiguousMemory", "MmUnmapIoSpace", "IoFreeMdl", + "ZwUnmapViewOfSection", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "IoStartNextPacket", + "KeInsertQueueDpc", + "MmMapLockedPages", + "ZwMapViewOfSection", + "MmBuildMdlForNonPagedPool", "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "KeBugCheckEx", + "RtlInitUnicodeString", + "_snwprintf", + "IoCreateNotificationEvent", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress", + "HalGetInterruptVector", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , SHA256 , G2", + "ValidFrom": "2011-08-02 10:00:00", + "ValidTo": "2019-08-02 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2009-11-18 10:00:00", + "ValidTo": "2019-03-18 10:00:00", + "Signature": 
"4252a97ea2cf5b3bcb4bddbaf85759d324a47772ef62443782ed06ee04d5165f24a314dc6c54056ab09b3dda8139daad28db956f8183f5cd62b14524b1dd29e5085495958cf01d065f1ad6463f1340174811169b474dd13ab50f571c9230d0f8b2253b0acdf687f9c7b257d33f7da58c14ce9ca8c79f4693da59fa795d652035445a4fc1909dc1549256dc34c8f5c103d05dc059489c00fc95a0f1d176f71636c813927f2d2bc0b880f126261f414d52bf1e97bb018208e715f6c1d5342accf5e4c3877a5781e1d6d74286620177e2a9c47a86f404387a076a7d00ec73f7a80b3478c59eb3efb838400e8c3353c875ec5f3eea755eff820e7415dc1905f3ba31", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=MA, L=North Andover, O=eSupport.com, Inc., CN=eSupport.com, Inc.", + "ValidFrom": "2014-09-24 20:36:26", + "ValidTo": "2015-09-25 20:36:26", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "11216e054fad930d88cabc078eb0d3bcc8ac", + "Issuer": 
"C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , SHA256 , G2" + } + ] + } + ] + }, + { + "Filename": "Agent64.sys", + "MD5": "1ed08a6264c5c92099d6d1dae5e8f530", + "SHA1": "27d3ebea7655a72e6e8b95053753a25db944ec0f", + "SHA256": "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca", + "Signature": [ + "Phoenix Technologies Ltd", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", + "Company": "Phoenix Technologies", + "Description": "DriverAgent Direct I/O for 64-bit Windows", + "Product": "DriverAgent", + "ProductVersion": "6.0", + "FileVersion": "6.0", + "MachineType": "AMD64", + "OriginalFilename": "Agent64.sys", + "Authentihash": { + "MD5": "d86884546c97e614b73d16c600cfb2df", + "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", + "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" + }, + "InternalName": "Agent64.sys", + "Copyright": "EnTech Taiwan, 1997-2009", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeInitializeDpc", "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", "IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", "IofCallDriver", + "ExFreePoolWithTag", + "ExAllocatePool", + "ZwClose", + "MmUnmapLockedPages", + "IoDeleteDevice", + "KeSetEvent", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "IoFreeMdl", + "ZwUnmapViewOfSection", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "IoStartNextPacket", + "KeInsertQueueDpc", + "MmMapLockedPages", + "ZwMapViewOfSection", + "MmBuildMdlForNonPagedPool", + "MmGetPhysicalAddress", + "MmMapLockedPagesSpecifyCache", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "KeBugCheckEx", - "ExAllocatePoolWithTag", + "RtlInitUnicodeString", + 
"_snwprintf", + "IoCreateNotificationEvent", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress", + "HalGetInterruptVector", "KeStallExecutionProcessor" ], "Signatures": [ 
@@ -52628,120 +37916,112 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 13:00:00", + "ValidTo": "2017-01-27 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, ST=MA, L=North Andover, O=Phoenix Technologies Ltd, OU=eSupport, CN=Phoenix Technologies Ltd", + "ValidFrom": "2009-12-11 17:20:45", + "ValidTo": "2010-12-12 17:20:42", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 10:00:00", + "ValidTo": "2017-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms 
of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "010000000001257ee1f400", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] - } - ], - "Tags": [ - "AsrRapidStartDrv.sys" - ] - }, - { - "Id": "9b65dba4-81a0-48cc-8ff0-a4f353881062", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create EneIo64.sys binPath=C:\\windows\\temp\\EneIo64.sys type=kernel && sc.exe start EneIo64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", - "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "EneIo64.sys", - "MD5": "11fb599312cb1cf43ca5e879ed6fb71e", - "SHA1": "b4d014b5edd6e19ce0e8395a64faedf49688ecb5", - "SHA256": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374", + "Filename": "Agent64.sys", + "MD5": "ddc2ffe0ab3fcd48db898ab13c38d88d", + "SHA1": "33cdab3bbc8b3adce4067a1b042778607dce2acd", + "SHA256": 
"6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa", "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" + "Phoenix Technologies Ltd", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", + "Company": "Phoenix Technologies", + "Description": "DriverAgent Direct I/O for 64-bit Windows", + "Product": "DriverAgent", + "ProductVersion": "6.0", + "FileVersion": "6.0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "Agent64.sys", "Authentihash": { - "MD5": "198111fd73515aa7fe4387612f027f0f", - "SHA1": "651b953cb03928e41424ad59f21d4978d6f4952e", - "SHA256": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12" + "MD5": "d86884546c97e614b73d16c600cfb2df", + "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", + "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" }, - "InternalName": "", - "Copyright": "", + "InternalName": "Agent64.sys", + "Copyright": "EnTech Taiwan, 1997-2009", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", + "KeInitializeDpc", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCallDriver", + "ExFreePoolWithTag", + "ExAllocatePool", + "ZwClose", + "MmUnmapLockedPages", "IoDeleteDevice", + "KeSetEvent", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "IoFreeMdl", "ZwUnmapViewOfSection", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "IoStartNextPacket", + "KeInsertQueueDpc", + "MmMapLockedPages", "ZwMapViewOfSection", - 
"ObfDereferenceObject", - "IoCreateDevice", - "RtlAssert", + "MmBuildMdlForNonPagedPool", + "MmGetPhysicalAddress", + "MmMapLockedPagesSpecifyCache", + "ObReferenceObjectByHandle", "ZwOpenSection", - "DbgPrint", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "KeBugCheckEx", - "IoCreateSymbolicLink", + "RtlInitUnicodeString", + "_snwprintf", + "IoCreateNotificationEvent", "IoDeleteSymbolicLink", - "HalTranslateBusAddress" + "HalTranslateBusAddress", + "HalGetInterruptVector", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -52749,103 +38029,125 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2017-10-05 17:44:16", - "ValidTo": "2018-10-05 17:44:16", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { - "SerialNumber": "330000001f9800c911029569be00000000001f", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 13:00:00", + "ValidTo": "2017-01-27 12:00:00", + "Signature": 
"b578a6a27c04b77fc97f7d6abc71fa293060c2f4621efe7f431e9b6ee2b21f730b85765b7df54e49062fd4fab79140efed6f8d8e138354c52a023d0aa4dc990b7abd772fcc40c18ff3c48c4e72ba107ce6ff642bc7ce6ca7fcd79a7c8e468d01834d423bdb9c3f9f326157d717b0b33666f0b3fd446f8137b1944ea7562589f58ad66d116262795c42900218d39c23fc08e86445b92d7e805b4eafc38a299283781f914134af85c5fd07994e2c5cfec7fd17bb2525314d72b5b5294b489a376f13c7114e4a451e7e2f319cabe852afd6679734885f0e276a6652d15ac7ac302c2038dd2bff3aebce104582a27b1ba12073569b2a93e60451066c1bdc2f899493", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=MA, L=North Andover, O=Phoenix Technologies Ltd, OU=eSupport, CN=Phoenix Technologies Ltd", + "ValidFrom": "2009-12-11 17:20:45", + "ValidTo": "2010-12-12 17:20:42", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 10:00:00", + "ValidTo": "2017-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } - ] - } - ] - } - ], - "Tags": [ - "EneIo64.sys" - ] - }, - { - "Id": "2e4fedb0-30ed-400d-b4e1-b2b2004c1607", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create OpenLibSys.sys binPath=C:\\windows\\temp\\OpenLibSys.sys type=kernel && sc.exe start OpenLibSys.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + ], + "Signer": [ + { + "SerialNumber": "010000000001257ee1f400", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] + }, { - "Filename": "OpenLibSys.sys", - "MD5": "ccf523b951afaa0147f22e2a7aae4976", - "SHA1": "ac600a2bc06b312d92e649b7b55e3e91e9d63451", - "SHA256": "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c", + "Filename": "Agent64.sys", + "MD5": "29ccff428e5eb70ae429c3da8968e1ec", + "SHA1": "21e6c104fe9731c874fab5c9560c929b2857b918", + "SHA256": "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f", "Signature": [ - "Noriyuki MIYAZAKI", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", + "eSupport.com, Inc", + "GlobalSign CodeSigning CA - G2", "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "", - "Company": "OpenLibSys.org", - "Description": "OpenLibSys", - "Product": "OpenLibSys", - "ProductVersion": "1.0.0.2", - "FileVersion": "1.0.0.2", + "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", + "Company": "Phoenix Technologies", + "Description": "DriverAgent Direct I/O for 64-bit Windows", + "Product": "DriverAgent", + "ProductVersion": "6.0", + "FileVersion": "6.0", "MachineType": "AMD64", - "OriginalFilename": "OpenLibSys.sys", + "OriginalFilename": "Agent64.sys", "Authentihash": { - "MD5": "1244664c7917f03f2b43b30e132f64b5", - "SHA1": "d6f015693e56a3ebba725a6591cc07443d0e1661", - "SHA256": "db68a9cbe22b22cba782592eef76e63e080ee8d30943be6da694701f44b6c33e" + "MD5": "d86884546c97e614b73d16c600cfb2df", + "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", + "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" }, - "InternalName": "OpenLibSys.sys", - "Copyright": "Copyright (C) 2007 
OpenLibSys.org", + "InternalName": "Agent64.sys", + "Copyright": "EnTech Taiwan, 1997-2009", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "KeInitializeDpc", "IofCompleteRequest", - "IoDeleteDevice", + "IoCreateSymbolicLink", "IoCreateDevice", + "IofCallDriver", + "ExFreePoolWithTag", + "ExAllocatePool", + "ZwClose", + "MmUnmapLockedPages", + "IoDeleteDevice", + "KeSetEvent", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "IoFreeMdl", + "ZwUnmapViewOfSection", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "IoStartNextPacket", + "KeInsertQueueDpc", + "MmMapLockedPages", + "ZwMapViewOfSection", + "MmBuildMdlForNonPagedPool", + "MmGetPhysicalAddress", + "MmMapLockedPagesSpecifyCache", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "KeBugCheckEx", "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "_snwprintf", + "IoCreateNotificationEvent", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalTranslateBusAddress", + "HalGetInterruptVector", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -52853,102 +38155,119 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", - "ValidFrom": "2007-09-24 10:50:55", - "ValidTo": "2008-09-24 10:50:55", - "Signature": "4b6c4ea808b550cbae0f97c27726a0445d0e3e021ee0e0087bfe5bbc290e3e45ca35333f2a97fb7667f64326629f7a99fe2fec4da9fe14f0d858419982b983457848fbd6a9115769db6c5626b4d2f87fc77019a755a9efdf81b1968dfbfa638bf87bd25a8adf1c6c3bba3735f06b54d127462ed40dc364ad4c4f29c9f9692b29ff9557300a7c0d395f250172e312ff253b7ce8885ef8c1fe60c448676180e4ca09b34b52ae116b01f22b446b827a748ca80aee5f8e9ff6725e1dce5a7984c26eb72a615a9ef272f6f7b2e03e6d34665caf506b93cb5a2de127177eb1923cf5bc499e312d6c43ff5a26124ea63a4dc9a3340daa6449c2322857adf98166423cfb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", - "ValidFrom": "2003-12-16 13:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", - "ValidFrom": "2007-02-05 09:00:00", - "ValidTo": "2014-01-27 09:00:00", - "Signature": "649b07caaccc411e37ef6f349cb5e8ca48f9daeafaf7172e5cad193b7311ec5adbfd7b213161c092515bb166b07c64d8fe10b471a8bc9e75379c5f6ff2da0437b8ecc003e256b7785995581d7a7c3e18d74c32bdf91ee723457fdee08d65825b45fd64c66fc3d7ea12411d0c395ef696f8c3cd9e1fff51886976988b8eb42788821ad63c7aabb04eb73ee8d434d2c1a439533cb2747b15373054a6ebb924cc2f084b4364f14aaf8d9ce8546cb2dbdc3bb1c722849f558e72a8b2a8f6f0ff03c996ebab8273dabe45561936fdba6cbc71f0d3c7c376d7e4bce2a1a67200cfbdb200ed92aa39ab09d16e3953862ad43b517398b754e9972d9977ee123e3642257f", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Massachusetts, L=North Andover, O=eSupport.com, Inc, CN=eSupport.com, Inc", + "ValidFrom": "2013-08-20 20:02:56", + "ValidTo": "2014-08-21 20:02:56", + "Signature": 
"8f8cbb4f0adaa90368c533e8ccdfa1cc41e00542eeff2f26535b87723292930e207a18e6738acd604e85995e5c2783dae363ed56452392b15f55db6d5f0054352847ecce83b3b40504a1a1299d608674bbe771bb10bdaac159895d747de333ab565ccb7e153003b958d2c2c5e0646faec117a93625865ca9446d2c8fd6cdd474c4c9d11aa2c6dae281c649564df8918607430a7391144cbc9401aac196acabd2bf077fb25dc2d8a90dde1523dbec77eb72c782b3c7b3b0d4c50915bac1f256ed27e6b73d992927946dae1a8675b9cd0e68ba58c4d609f8b3bb20dfade8f1f436213c2965db77ef07105cbb9daf2ba0f70afd473ee557204bf7caeb7938244f50", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "01000000000115372421a8", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "11213d2f2fb6b9005e295e3c9596b6442513", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "Filename": "OpenLibSys.sys", - "MD5": "96421b56dbda73e9b965f027a3bda7ba", - "SHA1": "da9cea92f996f938f699902482ac5313d5e8b28e", - "SHA256": "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008", + "Filename": "Agent64.sys", + "MD5": "a57b47489febc552515778dd0fd1e51c", + "SHA1": "d979353d04bf65cc92ad3412605bc81edbb75ec2", + "SHA256": "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414", "Signature": [ - "Noriyuki MIYAZAKI", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", + "eSupport.com, Inc.", + "GlobalSign Extended Validation CodeSigning CA - SHA256 - G2", + "GlobalSign", "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "", - "Company": 
"OpenLibSys.org", - "Description": "OpenLibSys", - "Product": "OpenLibSys", - "ProductVersion": "1.0.1.3", - "FileVersion": "1.0.1.3", + "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", + "Company": "Phoenix Technologies", + "Description": "DriverAgent Direct I/O for 64-bit Windows", + "Product": "DriverAgent", + "ProductVersion": "6.0", + "FileVersion": "6.0", "MachineType": "AMD64", - "OriginalFilename": "OpenLibSys.sys", + "OriginalFilename": "Agent64.sys", "Authentihash": { - "MD5": "bd94d3a0abc78f87147bf8ea41aad734", - "SHA1": "7ecbd5098c4161b95dd7e674003dd53069374f3e", - "SHA256": "6f3937451f0170a0aec3033cadceeb86ab30ee3c67add3926e116ccc20c0d9a7" + "MD5": "d86884546c97e614b73d16c600cfb2df", + "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", + "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" }, - "InternalName": "OpenLibSys.sys", - "Copyright": "Copyright (C) 2007 OpenLibSys.org", + "InternalName": "Agent64.sys", + "Copyright": "EnTech Taiwan, 1997-2009", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "KeInitializeDpc", "IofCompleteRequest", - "IoDeleteDevice", + "IoCreateSymbolicLink", "IoCreateDevice", + "IofCallDriver", + "ExFreePoolWithTag", + "ExAllocatePool", + "ZwClose", + "MmUnmapLockedPages", + "IoDeleteDevice", + "KeSetEvent", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "IoFreeMdl", + "ZwUnmapViewOfSection", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "IoStartNextPacket", + "KeInsertQueueDpc", + "MmMapLockedPages", + "ZwMapViewOfSection", + "MmBuildMdlForNonPagedPool", + "MmGetPhysicalAddress", + "MmMapLockedPagesSpecifyCache", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "KeBugCheckEx", "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "_snwprintf", + "IoCreateNotificationEvent", "IoDeleteSymbolicLink", - 
"__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalTranslateBusAddress", + "HalGetInterruptVector", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -52956,52 +38275,38 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", - "ValidFrom": "2007-09-24 10:50:55", - "ValidTo": "2008-09-24 10:50:55", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", - "ValidFrom": "2003-12-16 13:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "5c2f2e674a26b3e7b53f353cdda003ed569af9443752163065c7d14ea20f8db7b6b6678ee74cec8d95bee6cea7227874acd7f87499b3f7ce8b1338d596cc8d76c52f38b23aae61be0b8799e321626423398d84f6858df777ffb03806f07ec1485fb5ee582606660522749283a7dbb5f992e3e8c3192c2e63efbb1fdff9f70747660d0789977ef8332c9ecbae143df11cdfa3f179afc8928f9471c4d144c554db1eb50b0aa942a3afd643391dee8f9398585bbe6e9c0bf563ec5e99c2f954fa010746da0db06424cf8ed1061d4f3ca26377455ba4bc5fb080bb31e00b54015c161d724ed52a6947d11b667e5f016ef135916be02efeb045d81627b5c58bc2da53", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2009-11-18 
10:00:00", + "ValidTo": "2019-03-18 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", - "ValidFrom": "2007-02-05 09:00:00", - "ValidTo": "2014-01-27 09:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G2", + "ValidFrom": "2011-08-02 10:00:00", + "ValidTo": "2019-08-02 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, serialNumber=001030216, ??=US, ??=Massachusetts, C=US, ST=MA, L=North Andover, ??=120 Water St, O=eSupport.com, Inc., CN=eSupport.com, Inc.", + "ValidFrom": "2015-09-22 15:11:47", + "ValidTo": "2018-09-22 15:11:47", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": 
"01000000000115372421a8", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121b5d4d579fe52c475c01e3da626487f05", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G2" } ] } @@ -53009,26 +38314,27 @@ } ], "Tags": [ - "OpenLibSys.sys" - ] + "Agent64.sys" + ], + "yara": true }, { - "Id": "04d377f9-36e0-42a4-8d47-62232163dc68", + "Id": "f7f88ef4-ada4-4210-a40d-9d84142ef0fb", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-03-04", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create iomem64.sys binPath=C:\\windows\\temp\\iomem64.sys type=kernel && sc.exe start iomem64.sys", - "Description": "", + "Command": "sc.exe create 7.sys binPath=C:\\windows\\temp\\7.sys type=kernel && sc.exe start 7.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" ], "Acknowledgement": { "Person": "", 
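Review bot: The certificate Subject and Issuer strings on the new side look mangled: `OU=GlobalSign Root CA , R3`, `O=GlobalSign nv,sa` and `CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G2` read as if every `-` in the real DN (`GlobalSign Root CA - R3`, `GlobalSign nv-sa`, `... CA - SHA256 - G2`) was replaced by ` , ` or `,`, and the `??=` attributes on the eSupport.com subject appear to be OIDs the DN printer could not name. Anyone comparing `Signer.Issuer` or a `Subject` against what certutil/signtool prints from the actual binary will get no match, and the same artifact is present on the removed OpenLibSys lines, so it is presumably inherited from the upstream export rather than introduced here. I would still make the consumer's contract explicit so nobody keys a detection on DN text, e.g. a comment at the loader in this package: `// Upstream normalises '-' in certificate DNs to ', '; match on Signer.SerialNumber and Authentihash, never on Subject/Issuer text.` The Agent64.sys record this hunk belongs to starts outside the hunk.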
@@ -53037,52 +38343,60 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "iomem64.sys", - "MD5": "0898af0888d8f7a9544ef56e5e16354e", - "SHA1": "4b009e91bae8d27b160dc195f10c095f8a2441e1", - "SHA256": "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4", + "Filename": "7.sys", + "MD5": "dc564bac7258e16627b9de0ce39fae25", + "SHA1": "0291d0457acaf0fe8ed5c3137302390469ce8b35", + "SHA256": "6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1", "Signature": [ - "DT RESEARCH, INC. TAIWAN BRANCH", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", "Publisher": "", - "Company": "DT Research, Inc.", - "Description": "DTR Kernel mode driver", - "Product": "iomem.sys", - "ProductVersion": "2.3.0.0", - "FileVersion": "2.3.0.0", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "iomem.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "9b6609bd5d9d8de37273fe2d355ae349", - "SHA1": "4bf9ce7ffca224020572af6c13e866d8d41ad5bf", - "SHA256": "46ffe559f5a8f6bd611ac5a9264edf92d8449d8d31b2ddf6b2add5971e309c56" + "MD5": "f147f4f5f6dcaf5d0e5481418ef02c42", + "SHA1": "e31276554b012178dc6fb06c7f44b6241d48f8a7", + "SHA256": "3325f541c9930a321930853e0d7f0f4c35ba99f99a97bfe275c60248957720fb" }, - "InternalName": "iomem.sys", - "Copyright": "DT Research Inc. 
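Review bot: The new 7.sys record's `Resources` array ends with an empty string as its second element, which a consumer rendering references will emit as a blank link; drop it so the array reads `"Resources": ["https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware"]`. In the same hunk the Agent64.sys record gains `"yara": true` as a real JSON boolean while `"Verified": "TRUE"` on the next record stays a string, so two boolean-ish fields in one document now need two different decodings; pick one representation. Note also that `Category` becomes `"malicious"` for a record whose `Commands.Command` is still the generic `sc.exe create 7.sys ... && sc.exe start 7.sys` recipe — if the category is meant to separate abusable-legitimate drivers from outright malware, the consumer presumably should not present that line as a usable LOLDriver technique.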
All Rights Reserved.", + "InternalName": "", + "Copyright": "", "Imports": [ + "NETIO.SYS", + "ntoskrnl.exe", + "WDFLDR.SYS", + "ntoskrnl.exe", + "HAL.dll", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "MmUnmapIoSpace", - "KeEnterCriticalRegion", - "MmFreeNonCachedMemory", - "MmMapIoSpace", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "MmAllocateNonCachedMemory", - "IoCreateDevice", - "KeBugCheckEx", - "KeLeaveCriticalRegion", - "IofCompleteRequest", - "IoDeleteSymbolicLink", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "WskCaptureProviderNPI", + "RtlFreeAnsiString", + "WdfVersionBindClass", + "_stricmp", + "KeQueryPerformanceCounter", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -53090,123 +38404,214 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taipei, L=Zhongzheng, O=DT RESEARCH, INC. TAIWAN BRANCH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=DT RESEARCH, INC. TAIWAN BRANCH", - "ValidFrom": "2012-11-28 00:00:00", - "ValidTo": "2014-02-27 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
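Review bot: The 7.sys sample's `Imports` array lists `ntoskrnl.exe` three times and `HAL.dll` twice, and `ImportedFunctions` lists `KeQueryPerformanceCounter` twice; if these arrays feed name-based matching or are displayed, deduplicate them at generation time rather than shipping the repeats. The more important point for anyone consuming this record is the `Signature` chain `Microsoft Windows Hardware Compatibility Publisher` -> `Microsoft Windows Third Party Component CA 2014` -> `Microsoft Root Certificate Authority 2010`: this is an attestation-signed driver, so it passes Driver Signature Enforcement and any allowlist keyed on the Microsoft publisher, and detection has to key on the `SHA256`/`Authentihash` values here rather than on the signer. That caveat is worth carrying in the record's `Description` (set earlier in this commit, outside this hunk), e.g. `Driver categorized as POORTRY by Mandiant; WHCP attestation-signed, so signer-based allowlisting does not block it - match on hash.` The KnownVulnerableSamples entry continues past the end of this hunk.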
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "79666acda698ffe7bb2f8c23ade9d57d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + 
"SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "7.sys" + ], + "yara": false + }, + { + "Id": "13973a71-412f-4a18-a2a6-476d3853f8de", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create AMDRyzenMasterDriver.sys binPath=C:\\windows\\temp\\AMDRyzenMasterDriver.sys type=kernel && sc.exe start AMDRyzenMasterDriver.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d.yara" }, { - "Filename": "iomem64.sys", - "MD5": "f1e054333cc40f79cfa78e5fbf3b54c2", - "SHA1": "6003184788cd3d2fc624ca801df291ccc4e225ee", - "SHA256": "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097", - "Signature": [ - "DT RESEARCH, INC. 
TAIWAN BRANCH", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "DT Research, Inc.", - "Description": "DTR Kernel mode driver", - "Product": "iomem.sys", - "ProductVersion": "2.2.0.0", - "FileVersion": "2.2.0.0", - "MachineType": "AMD64", - "OriginalFilename": "iomem.sys", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "f16b44cca74d3c3645e4c0a6bb5c0cb9", + "SHA1": "eceb51233f013e04406da11482324d45e70281c7", + "SHA256": "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d", "Authentihash": { - "MD5": "91896c53af5ab967f7f131285354e4ac", - "SHA1": "7eec42b3027252dea4c777bbdbd47560bc179986", - "SHA256": "57d36936fbf8785380536b03e5d9be172e5dd5c3bf435e19875a80aa96f97e1f" + "MD5": "56d3a74361bd38be9c8ee476f0063f16", + "SHA1": "8facd7c1efbfb3b44cde04cc1b9a1f24d171c2b8", + "SHA256": "ab1c74ed1ea4fc7a613aa22fd87ee4251ede260862fdebde2d7d2f00c0f23371" }, - "InternalName": "iomem.sys", - "Copyright": "DT Research Inc. All Rights Reserved.", + "Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + "InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.3.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.3.0.0", + "Copyright": "Copyright © 2018 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "MmUnmapIoSpace", - "KeEnterCriticalRegion", - "MmFreeNonCachedMemory", + "KeLeaveCriticalRegion", "MmMapIoSpace", - "RtlInitUnicodeString", + "MmUnmapIoSpace", + "IofCompleteRequest", "IoCreateSymbolicLink", - "MmAllocateNonCachedMemory", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetSystemRoutineAddress", + "ZwClose", + "ZwSetSecurityObject", + "IoDeviceObjectType", "IoCreateDevice", - "KeBugCheckEx", - "KeLeaveCriticalRegion", - "IofCompleteRequest", - "IoDeleteSymbolicLink", + "KeEnterCriticalRegion", + 
"RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "strncmp", "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalGetBusDataByOffset", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=DT RESEARCH, INC. TAIWAN BRANCH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=DT RESEARCH, INC. TAIWAN BRANCH", - "ValidFrom": "2012-01-18 00:00:00", - "ValidTo": "2013-01-17 23:59:59", - "Signature": "b8ae271018c3961846bf8143d1fc6ab9ce843d08c492ac7d179086c44a9453bc00ccfaeb638fce7fef3b83104a060a2e3284f63818f0798ae33db982098c7f4bcff265294f27248dd5874243e55451a30061fff3f1a9e78ca0aadabd376ec0d20176e731df3655c1328763c8fc2cae631e33abcc244a829cebb7bdf54eaf41fc2a63ba2671896ae6371792f40af06b9ac5de4b34837e7b85676eca74761b6e6872be25f14fda20ddd845b155e290b909a3c84329aded0d04a0a79843d71035467c61a72f66668e7941d69c1e2c69c8c2bc4a09243472bcbcec9af16ee4b286109325935364790810d40a59d7ef5758ef9e9444e2623977329efd8c5d38431af7", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Bellevue, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.", + "ValidFrom": "2016-04-04 00:00:00", + "ValidTo": "2019-04-04 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", 
@@ -53214,821 +38619,755 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "215c8fa3dc44a29e86e5e59bd239b3c8", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "5ca430e4777412a8230bf839f782d4f7", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] - } - ], - "Tags": [ - "iomem64.sys" - ] - }, - { - "Id": "d819bee2-3bff-481f-a301-acc3d1f5fe58", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Se64a.sys binPath=C:\\windows\\temp\\Se64a.sys type=kernel && sc.exe start Se64a.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "Se64a.sys", - "MD5": "0a6a1c9a7f80a2a5dcced5c4c0473765", - "SHA1": "33285b2e97a0aeb317166cce91f6733cf9c1ad53", - "SHA256": "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc", - "Signature": [ - "EnTech Taiwan", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - 
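Review bot: The new AMDRyzenMasterDriver.sys record has a different shape from every other record in this file: `Commands` is a bare string with `Description`, `Usecase`, `Privileges` and `OperatingSystem` hoisted to record level, `Description` and `Acknowledgement.Person` are empty arrays instead of strings, the sample key is `FileName` rather than `Filename`, and `CertificatesInfo` is `[]` rather than `""`. A typed decoder (this lives under `pkg/`, so presumably a Go struct through encoding/json) fails the whole file on the first type mismatch - a string where an object is expected - or silently zeroes the field if decoded loosely, and `FileName` only survives because encoding/json matches keys case-insensitively. Normalise the record to the common shape before shipping, e.g. `"Commands": {"Command": "sc.exe create AMDRyzenMasterDriver.sys binPath=C:\\windows\\temp\\AMDRyzenMasterDriver.sys type=kernel && sc.exe start AMDRyzenMasterDriver.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10"}` with `"Description": ""`, `"Person": ""` and `"Filename": "AMDRyzenMasterDriver.sys"`. Better still, add a schema check in the generator so a record that deviates from the common shape is rejected instead of committed. The AMD record continues past the end of this hunk.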
"GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "EnTech Taiwan", - "Description": "EnTech softEngine x64 kernel-mode driver", - "Product": "softEngine-x64", - "ProductVersion": "2.1", - "FileVersion": "1.1", - "MachineType": "AMD64", - "OriginalFilename": "se64a.sys", + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "130c5aec46bdec8d534df7222d160fdb", + "SHA1": "fac870d438bf62ecd5d5c8c58cc9bfda6f246b8b", + "SHA256": "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880", "Authentihash": { - "MD5": "46f46abcb9e3ba747c2a2904babe38c0", - "SHA1": "a4e8e3268569acc0a0b3f6eada713c0fa8825463", - "SHA256": "04cfb452e1ac73fb2f3b8a80d9f27e19a344a6bf0f74c7f9cae3ae82d3770195" + "MD5": "baad4335bf64311b512e159d47cfb3c7", + "SHA1": "dbfd5f346b6117941139006b9c7d88a4d9a6b04f", + "SHA256": "679de7449908838c031db59234cb4f482fbf5d27d7e02d0c30d5ad9d2f36495f" }, - "InternalName": "se64a.sys", - "Copyright": "Copyright (c) EnTech Taiwan, 2004-2006.", + "Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + "InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.5.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.5.0.0", + "Copyright": "Copyright © 2020 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwOpenSection", - "RtlInitUnicodeString", - "DbgPrint", + "KeLeaveCriticalRegion", + "MmMapIoSpace", + "MmUnmapIoSpace", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "RtlCopyMemory", - "ObReferenceObjectByHandle", - "KeEnterCriticalRegion", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoCreateDevice", - "ZwMapViewOfSection", - "KeLeaveCriticalRegion", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + 
"IoFreeMdl", + "MmGetSystemRoutineAddress", "ZwClose", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "KeEnterCriticalRegion", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=TW, O=EnTech Taiwan, CN=EnTech Taiwan, emailAddress=support@entechtaiwan.com", - "ValidFrom": "2006-09-25 13:13:42", - "ValidTo": "2007-09-25 13:13:42", - "Signature": "739a954688a5bb20b2eb536c3f48cd6e12268b1f20d7c8919b33fe01a7bce0f1b635aa818464902885ff85b54359fc618e27daed7251ddd7b69aadfa93934e4984a4df006169520d8153e467cdda6346d13de5534c458dc65d8cee53d40449ddf07c0141baaf5c5027a3ffa82282697be813b8bfd97f2ba1ca2cfb12a20c6962e5bd556fb794d67bd6d3d6f8db113a64833073294431ed9bfa94dd7d62ec07c6093c7fbdba8663fcff1b5d8c6f6322d236abfacc681f9aaf5711fb415e1622d125175ea225f785983e05f56cd7f3dede31c4faea8272570ea3079a8085a8333d348780b35d671479caef0f7d1c23da8bf317ca12b50da33f87f24a4c1b9766b5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., 
CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": 
"2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices INC., CN=Advanced Micro Devices INC.", + "ValidFrom": "2019-02-13 00:00:00", + "ValidTo": "2022-02-13 23:59:59", + "Signature": "8c521a9a934b3e45eaccd7ed8e301606b9e25215b4914181c8dfb5226b0e0e96df11e24e5d5985637b0ed21b121b6b46cc448cea697a0cb62faccc7cd5ec515797e424cf9e28634da84b95fa2eef52f8b9cc0752b6a161bae0be9f4924d7fd9a8fe5443177f16025dbf020287184581d3b1eed67fa369b80eb66cb70050089965da0bf36d68dd303738ac99edff5b7943ce863c4f3b2833a04576e6a28555c630d91bd4ea9f0ca41c0d97b07240c1059bc4a6cbe58276fede21f22de0ec57efe20b33ee4b2bb35cbfb1e5590193aa35368e728a09d27c3bf8e84815c66e092b91e63d025665756aa8e73f847b5506e6b118dde05bf7d72547ec2146d8b9dec80", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000010de51c0971", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] - } - ], - "Tags": [ - "Se64a.sys" - ] - }, - { - "Id": "db666d40-c9fa-4039-bfac-a5d7afd61b67", - "Author": "Wack0", - "Created": "2023-04-22", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BEDaisy.sys binPath=C:\\windows\\temp\\BEDaisy.sys type=kernel && sc.exe start BEDaisy.sys", - "Description": "BattlEye Anti-Cheat BEDAISY.SYS PPL privesc.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/magicsword-io/LOLDrivers/issues/23", - "https://infosec.exchange/@Rairii/109310279380973806" - ], - "Acknowledgement": { - "Person": "Wack0", - "Handle": "Wack0" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "BEDAISY.SYS", - "MD5": "7475bfea6ea1cd54029208ed59b96c6b", - "SHA1": "fff7ee0febb8c93539220ca49d4206616e15c666", - "SHA256": "2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797", - "Signature": "", - "Date": "", - "Publisher": 
"", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "013719e840e955c2e4cd9d18c94a2625", + "SHA1": "b74338c91c6effabc02ae0ced180428ab1024c7d", + "SHA256": "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194", "Authentihash": { - "MD5": "85751ed97dcd3096b4b5ee6f66109551", - "SHA1": "7131f7da22882656c5e22ec033bb95e29273f182", - "SHA256": "35a12d81f7062a22644b500d91b1603b4f97756ad165c3ea571e7fef55c24162" + "MD5": "008ebc7b97c6e3c036bc3d51e4166027", + "SHA1": "f0a89a5719eff19884d6674bd60c1249876e71b9", + "SHA256": "ddc5ff33a19baf1630a92723b5d0103fcc9ca58ee2a548526b9439eec3c97fe8" }, - "InternalName": "", - "Copyright": "", + "Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + "InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.1.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.1.0.0", + "Copyright": "Copyright © 2017 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ - "FLTMGR.SYS", - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "FltGetRoutineAddress", - "MmGetSystemRoutineAddress", - "__C_specific_handler", - "__chkstk", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmBuildMdlForNonPagedPool", "MmMapLockedPagesSpecifyCache", - "KeBugCheckEx" + "MmUnmapLockedPages", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetSystemRoutineAddress", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "ZwSetSecurityObject", + "ZwClose", + "KeLeaveCriticalRegion", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + 
"RtlLengthSecurityDescriptor", + "_snwprintf", + "RtlCreateSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlSetDaclSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "ZwOpenKey", + "ZwQueryValueKey", + "RtlFreeUnicodeString", + "ZwSetValueKey", + "ZwCreateKey", + "KeBugCheckEx", + "KeEnterCriticalRegion", + "KeDelayExecutionThread", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlGetOwnerSecurityDescriptor", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=DE, ST=Baden,W??rttemberg, L=Reutlingen, O=BattlEye Innovations e.K., CN=BattlEye Innovations e.K.", - "ValidFrom": "2018-11-09 00:00:00", - "ValidTo": "2019-12-31 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": 
"2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", + "ValidFrom": "2016-06-16 00:00:00", + "ValidTo": "2019-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "060323c3204df4501ea15b73390dd856", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "bedaisy.sys" - ] - }, - { - "Id": "d827f7a6-1832-4ddb-90dd-7a8cf1c7f25e", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create LcTkA.sys binPath=C:\\windows\\temp\\LcTkA.sys type=kernel && sc.exe start LcTkA.sys", - "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR 
processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. ", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "LcTkA.sys", - "MD5": "909f3fc221acbe999483c87d9ead024a", - "SHA1": "b2f955b3e6107f831ebe67997f8586d4fe9f3e98", - "SHA256": "c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "aa12c1cb47c443c6108bfe7fc1a34d98", + "SHA1": "88d00eff21221f95a0307da229bc9fe1afb6861b", + "SHA256": "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a", "Authentihash": { - "MD5": "b663d79a688800d84065ccc2809874b7", - "SHA1": "46a9d9e9904ba5f4c011ad69d0795969c721c662", - "SHA256": "675329ef7a63a7c58d3daa6cb5c6e299143decec7a149c36a6bfe204bbf0407e" + "MD5": "daaff8865677433e85f79ac4ceb6be54", + "SHA1": "588d359fa0e976507d2bad89a24de2d3dab34b64", + "SHA256": "0ad2d2fe1b16e42f43788dae1f0f45031b5025ef6bcc52360e18812820682f04" }, - "InternalName": "", - "Copyright": "", + "Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + 
"InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.0.0", + "Copyright": "Copyright © 2017 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll", - "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeEvent", - "HalReturnToFirmware", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmBuildMdlForNonPagedPool", "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", + "MmUnmapLockedPages", + "IoAllocateMdl", "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", + "MmGetSystemRoutineAddress", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "ZwSetSecurityObject", + "ZwClose", + "KeLeaveCriticalRegion", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "_snwprintf", + "RtlCreateSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlSetDaclSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "ZwOpenKey", + "ZwQueryValueKey", + "RtlFreeUnicodeString", + "ZwSetValueKey", + "ZwCreateKey", + "KeBugCheckEx", + "KeEnterCriticalRegion", + "KeDelayExecutionThread", "DbgPrint", - "KeQueryPerformanceCounter" + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlGetOwnerSecurityDescriptor", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + 
"WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", + "ValidFrom": "2016-06-16 00:00:00", + "ValidTo": "2019-07-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa 
(c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "LcTkA.sys" - ] - }, - { - "Id": "9748d5c8-62dd-474b-a336-0aadb49e5ff9", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create daxin_blank3.sys binPath=C:\\windows\\temp\\daxin_blank3.sys type=kernel && sc.exe start daxin_blank3.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "daxin_blank3.sys", - "MD5": "bd5b0514f3b40f139d8079138d01b5f6", - "SHA1": "73bac306292b4e9107147db94d0d836fdb071e33", - "SHA256": "7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376", - "Signature": "Unsigned", - "Date": "12:54 AM 11/18/2009", - "Publisher": "n/a", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "0490f5961e0980792f5cb5aedf081dd7", + "SHA1": "4786253daac6c60ffc0d2871fdd68023ec93dfb3", + "SHA256": "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f", "Authentihash": { - "MD5": "800a604e6039d6dc93d68d116c38b640", - "SHA1": "75670f26e2df371741e8832012e06fdcd179b64c", - "SHA256": "afb9e6b70f707149e7243e41ffafbdda463da9a890c56091c454df60608efa0f" + "MD5": "74e9ae3f89ff8fcf94f0407f7b94f680", + "SHA1": "4fce761086a78302bf6409d4be2c057e3389210d", + "SHA256": "192a27335de23a008c05efe24ea1fa0f633dd8ddc68d904466e4e2741a0bb645" }, - "InternalName": "", - "Copyright": "", + 
"Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + "InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.2.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.2.0.0", + "Copyright": "Copyright © 2017 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ - "NTOSKRNL.EXE", - "HAL.DLL", "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapLockedPagesSpecifyCache", - "ZwClose", + "MmMapIoSpace", + "MmUnmapIoSpace", "IofCompleteRequest", - "KeResetEvent", - "InterlockedIncrement", - "KeSetEvent", - "InterlockedDecrement", - "RtlUnicodeStringToInteger", - "RtlInitUnicodeString", - "KeInitializeEvent", - "wcsncmp", - "wcscat", - "wcslen", - "wcscpy", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", "IoAllocateMdl", - "strlen", - "RtlCompareUnicodeString", "IoFreeMdl", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmUnmapLockedPages", - "RtlFreeUnicodeString", - "ZwWriteFile", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "strcat", - "ZwReadFile", - "ZwQueryInformationFile", - "strncmp", - "_wcsnicmp", - "strcmp", - "_stricmp", "MmGetSystemRoutineAddress", - "ZwQueryValueKey", - "ZwOpenKey", - "IoCreateFile", - "KeWaitForMultipleObjects", - "strcpy", - "RtlUnwind", - "vsprintf", - "KeWaitForSingleObject", - "KeDelayExecutionThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "ObReferenceObjectByHandle", - "ExFreePool", - "KeInitializeSpinLock", - "KeTickCount", - "memset", - "memcpy", - "MmMapLockedPages", - "ExAllocatePoolWithTag", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "PsGetVersion", - "ZwTerminateProcess", - "ZwOpenProcess", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "RtlLengthSid", - 
"RtlCreateSecurityDescriptor", - "ZwWaitForSingleObject", - "NtFsControlFile", - "NtWriteFile", - "NtReadFile", - "RtlLengthRequiredSid", - "RtlImageDirectoryEntryToData", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "PsLookupProcessByProcessId", - "KeAttachProcess", - "KeDetachProcess", - "PsLookupThreadByThreadId", - "KeInitializeApc", - "KeInsertQueueApc", - "ZwOpenFile", - "ZwDeviceIoControlFile", - "PsThreadType", - "NtQuerySystemInformation", - "NdisAllocateMemory", - "NdisAllocatePacket", - "NdisCopyFromPacketToPacket", - "NdisFreePacket", - "NdisAllocateBuffer", - "NdisDeregisterProtocol", - "NdisRegisterProtocol", - "NdisAllocateBufferPool", - "NdisAllocatePacketPool", - "NdisFreeBufferPool", - "NdisFreePacketPool", - "NdisFreeMemory" - ], - "Signatures": {} - } - ], - "Tags": [ - "daxin_blank3.sys" - ] - }, - { - "Id": "bd7e78db-6fd0-4694-ac38-dbf5480b60b9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsIO.sys binPath=C:\\windows\\temp\\AsIO.sys type=kernel && sc.exe start AsIO.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsIO.sys", - "MD5": "1dc94a6a82697c62a04e461d7a94d0b0", - "SHA1": "b97a8d506be2e7eaa4385f70c009b22adbd071ba", - "SHA256": "2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": 
"", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "9fd03554246c6c74c232919c680d7be8", - "SHA1": "b25550309c902a21b03367ae27694c5a29b891b5", - "SHA256": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "IoDeleteSymbolicLink", "ZwClose", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", - "IoCreateSymbolicLink", + "ZwSetSecurityObject", + "IoDeviceObjectType", "IoCreateDevice", - "IofCompleteRequest", + "ObOpenObjectByPointer", + "KeLeaveCriticalRegion", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "KeEnterCriticalRegion", "KeDelayExecutionThread", - "HalTranslateBusAddress" + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlGetDaclSecurityDescriptor", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": 
"2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, ST=California, L=Sunnyvale, O=Advanced Micro Devices, Inc., CN=Advanced Micro Devices, Inc.", + "ValidFrom": "2016-06-16 00:00:00", + "ValidTo": "2019-07-16 
23:59:59", + "Signature": "a7e55605825dfbd1b68d884b19685d8a578891d427b776f584d93b0ee66a7f2bace57691884dd480e47dceba8506dcf432f8341e99b87c76751ccbf7086d570de39d83b1770c21ba699169bdff0645659289bcf989329ee0e187064e774dc338f9112edc66c104a6237e1687974a89b00e9e6e428b1581a769ca7b1cd017c317509ecdb2ce1ff410e80d91d167437d9d93efe9e103bb0d513bb821ceda37550bfaae4160fa445ba09afe9141bf45b44a28f80e5d32edc5ac63b27139b0264d7c80e58c1d1b12f47f9fe8f8d673d7b2fbf5acd023fe3ff8a3504d5cfe6c89edbbfc819dea2974720785e0463eb7d99aafea40178b942aeea5dcb91dff62610930", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": 
"812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 
2009,2 CA" + "SerialNumber": "72dcd35b1dbbf28f0f9848ec766a1bdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "AsIO.sys", - "MD5": "798de15f187c1f013095bbbeb6fb6197", - "SHA1": "92f251358b3fe86fd5e7aa9b17330afa0d64a705", - "SHA256": "436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "AMDRyzenMasterDriver.sys", + "MD5": "0be5c6476dd58072c93af4fca62ee4b3", + "SHA1": "5f8ae70b25b664433c6942d5963acadf2042cfe8", + "SHA256": "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5", "Authentihash": { - "MD5": "7bb2dcc29ba50372d08fea800c190f09", - "SHA1": "e5c090903a20744ba3583a8ea684d035e8cecc34", - "SHA256": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3" + "MD5": "85f5af5f7200c76440823c16a70b2093", + "SHA1": "2f550bc5f89e2291f669b8a2d1910086bbea7532", + "SHA256": "207b6cea0c9f7e94a912b388d5e9f7ace3b6405114f64bcc425042a09170fcac" }, - "InternalName": "", - "Copyright": "", + "Description": "AMD Ryzen Master Service Driver", + "Company": "Advanced Micro Devices", + "InternalName": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AMDRyzenMasterDriver.sys", + "FileVersion": "1.4.0.0", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.4.0.0", + "Copyright": "Copyright © 2019 AMD, Inc.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwClose", + "KeLeaveCriticalRegion", + 
"MmMapIoSpace", + "MmUnmapIoSpace", + "IofCompleteRequest", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", - "IoCreateSymbolicLink", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetSystemRoutineAddress", + "ZwClose", + "ZwSetSecurityObject", + "IoDeviceObjectType", "IoCreateDevice", - "IofCompleteRequest", + "KeEnterCriticalRegion", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeDelayExecutionThread", - "HalTranslateBusAddress" + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 
00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices 
INC., CN=Advanced Micro Devices INC.", + "ValidFrom": "2019-02-13 00:00:00", + "ValidTo": "2022-02-13 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "Filename": "AsIO.sys", - "MD5": "1392b92179b07b672720763d9b1028a5", - "SHA1": "8b6aa5b2bff44766ef7afbe095966a71bc4183fa", - "SHA256": "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], + "Filename": "AMDRyzenMasterDriver.sys", + "MD5": "067166e788da08b77219430484563388", + "SHA1": "cec887f20ab468caa1c99fcbe7fbdfab25fadf39", + "SHA256": "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a", + "Signature": "", "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "Advanced Micro Devices", + "Description": "AMD Ryzen Master Service Driver", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "2.0.0.0", + "FileVersion": "2.0.0.0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "AMDRyzenMasterDriver.sys", "Authentihash": { - "MD5": "1e97ead4c5049f8fefe2b72edd5fa90e", - "SHA1": "2a95f882dd9bafcc57f144a2708a7ec67dd7844c", - "SHA256": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057" + "MD5": "45f319f266b7bb1892bbaa157cebb6bc", + "SHA1": 
"e37c6aa2630fa3ccb3ee7d219a7332cce95fa11f", + "SHA256": "a076e66065161bdca4680f0f3a3d0767a25c344fa25cc64473f4ef4f926898ef" }, - "InternalName": "", - "Copyright": "", + "InternalName": "AMDRyzenMasterDriver.sys", + "Copyright": "Copyright © 2022 AMD, Inc.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", + "KeLeaveCriticalRegion", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "IofCompleteRequest", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "PsGetCurrentProcessId", + "PsGetProcessImageFileName", + "MmMapIoSpace", + "MmUnmapIoSpace", + "KeEnterCriticalRegion", "ZwClose", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", - "IoCreateSymbolicLink", + "ZwSetSecurityObject", + "IoDeviceObjectType", "IoCreateDevice", - "IofCompleteRequest", + "ObOpenObjectByPointer", + "RtlGetDaclSecurityDescriptor", "KeDelayExecutionThread", - "HalTranslateBusAddress" + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "RtlGetVersion", + "DbgPrint", + "MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", + "DbgPrintEx", + "RtlInitUnicodeString", + "strncmp", + "RtlGetGroupSecurityDescriptor", + "strcpy_s", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], "Signatures": [ { 
@@ -54036,98 +39375,240 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.", + "ValidFrom": "2021-05-11 00:00:00", + "ValidTo": "2024-05-10 23:59:59", + "Signature": "8444e268ff381c9148985f408e5cc1453a560c9dd94d2a6cfa01dd7f2adc8af633053d2c79027db4f185f477b0d5db8b362b37dbd0d258823831ace7058baf3feb80a9eb2de9dd886bcf390fae9b586fc833e63db5c6a07019f35a9fce6899502852737b32d25ea7832c3786df0642d21622e56c0b0171e96f9520d07f73950376ff555bcf9c8a55bf4f86c088b58e2cb625a0ef4680ed7281f09a40c7be9f69cba77a6967030e39b2cfa46692698ced9e5347dd7056b476545c3442f934cb2c30cb986afabd29a9a9e2eb28c5bd6ee47dabf5ef587f850ea49b124eb868aac68de949616d08f875192b93388549c7327a3ef085e287d5a743810c151b250c64", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA", + "ValidFrom": "2018-11-02 00:00:00", + "ValidTo": "2030-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority", + "ValidFrom": "2015-07-22 21:03:49", + "ValidTo": "2025-07-22 21:03:49", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", + "ValidFrom": "2022-03-23 00:00:00", + "ValidTo": "2037-03-22 23:59:59", + "Signature": 
"7d598ec093b66f98a94422017e66d6d82142e1b0182e104d13cf3053cebf18fbc7505de24b29fb708a0daa2969fc69c1cf1d07e93e60c8d80be55c5bd76d87fa842025343167cdb612966fc4504c621d0c0882a816bda956cf15738d012225ce95693f4777fb727414d7ffab4f8a2c7aab85cd435fed60b6aa4f91669e2c9ee08aace5fd8cbc6426876c92bd9d7cd0700a7cefa8bc754fba5af7a910b25de9ff285489f0d58a717665daccf072a323fac0278244ae99271bab241e26c1b7de2aebf69eb1799981a35686ab0a45c9dfc48da0e798fbfba69d72afc4c7c1c16a71d9c6138009c4b69fcd878724bb4fa349b9776691f1729ce94b0252a7377e9353ac3b1d08490f94cd397addff256399272c3d3f6ba7f166c341cd4fb6409b212140d0b71324cddc1d783ae49eade5347192d7266be43873aba6014fbd3f3b78ad4cadfbc4957bed0a5f33398741787a38e99ce1dd23fd1d28d3c7f9e8f1985ffb2bd87ef2469d752c1e272c26db6f157b1e198b36b893d4e6f2179959ca70f037bf9800df20164f27fb606716a166badd55c03a2986b098a02bed9541b73ad5159831b462090f0abd81d913febfa4d1f357d9bc04fa82de32df0489f000cd5dc2f9d0237f000be4760226d9f0657642a6298709472be67f1aa4850ffc9896f655542b1f80fac0f20e2be5d6fba92f44154ae7130e1ddb37381aa12bf6edd67cfc", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2022 , 2", + "ValidFrom": "2022-03-29 00:00:00", + "ValidTo": "2033-03-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": 
"535091e6cab13af393b51ead0825f627", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" } ] } ] + } + ], + "Tags": [ + "AMDRyzenMasterDriver.sys" + ], + "yara": true + }, + { + "Id": "3e0bf6dc-791b-4170-8c40-427e7299d93d", + "Author": "Paul Michaud", + "Created": "2023-05-12", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create KfeCo10X64.sys binPath=C:\\windows\\temp\\KfeCo10X64.sys type=kernel && sc.exe start KfeCo10X64.sys", + "Description": "Killer exposes COM interfaces that allow non-privileged users 1) to block network for any process 2) to manage any service in the OS. Killer is preinstalled to laptops equipped with Intel Killer NICs (e.g. Dell). Since Intel patched the vulnerability quietly, it's not clear which version is safe. Also, it is unclear which OEMs are affected. Dell is definitely in the list, but it is likely that other vendors with Killer NICs on board, such as Acer and MSI, are affected too. Some users think that Killer suite is required for the NIC to work properly, so they install it even after a fresh Windows install. 
This version is confirmed vulnerable based on the script usage from zwclose.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://zwclose.github.io/2023/04/18/killer2.html", + "https://twitter.com/zwclose/status/1648441215808049153", + "https://zwclose.github.io/2022/12/18/killer1.html" + ], + "Acknowledgement": { + "Person": "zwclose", + "Handle": "zwclose" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704.yara" }, { - "Filename": "AsIO.sys", - "MD5": "fef9dd9ea587f8886ade43c1befbdafe", - "SHA1": "af6e1f2cfb230907476e8b2d676129b6d6657124", - "SHA256": "dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "KfeCo10X64.sys", + "MD5": "697f698b59f32f66cd8166e43a5c49c7", + "SHA1": "f5d58452620b55c2931cba75eb701f4cde90a9e4", + "SHA256": "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704", + "Signature": "", "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - 
"ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "Rivet Networks, LLC.", + "Description": "Killer Traffic Control Callout Driver", + "Product": "Killer Traffic Control", + "ProductVersion": "9.7.4.11", + "FileVersion": "9.7.4.11", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "KfeCoDrv.sys", "Authentihash": { - "MD5": "9e7fb1f3c75f1f5e6769813c545643fc", - "SHA1": "86f07797273b7f0e0805d2add8c1a0be116eb88c", - "SHA256": "191689c53195dbe828f406b206cb167dcd4671ecdab32b80e01c885f706a6baf" + "MD5": "9085c42a59541dbd2e05fec9c247a189", + "SHA1": "c46323ef4fd5f553003a92fdad0d3059564e481f", + "SHA256": "8bce4a327c9e77631c03057b0e45cdbb2e751194d42995c0310e3ccdd3d33b7c" }, - "InternalName": "", - "Copyright": "", + "InternalName": "KfeCoDrv.sys", + "Copyright": "Copyright (C) 2015-2018 Rivet Networks, LLC.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "NDIS.SYS", + "fwpkclnt.sys", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwClose", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", + "EtwRegister", + "KeInitializeEvent", + "EtwUnregister", + "__C_specific_handler", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "RtlCopyUnicodeString", + "EtwSetInformation", + "EtwWriteTransfer", + "strstr", + "RtlCompareMemory", + "RtlIpv4StringToAddressA", + "KeAcquireInStackQueuedSpinLock", + "KeSetTimer", + "KeCancelTimer", + "KeInitializeTimer", + "KeSetPriorityThread", + "KeSetImportanceDpc", + "KeInsertQueueDpc", + "KeInitializeDpc", + "IoQueueWorkItem", + "IoFreeWorkItem", + "IoAllocateWorkItem", + "PsTerminateSystemThread", + "KeWaitForMultipleObjects", "KeDelayExecutionThread", - "HalTranslateBusAddress" + "KeClearEvent", + 
"RtlEthernetAddressToStringW", + "RtlRandomEx", + "ZwClose", + "PsCreateSystemThread", + "KeWaitForSingleObject", + "KeSetEvent", + "KeQueryInterruptTimePrecise", + "ExEventObjectType", + "ObReferenceObjectByHandle", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "MmProbeAndLockPages", + "ProbeForWrite", + "ProbeForRead", + "IoFreeMdl", + "IoAllocateMdl", + "MmBuildMdlForNonPagedPool", + "ObfDereferenceObject", + "memchr", + "RtlIpv6StringToAddressA", + "KeReleaseInStackQueuedSpinLockFromDpcLevel", + "KeAcquireInStackQueuedSpinLockAtDpcLevel", + "KeReleaseInStackQueuedSpinLock", + "KeInitializeSpinLock", + "NdisGetDataBuffer", + "NdisRetreatNetBufferDataStart", + "NdisAdvanceNetBufferDataStart", + "NdisCopySendNetBufferListInfo", + "NdisFreeNetBufferListPool", + "NdisAllocateNetBufferListPool", + "NdisFreeNetBufferPool", + "NdisAllocateNetBufferPool", + "NdisFreeGenericObject", + "NdisCopyReceiveNetBufferListInfo", + "NdisAllocateGenericObject", + "FwpsInjectTransportReceiveAsync0", + "FwpsQueryConnectionRedirectState0", + "FwpsRedirectHandleDestroy0", + "FwpsRedirectHandleCreate0", + "FwpsApplyModifiedLayerData0", + "FwpsAcquireWritableLayerDataPointer0", + "FwpsCompleteClassify0", + "FwpsPendClassify0", + "FwpsReleaseClassifyHandle0", + "FwpsAcquireClassifyHandle0", + "FwpsCalloutUnregisterByKey0", + "FwpsConstructIpHeaderForTransportPacket0", + "FwpsDereferenceNetBufferList0", + "FwpsReferenceNetBufferList0", + "FwpsInjectMacSendAsync0", + "FwpsInjectMacReceiveAsync0", + "FwpsAllocateCloneNetBufferList0", + "FwpsFreeNetBufferList0", + "FwpsAllocateNetBufferAndNetBufferList0", + "FwpmFilterDeleteById0", + "FwpsCalloutRegister3", + "FwpmFilterAdd0", + "FwpmCalloutDeleteByKey0", + "FwpmSubLayerDeleteByKey0", + "FwpmProviderContextDeleteByKey0", + "FwpsQueryPacketInjectionState0", + "FwpsInjectTransportSendAsync1", + "FwpsFreeCloneNetBufferList0", + "FwpsGetPacketListSecurityInformation0", + "FwpsFlowRemoveContext0", + "FwpsFlowAssociateContext0", + 
"FwpsCalloutUnregisterById0", + "FwpmCalloutAdd0", + "FwpmSubLayerAdd0", + "FwpmProviderAdd0", + "FwpmTransactionAbort0", + "FwpmTransactionCommit0", + "FwpmTransactionBegin0", + "FwpmEngineClose0", + "FwpmEngineOpen0", + "FwpsInjectionHandleDestroy0", + "FwpsInjectionHandleCreate0", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass", + "WdfVersionBind" ], "Signatures": [ { 
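Review bot: `"Signature": ""` on the new KfeCo10X64.sys sample types the field as a string, while the nvflash.sys sample added in the `@@ -54181,90 +39648,217 @@` hunk carries `"Signature": [ "NVIDIA Corporation", ... ]` and the fidpcidrv.sys samples there carry `"Signature": []`. A key whose JSON type varies between elements cannot be decoded into one statically typed field; if the Go struct behind pkg/loldrivers declares it as `string` or `[]string`, encoding/json returns an UnmarshalTypeError for whichever shape does not match, so either a single representation for "no signer recorded" should be emitted (`"Signature": []` matches the populated case) or the loader needs a custom UnmarshalJSON that accepts both. `CertificatesInfo` has the same problem elsewhere in this patch, appearing as both `""` and `[]`. The Signatures array opened on the last line of this hunk continues in the next one.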
@@ -54135,45 +39616,31 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Texas, L=Austin, O=Rivet Networks LLC, CN=Rivet Networks LLC", + "ValidFrom": "2020-06-26 00:00:00", + "ValidTo": "2021-07-01 12:00:00", + "Signature": 
"abf01f216d547fddd1906d605cee818c112ccb63b4102fe93cd215dcc3a619e51ac0cb95e094bd3f00091bd4c27de102be07fb3bf81da2ac84cecbd127bfa975a0cdf4f4e4b5ccc97a12613fe9c88c3cc71f9ce5e7142833e7ee728cacc9d28bde4c6533dd97f4083d884f5becfcde942a3934cd58f9590defaed7370382d7a318938b941d54b74a5015c1f6cbd69ce717a61e5171c3895ca5a5e5407e8f6aca5088caf373af711a575dc21995e949e2b8a32e91378a4f677a5ca39b6c3ccb2b95f8fe88e9c6437e37096adb5ccb67ac1270d155728de644876bc7571da01cad1b4df2cc3d7a4d4a14bf3082a48ed6feb7fc9180ad2df14aea246bf0bd8154cb", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2009-08-03 00:00:00", - "ValidTo": "2012-08-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 
Code Signing 2009,2 CA"
+ "SerialNumber": "0824024fda0b4b1b496eeeddfcff6e16",
+ "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA"
 }
 ]
 }
@@ -54181,90 +39648,217 @@ } ], "Tags": [ - "AsIO.sys" - ] + "KfeCo10X64.sys" + ], + "yara": true + }, + { + "Id": "e6338692-90e0-41b1-9481-a47e0df144ad", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create fidpcidrv.sys binPath=C:\\windows\\temp\\fidpcidrv.sys type=kernel && sc.exe start fidpcidrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "fidpcidrv.sys", + "SHA1": "08596732304351b311970ff96b21f451f23b1e25", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "fidpcidrv.sys", + "SHA1": "7838fb56fdab816bc1900a4720eea2fc9972ef7a", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "fidpcidrv.sys", + "SHA1": "4789b910023a667bee70ff1f1a8f369cffb10fe8", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "fidpcidrv.sys", + "SHA1": "eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec", + "Signature": [], + "Date": "", + 
"Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "fidpcidrv.sys" + ], + "yara": false }, { - "Id": "d9e00cc7-a8f4-4390-a6dc-0f5423e97da4", + "Id": "d55a5955-6220-4f38-ba7d-91339330fe98", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create mydrivers.sys binPath=C:\\windows\\temp\\mydrivers.sys type=kernel && sc.exe start mydrivers.sys", + "Command": "sc.exe create nvflash.sys binPath=C:\\windows\\temp \\n \\n \\n vflash.sys type=kernel && sc.exe start nvflash.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "mydrivers.sys", - "MD5": "507a649eb585d8d0447eab0532ef0c73", - "SHA1": "7859e75580570e23a1ef7208b9a76f81738043d5", - "SHA256": "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6", + "Filename": "nvflash.sys", + "MD5": "84fb76ee319073e77fb364bbbbff5461", + "SHA1": "a4b2c56c12799855162ca3b004b4b2078c6ecf77", + "SHA256": "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508", "Signature": [ - "Beijing Kingsoft Security software Co.,Ltd", + "NVIDIA Corporation", "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", "Publisher": "", - "Company": "MyDrivers.com", - "Description": "DriverGenius Hardware monitor", - "Product": "DriverGenius", - "ProductVersion": "2016.7.7.1214", - "FileVersion": "9.2.707.1214", - "MachineType": "I386", - "OriginalFilename": "mydrivers.sys", + "Company": "NVIDIA Corporation", + "Description": "NVIDIA Flash Driver, Version 1.8.0", + "Product": "NVIDIA Flash Driver", + "ProductVersion": "1.8.0", + "FileVersion": "1.8.0", + "MachineType": "AMD64", + "OriginalFilename": "nvflash.sys", "Authentihash": { - "MD5": "74a1e675b4fd736298bc24d082684b0e", - "SHA1": "c57e38ce02ba45c3ad886faff98fe346560b1f5e", - "SHA256": "a689804c4e6e9aa07d48f9c99b7a1be6b05cba1c632b1a083b8031f6e1651c28" + "MD5": "aa2051841a882c7080ddf6b224f838da", + "SHA1": "ee9073dedb3f05797de41f79be5cc2e5e5028b61", + "SHA256": "1c8cb72b9a011b60b1b9caea508b26fbbd95a1e3634af66082417381fe6544fb" }, - "InternalName": "HWM", - "Copyright": "Copyright MyDrivers.com all right", + "InternalName": "nvflash", + "Copyright": "(C) 2017 NVIDIA Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "WRITE_REGISTER_BUFFER_USHORT", - "WRITE_REGISTER_BUFFER_ULONG", + "ExFreePoolWithTag", "IofCompleteRequest", - "WRITE_REGISTER_BUFFER_UCHAR", - "IoCreateDevice", - "KeTickCount", - "MmMapIoSpace", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", - "MmUnmapIoSpace", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", "IoCreateSymbolicLink", "IoDeleteDevice", - "RtlUnwind", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ExAllocatePool", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "KeBugCheckEx", - "HalGetBusDataByOffset", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset" + "ObfDereferenceObject", + "RtlInitUnicodeString", + "MmGetSystemRoutineAddress", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "ZwSetSecurityObject", + "RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "_snwprintf", + "RtlCreateSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlSetDaclSecurityDescriptor", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "wcschr", + "ZwOpenKey", + "ZwQueryValueKey", + "RtlFreeUnicodeString", + "ZwSetValueKey", + "ZwCreateKey", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "HalTranslateBusAddress" ], "Signatures": [ { 
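Review bot: The `Command` value of the new nvflash.sys entry is corrupted: `binPath=C:\\windows\\temp \\n \\n \\n vflash.sys` has lost the `\\nvflash.sys` path segment, which looks like a `\n`-escape substitution in the exporter, so the field no longer follows the `binPath=C:\\windows\\temp\\<Filename>` shape every other entry in this patch uses; it should be regenerated from `Filename` so it reads `binPath=C:\\windows\\temp\\nvflash.sys`, and the exporter checked for the same substitution on other values. The two `Resources` entries of the fidpcidrv.sys entry are the same URL, one with a leading space (`" https://learn.microsoft.com/..."`), so naive de-duplication keeps both; trim and keep one. The four fidpcidrv.sys samples carry only `SHA1` and no `MD5`/`SHA256`/`Authentihash`, unlike every other sample in the patch, so a consumer that indexes by SHA256 will silently skip them; if that is intentional it deserves a note in the loader. The nvflash.sys sample's `Signatures` array opened on the last line of this hunk continues past it.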
@@ -54286,10 +39880,10 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=CN, ST=BeiJing, L=BeiJing, O=Beijing Kingsoft Security software Co.,Ltd, OU=OPS, CN=Beijing Kingsoft Security software Co.,Ltd",
- "ValidFrom": "2015-12-22 00:00:00",
- "ValidTo": "2017-02-19 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=IT,MIS, CN=NVIDIA Corporation",
+ "ValidFrom": "2018-07-09 00:00:00",
+ "ValidTo": "2019-07-10 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -54309,7 +39903,7 @@
 ],
 "Signer": [
 {
- "SerialNumber": "6e744ece6b39ec11594755543471d551",
+ "SerialNumber": "4fbe0a02426ebd20c26244b5eca652a3",
 "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
@@ -54318,26 +39912,28 @@ } ], "Tags": [ - "mydrivers.sys" - ] + "nvflash.sys" + ], + "yara": true }, { - "Id": "1ad765f9-6ea7-4c45-a964-6c21ad8a7c08", + "Id": "1bf3b155-752a-4cc7-beb0-f202e525eb1a", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-02-28", "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", + "Category": "malicious", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create WYProxy32.sys binPath=C:\\windows\\temp\\WYProxy32.sys type=kernel && sc.exe start WYProxy32.sys", - "Description": "", + "Command": "sc.exe create daxin_blank1.sys binPath=C:\\windows\\temp\\daxin_blank1.sys type=kernel && sc.exe start daxin_blank1.sys", + "Description": "Driver used in the Daxin malware campaign.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" ], "Acknowledgement": { "Person": "", 
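Review bot: The new `Resources` array for the daxin_blank1.sys record ends with an empty string element (`""`), which is not a reference and will surface as a blank entry wherever the list is iterated or rendered. Every other `Resources` array in this diff holds only URLs, so this looks like a copy artifact from the upstream dataset; drop the third element so the array ends with `"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage" ]`, or have the loader skip empty strings. Note also that this record's `Category` becomes `"malicious"` rather than `"vulnerable driver"`, so any consumer that selects records by category will presumably treat it differently from the rest of the file.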
@@ -54346,317 +39942,82 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "WYProxy32.sys", - "SHA256": "de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa", - "Signature": [], - "Date": "", - "Publisher": "", + "Filename": "daxin_blank1.sys", + "MD5": "a6e9d6505f6d2326a8a9214667c61c67", + "SHA1": "cb3f30809b05cf02bc29d4a7796fb0650271e542", + "SHA256": "5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae", + "Signature": "A certificate was explicitly revoked by its issuer.", + "Date": "4:05 AM 2/6/2021", + "Publisher": "Fuqing Yuntan Network Tech Co.,Ltd.", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "WYProxy32.sys" - ] - }, - { - "Id": "10b1fc3d-c444-4885-8ca9-4b5891885507", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create atillk64.sys binPath=C:\\windows\\temp\\atillk64.sys type=kernel && sc.exe start atillk64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "atillk64.sys", - "MD5": "27d21eeff199ed555a29ca0ea4453cfb", - "SHA1": "1045c63eccb54c8aee9fd83ffe48306dc7fe272c", - "SHA256": "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "75c20227e11024bdfd5fbe23e769bbca", - "SHA1": "2e3cf3678d476420696ec7df46b08d4d24d25644", - "SHA256": "c9b8ecd0657fda14476920fe47783bd8a951d7a4a640935d9199b4a7ae4b8b69" + "MD5": "7c9b3308f3eb98dd7ddb59b2f6b14656", + "SHA1": "6a9693e262ea82a33b6caee0426512f944366577", + "SHA256": 
"389d04a947be32b43eab5767f548fc193e9ac5fe5225a3b6dc26ddc80c326d7d" }, - "Description": "ATI Diagnostics Hardware Abstraction Sys", - "Company": "ATI Technologies Inc.", - "InternalName": "atillk64.sys", - "OriginalFilename": "atillk64.sys", - "FileVersion": "5.11.9.0", - "Product": "ATI Diagnostics", - "ProductVersion": "5.11.9.0", - "Copyright": "Copyright (C) ATI Technologies Inc., 2003", - "MachineType": "IA64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmMapIoSpace", - "IofCompleteRequest", - "MmUnmapIoSpace", - "IoDeleteSymbolicLink", - "KeTickCount", - "IoAllocateMdl", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "IoFreeMdl", - "RtlInitUnicodeString", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "HalGetBusDataByOffset", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "READ_PORT_UCHAR", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "HalSetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", - "ValidFrom": "2006-03-17 00:00:00", - "ValidTo": "2009-03-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "atillk64.sys", - "MD5": "26d973d6d9a0d133dfda7d8c1adc04b7", - "SHA1": "eb0d45aa6f537f5b2f90f3ad99013606eafcd162", - "SHA256": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", - "Authentihash": { - "MD5": "78103f6de4cad64d95a8beda5f8b9112", - "SHA1": "0358bcba83349cb23ea44d5c36b9e22adaec8d94", - "SHA256": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e" - }, - "Description": "ATI Diagnostics Hardware Abstraction Sys", - "Company": "ATI Technologies Inc.", - "InternalName": "atillk64.sys", - "OriginalFilename": "atillk64.sys", - "FileVersion": "5.11.9.0", - "Product": "ATI Diagnostics", - 
"ProductVersion": "5.11.9.0", - "Copyright": "Copyright (C) ATI Technologies Inc., 2003", - "MachineType": "AMD64", - "Imports": [ + "NDIS.SYS", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", + "_stricmp", + "NdisDeregisterProtocol", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", "IoAllocateMdl", - "IoCreateDevice", - "IofCompleteRequest", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", - "ValidFrom": "2006-03-17 00:00:00", - "ValidTo": "2009-03-21 23:59:59", - "Signature": "7345709b7537390f5e353a60481acc85fef70a62195b9c0384f0902d68f66a98d26cb8601bc0aa4868a5136937cebc1b6898e1c16c2f8283a7a632cc5a124b514852877db91ef19627f9dc5ec8df9de0bda8c938efaa488e1c7aca70808d99edf2289109a64720f7ee24c21c35cbc126c3127f23f8ac10ac13095c8e6d91e1f23428a9528dc8e5139ca0a6b60a85d2dad287ac8810a5d9c6104790674ea13f71235c46d39faec2f7514be12720f3bcb1f01b58eb544f2094a8a0dff7e259e5c2e5363b6ad23d19607499b585ca194037d2651446534ced4b367860a711603ab89940dba8fd4ddf756bb36fa30a77ae941390561feaffebbd2040ac375414252c", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "atillk64.sys", - "MD5": "26d973d6d9a0d133dfda7d8c1adc04b7", - "SHA1": "eb0d45aa6f537f5b2f90f3ad99013606eafcd162", - "SHA256": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", - "Authentihash": { - "MD5": "78103f6de4cad64d95a8beda5f8b9112", - "SHA1": 
"0358bcba83349cb23ea44d5c36b9e22adaec8d94", - "SHA256": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e" - }, - "Description": "ATI Diagnostics Hardware Abstraction Sys", - "Company": "ATI Technologies Inc.", - "InternalName": "atillk64.sys", - "OriginalFilename": "atillk64.sys", - "FileVersion": "5.11.9.0", - "Product": "ATI Diagnostics", - "ProductVersion": "5.11.9.0", - "Copyright": "Copyright (C) ATI Technologies Inc., 2003", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "MmUnmapIoSpace", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "IoCreateDevice", - "IofCompleteRequest", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" + ], + 
"Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=CN, ST=Fuzhou, L=Fuqing, O=Fuqing Yuntan Network Tech Co.,Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Fuqing Yuntan Network Tech Co.,Ltd.", + "ValidFrom": "2013-04-09 00:00:00", + "ValidTo": "2014-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", - "ValidFrom": "2006-03-17 00:00:00", - "ValidTo": "2009-03-21 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "516ceb03f17e10c24b45ffb6336e5915", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
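Review bot: The added daxin_blank1.sys sample sets `"Signature"` to a plain string (`"A certificate was explicitly revoked by its issuer."`), while every other sample in this diff, for example AsrDrv103.sys and BS_Def64.sys, stores `"Signature"` as an array of strings; a decoder that maps the field to a string slice will reject this record, and depending on the decoder possibly the whole document. Normalize it to `"Signature": ["A certificate was explicitly revoked by its issuer."]`, or make the decoder accept either shape explicitly. The same sample's `"Date": "4:05 AM 2/6/2021"` is a locale-formatted timestamp where the other samples leave `Date` empty; if dates are ever compared, an RFC 3339 value would be safer, though the diff does not show which timezone the original value is in. The new `"CertificatesInfo": ""` also appears to replace the `[]` the old side used, so the same string-versus-array check applies there.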
@@ -54664,77 +40025,141 @@ } ], "Tags": [ - "atillk64.sys" - ] + "daxin_blank1.sys" + ], + "yara": false }, { - "Id": "93c84c08-4683-493d-abf7-22dc2d1cb567", + "Id": "32ccd436-eb13-4ab3-83d4-3e5471f4e364", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create PanIOx64.sys binPath=C:\\windows\\temp\\PanIOx64.sys type=kernel && sc.exe start PanIOx64.sys", + "Command": "sc.exe create AsrDrv103.sys binPath=C:\\windows\\temp\\AsrDrv103.sys type=kernel && sc.exe start AsrDrv103.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "PanIOx64.sys", - "MD5": "0d6fef14f8e1ce5753424bd22c46b1ce", - "SHA1": "814200191551faec65b21f5f6819b46c8fc227a3", - "SHA256": "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74", + "Filename": "AsrDrv103.sys", + "MD5": "7c72a7e1d42b0790773efd8700e24952", + "SHA1": "15d1a6a904c8409fb47a82aefa42f8c3c7d8c370", + "SHA256": "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d", "Signature": [ - "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", "Publisher": "", - "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", - "Description": "Temperature and system information driver", - "Product": "PanIO Library", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + "Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "PanIOx64.sys", + "OriginalFilename": "AsrDrv.sys", "Authentihash": { - "MD5": "7bd56fcd55d1fd188e5200b7db5cd7be", - "SHA1": "519926b0b385e27141d88c5576aa9f86d8d3bb0d", - "SHA256": "13aa698c09a31d642d3e2a9dd03be2363b11b4024689fb6c97234719446dbbd7" + "MD5": "bb59340eceecb279389290775536523a", + "SHA1": "b3410021ea5a46818d9ff05a96c2809a9abe8e4a", + "SHA256": "b6bf2460e023b1005cc60e107b14a3cfdf9284cc378a086d92e5dcdf6e432e2c" }, - "InternalName": "PanIOx64.sys", - "Copyright": "Copyright (c) 2012-2014 Pan Yazilim Bilisim Teknolojileri Tic. Ltd. 
Sti.", + "InternalName": "AsrDrv.sys", + "Copyright": "Copyright (C) 2012 ASRock Incorporation", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "cng.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlQueryRegistryValues", "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", "MmMapIoSpace", "IofCompleteRequest", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", + "IoCreateSymbolicLink", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", "IoDeleteDevice", + "MmGetSystemRoutineAddress", "IoCreateDevice", - "KeBugCheckEx", + "ZwClose", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "MmFreeContiguousMemorySpecifyCache", + "ExFreePoolWithTag", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor", + "BCryptCloseAlgorithmProvider", + "BCryptGenerateSymmetricKey", + "BCryptOpenAlgorithmProvider", + "BCryptDecrypt", + "BCryptDestroyKey" ], "Signatures": [ { 
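Review bot: The `Resources` array for AsrDrv103.sys lists the same Screwed-Drivers URL twice, once with a leading space (`" https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"`) and once without; the leading-space variant is not a usable URL and the duplicate is noise in any rendering. The same pattern appears in the BS_Def64.sys record in the hunk at `@@ -54788,45 +40220,75 @@` (`" https://github.com/namazso/physmem_drivers"`), so it appears to be a systematic upstream artifact, and trimming and de-duplicating `Resources` when this file is loaded is a more durable fix than editing entries by hand. The new `Detection` entries are consistently shaped `{"type": ..., "value": ...}` objects, which is the right model for that list.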
@@ -54742,45 +40167,52 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. 
STI.", - "ValidFrom": "2014-04-15 15:12:40", - "ValidTo": "2015-04-15 10:41:35", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2014-03-07 00:00:00", + "ValidTo": "2017-05-05 23:59:59", + "Signature": 
"1a2d36e51fc7012c4b1548f12a0b4dbef774c3662171e0e1779f412648292619a8d74f8603af4fff5516d4859e7a26de9f0f688b2714b64ff296e56165afb0781c9a9dd23220d939c15cc218fe29d63d9ccd12f74127268c027d4041d392cad853e9da0a6d9379ac46efa8fe2099da7c49374b6c416139038143a94cc56334fad15ccbba2a821a22591d2c5b1449999e40af21e4f8280485d02056d904740e5c73a36e30c43376e7dbc8d0ccb7520e4bffc6501d0c0674a684398281b23d7dcb4386721fdece5817c74509fe6cc86751cd28e255dd47de330646d6bfe863fc50c773b90078f0332c3a02539c9e82b5e793c288063f91ed5f2036eb6cd4eae9e0", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121506480253469e07e54ee8612041fbb92", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -54788,45 +40220,75 @@ } ], "Tags": [ - "PanIOx64.sys" - ] + "AsrDrv103.sys" + ], + "yara": true }, { - "Id": "3ac0eda2-a844-4a9d-9cfa-c25a9e05d678", + "Id": "4a80da66-f8f1-4af9-ba56-696cfe6c1e10", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create Bs_Def.sys binPath=C:\\windows\\temp\\Bs_Def.sys type=kernel && sc.exe start Bs_Def.sys", + "Command": "sc.exe create BS_Def64.sys binPath=C:\\windows\\temp\\BS_Def64.sys type=kernel && sc.exe start BS_Def64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "Bs_Def.sys", - "MD5": "a9f220b1507a3c9a327a99995ff99c82", - "SHA1": "2c5ff272bd345962ed41ab8869aef41da0dfe697", - "SHA256": "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be", + "Filename": "BS_Def64.sys", + "MD5": "8abbb12e61045984eda19e2dc77b235e", + "SHA1": "609fa1efcf61e26d64a5ceb13b044175ab2b3a13", + "SHA256": "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3", "Signature": [ "ASUSTeK Computer Inc.", "VeriSign Class 3 Code Signing 2004 CA", "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "", + "Publisher": "ASUSTeK Computer Inc.", "Company": "AsusTek Computer Inc.", "Description": "Default BIOS Flash Driver", "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", @@ -54835,9 +40297,9 @@ "MachineType": "AMD64", "OriginalFilename": "Bs_Def64.sys", "Authentihash": { - "MD5": "f27b347b5124473a3a9a46986889e408", - "SHA1": "69ca963ec00bdd2a92a9777e91d0174bbe97e29c", - "SHA256": "410f02303292798ab2a8b3e7d253938b466e83071b15e7d3aaa25f4995b27187" + "MD5": "5c40712c0a854396aa9e8776763f3340", + "SHA1": "45cae96b31928bc5f93381edf6b978534fa24f59", + "SHA256": "57e9de67e908186b3cb8180caa2e5c5d7b6bb31969557b8bd5710d79089e8868" }, "InternalName": "Bs_Def64.sys", "Copyright": "Copyright (C) AsusTek Computer. 1992-2004", @@ -54854,7 +40316,6 @@ "IoFreeMdl", "MmUnmapLockedPages", "KeDelayExecutionThread", - "DbgPrint", "MmUnmapIoSpace", "MmMapIoSpace", "RtlZeroMemory", 
@@ -54884,13 +40345,6 @@ "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", @@ -54898,6 +40352,13 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", "ValidFrom": "2004-07-16 00:00:00", 
@@ -54914,264 +40375,89 @@ }, { "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2007-07-03 00:00:00", - "ValidTo": "2008-07-26 23:59:59", - "Signature": "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", + "ValidFrom": "2006-06-27 00:00:00", + "ValidTo": "2007-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", + "SerialNumber": "284649f592786c4851c1138e364185ae", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "Bs_Def.sys" - ] - }, - { - "Id": "05d7cfea-1fb9-4559-8837-d97b713254fe", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create 4.sys binPath=C:\\windows\\temp\\4.sys type=kernel && sc.exe start 4.sys", - "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. 
", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "4.sys", - "MD5": "6fcf56f6ca3210ec397e55f727353c4a", - "SHA1": "6debce728bcff73d9d1d334df0c6b1c3735e295c", - "SHA256": "8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104", + "Filename": "BS_Def64.sys", + "MD5": "c9a293762319d73c8ee84bcaaf81b7b3", + "SHA1": "7d7c03e22049a725ace2a9812c72b53a66c2548b", + "SHA256": "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5", "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "AsusTek Computer Inc.", + "Description": "Default BIOS Flash Driver", + "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", + "ProductVersion": "1.24", + "FileVersion": "1.24 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "Bs_Def64.sys", "Authentihash": { - "MD5": "72b24aa23f596d91a5596e57b1c306d0", - "SHA1": "60316c8ebadad30d9dd33ae87e8202b6e0c17cb4", - "SHA256": "1716d4c523aeea9703032ca93eb9668b9a16f542c00cec248b0a1c132d80bb15" + "MD5": "7aa4c54af2ef8f71eb5c7976ab741fa3", + "SHA1": "c95b6a13289b6538c7f4b68f791758bda1036cbe", + "SHA256": "3171d7af852e8b6be4651c415ea9490568475c45ecaa02a33dda9babb1643b07" }, - "InternalName": 
"", - "Copyright": "", + "InternalName": "Bs_Def64.sys", + "Copyright": "Copyright (C) AsusTek Computer. 1992-2004", "Imports": [ - "ntoskrnl.exe", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "rand", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] - } - ], - "Tags": [ - "4.sys" - ] - }, - { - "Id": "579a0516-1177-45ce-ad9e-45f53b28dcdc", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create b.sys binPath=C:\\windows\\temp\\b.sys type=kernel && sc.exe start b.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "b.sys", - "SHA256": "84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "b.sys" - ] - }, - { - "Id": "f3215c19-8053-458c-81a5-90a74c5d2e6d", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create CITMDRV_AMD64.sys binPath=C:\\windows\\temp\\CITMDRV_AMD64.sys type=kernel && sc.exe start CITMDRV_AMD64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "e076dadf37dd43a6b36aeed957abee9e", - "SHA1": "468e2e5505a3d924b14fedee4ddf240d09393776", - "SHA256": "29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", + "MmUnmapLockedPages", + "KeDelayExecutionThread", + "MmUnmapIoSpace", + "MmMapIoSpace", + "RtlZeroMemory", "IoDeleteDevice", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmMapLockedPages", + "IofCompleteRequest", "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx" + "ZwUnmapViewOfSection", + "strncpy", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "IoIs32bitProcess", + "strstr", + "strncmp", + "RtlInitUnicodeString", + "MmFreeContiguousMemory", + "HalTranslateBusAddress" ], "Signatures": [ { "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": 
"1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", 
@@ -55180,81 +40466,105 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2006-06-27 00:00:00", + "ValidTo": "2007-07-16 23:59:59", + "Signature": "3e9083070ad85eabc973807c097269557b889eba86f794582fdc292452dcb7f8bcc45cd4743a1f6fb1b4a2186c7be5c62cea2cfa8d7a8cf6b343ddd3da952369aeea7cdbb7fb2d0c172e9bd3f834d838e598760aa04f073962665cce0382d2f549978ec5b9b3d039eddfb4c4b3403f5a7ba908e6523bd44e39705deee334eb3d4dba63ac71da30b5a6a3c9bde15f52b39732144d7e59acae08622c5f78f0097899265af6be9d1f1b868e500fca79fe967ddd6d777597d52c201210d4903c6929e59ca804518364ab1f75925a99b70591290cab0f4c079392a985797cc99b1fc87cf7237ec4ce715abd07f108e320e42c327d305be93dde94161251414fc46516", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "284649f592786c4851c1138e364185ae", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "aa1ed3917928f04d97d8a217fe9b5cb1", - "SHA1": "2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8", - "SHA256": "45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0", + "Filename": "BS_Def64.sys", + "MD5": "120b5bbb9d2eb35ff4f62d79507ea63a", + "SHA1": "f9519d033d75e1ab6b82b2e156eafe9607edbcfb", + "SHA256": "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb", "Signature": [ - "IBM Polska Sp. 
z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "AsusTek Computer Inc.", + "Description": "Default BIOS Flash Driver", + "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", + "ProductVersion": "1.24", + "FileVersion": "1.24 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "Bs_Def64.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "034aa8df77d5a2815c8f4cf9f1399fd3", + "SHA1": "e62d0712ddfd9fbaf9014cf43e49e2087a3f1ed2", + "SHA256": "eb11a4270a6980a97ea8775422dacbd1e763b7e5898f0a80c71c91449fff7ab4" }, - "InternalName": "", - "Copyright": "", + "InternalName": "Bs_Def64.sys", + "Copyright": "Copyright (C) AsusTek Computer. 
1992-2004", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IoFreeMdl", + "MmUnmapLockedPages", + "KeDelayExecutionThread", + "MmUnmapIoSpace", + "MmMapIoSpace", + "RtlZeroMemory", "IoDeleteDevice", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmMapLockedPages", + "IofCompleteRequest", "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx" + "ZwUnmapViewOfSection", + "strncpy", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "IoIs32bitProcess", + "strstr", + "strncmp", + "RtlInitUnicodeString", + "MmFreeContiguousMemory", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -55262,128 +40572,249 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, 
L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2006-06-27 00:00:00", + 
"ValidTo": "2007-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "284649f592786c4851c1138e364185ae", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "BS_Def64.sys" + ], + "yara": true + }, + { + "Id": "214654eb-90c4-48c8-a183-0157e50bf07f", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create MsIo64.sys binPath=C:\\windows\\temp\\MsIo64.sys type=kernel && sc.exe start MsIo64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "dd39a86852b498b891672ffbcd071c03", - "SHA1": "c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f", - "SHA256": "50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "MsIo64.sys", + "MD5": "88a6d84f4f1cc188741271ac1999a4e9", + "SHA1": "483e58ed495e4067a7c42ca48e8a5f600b14e018", + "SHA256": "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "404c94935da4ba9eb3d5eea83c68378c", + "SHA1": "086e6e37abad257b753c26e8c9e3e181e46b10c3", + "SHA256": "d55dd56e24df201d1ad2204d565da5e8e6080d895c1ac2873a6afdcbb4c8b8c7" }, - 
"InternalName": "", - "Copyright": "", + "Description": "MICSYS IO driver", + "Company": "MICSYS Technology Co., LTd", + "InternalName": "MsIo64.sys", + "OriginalFilename": "MsIo64.sys", + "FileVersion": "1.3 x64 built by: WinDDK", + "Product": "MsIo64 Driver Version 1.3", + "ProductVersion": "1.3 x64", + "Copyright": "Copyright (c) 2021 MICSYS", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwWriteFile", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2021-09-09 19:15:59", + "ValidTo": "2022-09-01 19:15:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - 
"Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "330000004de597a775e3157f7b00000000004d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "MsIo32.sys", + "MD5": "564d84a799db39b381a582a0b2f738c4", + "SHA1": "fbc6d2448739ddec35bb5d6c94b46df4148f648d", + "SHA256": "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6", + "Authentihash": { + "MD5": "d7acc8a58b2163f0b070d647e81c49fd", + "SHA1": "0cb0fd5bea730e4eaaec1426b0c15376ccac6d83", + "SHA256": "0d0962db9dc6879067270134801ad425c1f3e85b0dc39877c02aaa9c54aca14e" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ObfDereferenceObject", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", + "Ke386SetIoAccessMap", + "ZwOpenSection", + "IoGetCurrentProcess", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", + "ZwClose", + "DbgPrint", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "Ke386IoSetAccessProcess", + "IoDeleteDevice", + 
"WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalTranslateBusAddress", + "WRITE_PORT_ULONG" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Taiwan, ??=New Taipei, ??=Private Organization, serialNumber=84948057, C=TW, L=New Taipei, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", + "ValidFrom": "2019-05-21 00:00:00", + "ValidTo": "2022-05-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", 
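Review bot: The MsIo64.sys entry added in this hunk (starting at `"Id": "214654eb-…"`) does not share the schema of the entries around it: `"Commands"` is a bare string where every other entry is an object with `Command`/`Description`/`Usecase`/…, `"Description"` and `"Acknowledgement"."Person"` are `[]` where the others use strings, `"CertificatesInfo"` is `[]` instead of `""`, and each sample is keyed `FileName` rather than `Filename`. A consumer that decodes this file into fixed-type structs — presumably Go, given the `pkg/` path — will reject the mistyped values (Go's encoding/json skips such a field and returns an UnmarshalTypeError), so the entry's command is lost and, depending on how that error is handled, the whole dataset may fail to load; for a vulnerable-driver hash list that means missed detections rather than a loud failure. The `FileName`/`Filename` difference is harmless for case-insensitive decoders but will drop the filename under a strict one. Because the file is regenerated from upstream, the durable fix is to normalise these fields in the generator or validate every entry against one schema before committing; the same `FileName` and `CertificatesInfo: []` shape continues in the following hunk, whose end lies outside this view.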
@@ -55391,378 +40822,385 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "49f161119a491d2a3faf4220f09db107", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "708ac9f7b12b6ca4553fd8d0c7299296", - "SHA1": "078ae07dec258db4376d5a2a05b9b508d68c0123", - "SHA256": "607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "MsIo64.sys", + "MD5": "55a7c51dc2aa959c41e391db8f6b8b4f", + "SHA1": "bc949bc040333fdc9140b897b0066ef125343ef6", + "SHA256": "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "3cdda257c661f3c1eb256b61dba8147d", + "SHA1": "84a45f83a90b1a695ffeb915ea2a197b186857e6", + "SHA256": "9f3e67f9454cb009716b89c0a296dcde73aa29145b7dcf776b81605932785b91" }, - "InternalName": "", - "Copyright": "", + "Description": "MICSYS IO driver", + "Company": "MICSYS Technology Co., LTd", + "InternalName": "MsIo64.sys", + "OriginalFilename": "MsIo64.sys", + "FileVersion": "1.3 x64 built by: WinDDK", + "Product": "MsIo64 Driver Version 1.3", + "ProductVersion": "1.3 x64", + "Copyright": "Copyright (c) 2021 MICSYS", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwWriteFile", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping 
Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", + "ValidFrom": "2014-03-04 00:00:00", + "ValidTo": "2024-03-03 23:59:59", + "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Taiwan, ??=New Taipei, ??=Private Organization, serialNumber=84948057, 
C=TW, L=New Taipei, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", + "ValidFrom": "2019-05-21 00:00:00", + "ValidTo": "2022-05-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "49f161119a491d2a3faf4220f09db107", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" } ] } ] }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "7a16fca3d56c6038c692ec75b2bfee15", - "SHA1": "623cd2abef6c92255f79cbbd3309cb59176771da", - "SHA256": "61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "MsIo64.sys", + "MD5": "de711decdd763a73098372f752bf5a1c", + "SHA1": "663803d7ab5aff28be37c2e7e8c7b98b91c5733e", + "SHA256": "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "a108434c7016659eca85bc755687c9d1", + "SHA1": "5b030639b3e83f945ea610eead115b213bb436f6", + "SHA256": "555ebe7901706dbf801b5dbda6660002d3b36e5c669ec98ccfc6884a7481c56e" }, - "InternalName": "", - "Copyright": "", + "Description": "MICSYS IO driver", + "Company": "MICSYS Technology Co., LTd", + "InternalName": "MsIo64.sys", + "OriginalFilename": "MsIo64.sys", + "FileVersion": "1.2 x64 built by: WinDDK", + "Product": "MsIo64 Driver Version 1.2", + "ProductVersion": "1.2 x64", + "Copyright": "Copyright (c) 2019 MICSYS", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwWriteFile", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "IoDeleteSymbolicLink", + "ZwUnmapViewOfSection", "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "ObfDereferenceObject", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping 
Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "42e8dc916f2dc408ca5166c8b7ced14e560f83871c13c6c64e315e05fe905f6d744191e2e1fa04e15896b09c9853c735ac78efecf1d9d6c4b81d449b71b041b37f66e879cdd3ccaee2fad716d01f842540235d15c8b607c010ae4abe541053cc38f0f16c25c4cc1064aea63f2db60ebb4a7fd0f4c468f658bfe57c541b1b9292c3e6490604e75ceb222dad4bd25c3cf81031d9eeb9599a7f150f3ea8417ae517a59488fc512bbda13ba30018b1692ebfea87957384abb8cb0ce20141a7d58299a15454184e79a36c7e492e5e98c145e6e2b6010fb70825c2557176ad96047e55ca2136536f9d2357f3bbd970eb696a6af7eedb5ffdbe4696b99412a5d09e568e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": 
"312314217055afc1a5751181c7d2d7619b23ba17166e6ae6f358b16921c925c6e3b75c31b93035f357c154fe4d347019e927db1957193b741e3371b46f4d6212b3bec972d6ff2297e8b1f2391f840045471ee31c524d4f5bf1cae4a32b73f6e48f51f777bb5b8a726db2a387c7c8df42289540f4f3d27b37d4ab4854efba809021879f3257d5670d70003a51d62bbc68e345a769f37ccb3ad336b7b3c494f5d56ef8300228d29835e5129b070742a220f83b6c9d5e2589cf2e7a1f7b59cfc81cda3232fc2fa448d736db546dc4b274cad3da83433deaa3eb9919b23ad08dc4055a8026711adcfccdb47d7a7c1adb2671ecc7198a786973807699a0ee236a46771f88913b769693b0b8ce9b002a40c2aa426edfd9a98368f89817b0d174458a390e11628e21f77e751431fae13831228e0e357610a24d89806d85390e9b3831792f62688bf04f91ee9a854b252452de7e752f39e57765a09a4ff41ae96144593a8a99688c6c9ad6b9fcaba1189ef2372b99e96db3fe6402b0e125b17f36c6f70fc1eb83257ce639b6c691a9ec031dddb9fa6536bb8e6080c9db976533f4ddfb73309b6498543cc94d3283d43668d614dd60a4fe707eb3b871da3204c534c8cc73cbc66aeb36cefd765439eef68d7ee9c515eb617f051a72097d0a25003df2dceccc9a0c4be1fd27e473955cc83ee9dba626748b1cb723c3b1c8b8ebc59321a0f5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + 
"SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "5970e8de1b337ca665114511b9d10806", - "SHA1": "1f3a9265963b660392c4053329eb9436deeed339", - "SHA256": "74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "MsIo64.sys", + "MD5": "61b068b10abfa0776f3b96a208d75bf9", + "SHA1": "1de9f25d189faa294468517b15947a523538ce9d", + "SHA256": "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "aedaf6ec0809d26c9dc2f41754095790", + "SHA1": "2c7e97bafd3bc518778d78cfc5157d069714bc18", + "SHA256": "5f39b84cb5132d4facff213c630b05ec97ef9d83b93579530152310d63945762" }, - "InternalName": "", - "Copyright": "", + "Description": "MICSYS IO driver", + "Company": "MICSYS Technology Co., LTd", + "InternalName": "MsIo64.sys", + "OriginalFilename": "MsIo64.sys", + "FileVersion": "1.3 x64 built by: WinDDK", + "Product": "MsIo64 Driver Version 1.3", + "ProductVersion": "1.3 x64", + "Copyright": "Copyright (c) 2021 MICSYS", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", "RtlInitUnicodeString", - "ZwWriteFile", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwClose", 
"ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "ObfDereferenceObject", + "IoDeleteSymbolicLink", + "__C_specific_handler", "IofCompleteRequest", + "ProbeForWrite", + "ProbeForRead", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "ZwUnmapViewOfSection", + "IoDeleteDevice", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "aec628787fc5115db93dba252e13cd029479d493c11fe73c7489505159c140ffe12c4626385c9dc75bb198692a08f1ddef7596666f654f6b2ac73884106f73c854ea38c3ea17af5d6b114884e174c4fb9061d48894066d6375662ddfdbb501cecbd1b6b92b9ac67a4b420aab9275658932fbcddfaa96590f5d40d29c807fda722681eb09fd16407fc1f2aea03470f36d1e134807d87dfc934789a500bf97b7fa816a56b96b269cf900d66809306d450556051df6ea7643848b2199d3a4927c34f1e385a31ead8aabb510a3dc1551c2ddabfede5f3210e774196660380a9d707d329c97e4317ddde27e111865367bab7c424e9a704f7f005d641cff9e3977bd38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:05", + "ValidTo": "2023-06-01 18:08:05", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "330000005635887ede1882ef76000000000056", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - }, + } + ], + "Tags": [ + "MsIo64.sys" + ], + "yara": true + }, + { + "Id": "974de971-1f78-47b9-8049-6c34f294acd5", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create bwrsh.sys binPath=C:\\windows\\temp\\bwrsh.sys type=kernel && sc.exe start bwrsh.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "2509a71a02296aa65a3428ddfac22180", - "SHA1": "4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c", - "SHA256": "76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], + "Filename": "bwrsh.sys", + "SHA256": "37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e", + "Signature": [], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", + "Publisher": "", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "bwrsh.sys" + ], + "yara": false + }, + { + "Id": "3ac0eda2-a844-4a9d-9cfa-c25a9e05d678", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create Bs_Def.sys binPath=C:\\windows\\temp\\Bs_Def.sys type=kernel && sc.exe start Bs_Def.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Bs_Def.sys", + "MD5": 
"a9f220b1507a3c9a327a99995ff99c82", + "SHA1": "2c5ff272bd345962ed41ab8869aef41da0dfe697", + "SHA256": "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "AsusTek Computer Inc.", + "Description": "Default BIOS Flash Driver", + "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", + "ProductVersion": "1.24", + "FileVersion": "1.24 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "Bs_Def64.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "f27b347b5124473a3a9a46986889e408", + "SHA1": "69ca963ec00bdd2a92a9777e91d0174bbe97e29c", + "SHA256": "410f02303292798ab2a8b3e7d253938b466e83071b15e7d3aaa25f4995b27187" }, - "InternalName": "", - "Copyright": "", + "InternalName": "Bs_Def64.sys", + "Copyright": "Copyright (C) AsusTek Computer. 
1992-2004", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IoFreeMdl", + "MmUnmapLockedPages", + "KeDelayExecutionThread", "DbgPrint", - "ZwCreateFile", - "vsprintf", + "MmUnmapIoSpace", + "MmMapIoSpace", + "RtlZeroMemory", "IoDeleteDevice", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmMapLockedPages", + "IofCompleteRequest", "IoDeleteSymbolicLink", + "ZwClose", "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", + "ObReferenceObjectByHandle", "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx" + "ZwUnmapViewOfSection", + "strncpy", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "IoIs32bitProcess", + "strstr", + "strncmp", + "RtlInitUnicodeString", + "MmFreeContiguousMemory", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -55770,102 +41208,241 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f47
6b9671d5918ad208d94", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2007-07-03 00:00:00", + "ValidTo": "2008-07-26 23:59:59", + "Signature": "2eca2db768d60f241f8c155b9db4bc91a02d16a3f1ec09059aa3b91a4ee0e44317d1f286d12133f44f4b282141287a8b9a3781b46184f732a599edb622e6057156d99221a130091c9f171f1a5f75125a68270d5c21ac379541136b8bf164a0ee6c9b9f5557754ea940f1c836e6d823528d764aaa41b038d84523e395c0ada5e17fea7912a0d10aa807fc0b89d4d116b92dbfc7028f1a23d5d679ac9a1023952a2cf98940ad5cc16bd9381403751ebd52c892205205d51d72b2a83ddb92547fce93e2b6617a42c7249312344ee0b9184859e8b1dd39bd5e61ab5999cbc8aa8807c8538c1926e49a9bbc29dcdf266a603c85f8df773c9659bcf08ffe2ba0f1cfa5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "Bs_Def.sys" + ], + "yara": true + }, + { + "Id": 
"fe2f68e1-e459-4802-9a9a-23bb3c2fd331", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create kEvP64.sys binPath=C:\\windows\\temp\\kEvP64.sys type=kernel && sc.exe start kEvP64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "296bde4d0ed32c6069eb90c502187d0d", - "SHA1": "ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d", - "SHA256": "81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "kEvP64.sys", + "MD5": "20125794b807116617d43f02b616e092", + "SHA1": "f3db629cfe37a73144d5258e64d9dd8b38084cf4", + "SHA256": "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c", "Signature": [ - "IBM Polska Sp. 
z o.o.", + "北京华林保软件技术有限公司", "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "PowerTool", + "Description": "PowerTool", + "Product": "PowerTool", + "ProductVersion": "1.0.1.0", + "FileVersion": "1.0.1.0 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "kEvP64.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "89184d56336f62fecc67f644b1ec4219", + "SHA1": "cd773a4b5aef78bda651069b9304e4d5e2033cb9", + "SHA256": "c7ba2720675aada538c47fa9e8950a81b6df23f63fa181680e6232651abffbef" }, - "InternalName": "", - "Copyright": "", + "InternalName": "kEvP64.sys", + "Copyright": "PowerTool", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "ProbeForRead", + "KeClearEvent", + "PsProcessType", + "IoReuseIrp", + "ObRegisterCallbacks", + "IoBuildDeviceIoControlRequest", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "ObUnRegisterCallbacks", + "PsGetProcessImageFileName", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "SeCreateAccessState", + "KeInitializeApc", + "IoGetRelatedDeviceObject", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", + "KeSetEvent", + "ExGetPreviousMode", + "ProbeForWrite", + "IoGetFileObjectGenericMapping", + "swprintf", + "ObCreateObject", + "ObGetFilterVersion", + "MmGetSystemRoutineAddress", + 
"IoCreateFile", + "KeInitializeEvent", + "RtlInitAnsiString", + "RtlUnicodeStringToAnsiString", + "RtlGetVersion", + "ZwQuerySystemInformation", + "ExReleaseRundownProtection", + "PsSetCreateProcessNotifyRoutine", + "MmUnmapIoSpace", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "ZwOpenSymbolicLinkObject", "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "KeUnstackDetachProcess", + "ExInitializeRundownProtection", + "ZwOpenDirectoryObject", + "IoVolumeDeviceToDosName", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ExEnumHandleTable", + "ObQueryNameString", + "ExAllocatePoolWithTag", + "IoDriverObjectType", + "ZwCreateFile", + "wcsstr", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "IoStopTimer", + "ExAllocatePool", + "IoUnregisterShutdownNotification", + "IoGetCurrentProcess", + "MmMapIoSpace", + "NtClose", + "ZwClose", "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "ZwQueryDirectoryObject", + "PsRemoveLoadImageNotifyRoutine", + "IoFreeIrp", + "MmProbeAndLockPages", + "PsThreadType", + "RtlCompareUnicodeString", + "IoAllocateIrp", + "ObSetHandleAttributes", + "MmUnlockPages", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "ObReferenceObjectByName", "IoCreateDevice", - "KeBugCheckEx" + "ZwTerminateProcess", + "RtlAssert", + "KeCancelTimer", + "CmUnRegisterCallback", + "ObOpenObjectByPointer", + "DbgPrint", + "KeStackAttachProcess", + "PsGetProcessWow64Process", + "IoAllocateMdl", + "IofCallDriver", + "KeBugCheckEx", + "IoThreadToProcess", + "ExAcquireRundownProtection", + "sprintf", + "PsGetProcessPeb", + "ExWaitForRundownProtectionRelease", + "_wcsicmp", + "_stricmp", + "IoFileObjectType", + "__C_specific_handler", + "HalSetBusDataByOffset", + "KeStallExecutionProcessor", + "HalGetBusDataByOffset", + "FltUnregisterFilter", + "FltEnumerateFilters", + "FltObjectDereference", + 
"FltRegisterFilter" ], "Signatures": [ { @@ -55887,10 +41464,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=???????????????????????????????????????, OU=RD, CN=???????????????????????????????????????", + "ValidFrom": "2015-07-27 00:00:00", + "ValidTo": "2016-08-25 23:59:59", + "Signature": "cb382c80e762f190213e6d4d24123b8e2851f2775f1df964e29655c927f1395c81bd01aa4106ceba3895b1db2744a41d4b0bc9b4305f7f5826764c038808d14dd7d3429ffbf6cbac8462d86c176c36ca145a8b9298eed05a55f84731eff3f5e98f6d4d0d7bda39e2a1e8854362dff3bd1b9be33f4f34f97e1e74354f5afd2689260230c61481f8cc6bbba9659f47dd114e9991e9c0d9cb91453001dd604edd328454ecb389c37ebbfb4ed2477a9abbca65723363ffd0814ddff8248ff33129df16bcd5a47c4140d1ff4d245c2b3f2cbf39ca68fcba6377cfb455d3a564ebe8af38855b4482176763e1d9a63777a1112972edf7f0b7ebaecde68653b23acd229d", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -55910,161 +41487,139 @@ ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "SerialNumber": "195c5f9885214bfb4f88dd2ad1f0be8c", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "kEvP64.sys" + ], + "yara": true + }, + { + "Id": "618fbf89-f4e3-4b2a-a4b4-cc4bf7c180e0", + "Author": "Michael Haag", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create POORTRY2.sys binPath=C:\\windows\\temp\\POORTRY2.sys type=kernel && sc.exe start POORTRY2.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "d1bac75205c389d6d5d6418f0457c29b", - "SHA1": "4268f30b79ce125a81d0d588bef0d4e2ad409bbb", - "SHA256": "9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b", + "Filename": "POORTRY2.sys", + "MD5": "b164daf106566f444dfb280d743bc2f7", + "SHA1": "7e836dadc2e149a0b758c7e22c989cbfcce18684", + "SHA256": "9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87", "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", + "Publisher": "", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "AMD64", + "MachineType": "I386", "OriginalFilename": "", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "ffbbaeada1f7507faca4ef59c6e3e577", + "SHA1": "56f9aa37f099409170b4656079edbf52e464b700", + "SHA256": "29bf8618816bce5fa2845409d98b7b96915e0763bb04719535ca885e4713cfaf" }, "InternalName": "", "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "RtlTimeToTimeFields", + "ExAllocatePoolWithTag", + "ZwCreateKey", + "ExFreePoolWithTag", + "NtQuerySystemInformation", + "ZwReadFile", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", + "IoCreateFile", + "RtlUnicodeStringToAnsiString", + "_wcslwr", + "IoFileObjectType", "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec 
Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "aec628787fc5115db93dba252e13cd029479d493c11fe73c7489505159c140ffe12c4626385c9dc75bb198692a08f1ddef7596666f654f6b2ac73884106f73c854ea38c3ea17af5d6b114884e174c4fb9061d48894066d6375662ddfdbb501cecbd1b6b92b9ac67a4b420aab9275658932fbcddfaa96590f5d40d29c807fda722681eb09fd16407fc1f2aea03470f36d1e134807d87dfc934789a500bf97b7fa816a56b96b269cf900d66809306d450556051df6ea7643848b2199d3a4927c34f1e385a31ead8aabb510a3dc1551c2ddabfede5f3210e774196660380a9d707d329c97e4317ddde27e111865367bab7c424e9a704f7f005d641cff9e3977bd38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "b2a9ac0600b12ec9819e049d7a6a0b75", 
- "SHA1": "c834c4931b074665d56ccab437dfcc326649d612", - "SHA256": "9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "wcsstr", + "ZwQueryValueKey", + "ExAllocatePool", + "PsTerminateSystemThread", "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "RtlFreeAnsiString", + "ZwQueryInformationFile", + "KeWaitForMultipleObjects", "ZwWriteFile", + "_vsnprintf", + "KeBugCheck", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx" + "PsGetCurrentProcessId", + "memmove", + "ZwAllocateVirtualMemory", + "atoi", + "_strlwr", + "NtQueryInformationProcess", + "DbgBreakPoint", + "ZwOpenProcess", + "KeServiceDescriptorTable", + "strrchr", + "ObQueryNameString", + "NtOpenThread", + "NtClose", + "NtOpenProcess", + "ExSystemTimeToLocalTime", + "RtlFreeUnicodeString", + "KeQuerySystemTime", + "RtlInitAnsiString", + "MmGetSystemRoutineAddress", + "RtlAnsiStringToUnicodeString", + "sprintf", + "swprintf_s", + "ObfDereferenceObject", + "KeSetEvent", + "KeWaitForSingleObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + 
"KeInitializeEvent", + "PsSetCreateProcessNotifyRoutineEx", + "_except_handler3", + "memcpy", + "memset", + "FltStartFiltering", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor", + "FltCloseCommunicationPort", + "FltUnregisterFilter", + "FltFreeSecurityDescriptor", + "FltCreateCommunicationPort", + "FltCloseClientPort" ], "Signatures": [ { 
@@ -56072,95 +41627,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": 
"13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "POORTRY2.sys" + ], + "yara": false + }, + { + "Id": "d819bee2-3bff-481f-a301-acc3d1f5fe58", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Se64a.sys binPath=C:\\windows\\temp\\Se64a.sys type=kernel && sc.exe start Se64a.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "79f7e6f98a5d3ab6601622be4471027f", - "SHA1": "8f5cd4a56e6e15935491aa40adb1ecad61eafe7c", - "SHA256": "aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Se64a.sys", + "MD5": "0a6a1c9a7f80a2a5dcced5c4c0473765", + "SHA1": "33285b2e97a0aeb317166cce91f6733cf9c1ad53", + "SHA256": "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc", "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)" + "EnTech Taiwan", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "EnTech Taiwan", + "Description": "EnTech softEngine x64 kernel-mode driver", + "Product": "softEngine-x64", + "ProductVersion": "2.1", + "FileVersion": "1.1", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "se64a.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "46f46abcb9e3ba747c2a2904babe38c0", + "SHA1": "a4e8e3268569acc0a0b3f6eada713c0fa8825463", + "SHA256": "04cfb452e1ac73fb2f3b8a80d9f27e19a344a6bf0f74c7f9cae3ae82d3770195" }, - "InternalName": "", - "Copyright": "", + "InternalName": "se64a.sys", + "Copyright": "Copyright (c) EnTech Taiwan, 2004-2006.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "ZwOpenSection", "RtlInitUnicodeString", - "ZwWriteFile", "DbgPrint", - "ZwCreateFile", - "vsprintf", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "RtlCopyMemory", + "ObReferenceObjectByHandle", + "KeEnterCriticalRegion", "IoDeleteDevice", "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "ZwMapViewOfSection", + "KeLeaveCriticalRegion", + "ZwClose", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -56168,10 +41758,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
- "ValidFrom": "2012-05-01 00:00:00",
- "ValidTo": "2012-12-31 23:59:59",
- "Signature": "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",
+ "Subject": "C=TW, O=EnTech Taiwan, CN=EnTech Taiwan, emailAddress=support@entechtaiwan.com",
+ "ValidFrom": "2006-09-25 13:13:42",
+ "ValidTo": "2007-09-25 13:13:42",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 { 
@@ -56182,81 +41772,155 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0100000000010de51c0971", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] + } + ], + "Tags": [ + "Se64a.sys" + ], + "yara": true + }, + { + "Id": "e7c958da-fd5d-40d6-975e-582c6fee7f69", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_RCIO64.sys binPath=C:\\windows\\temp\\BS_RCIO64.sys type=kernel && sc.exe start BS_RCIO64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Biostar.yar#L54", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "2d465b4487dc81effaa84f122b71c24f", - "SHA1": "51b60eaa228458dee605430aae1bc26f3fc62325", - "SHA256": "af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BS_RCIO64.sys", + "MD5": "b10b210c5944965d0dc85e70a0b19a42", + "SHA1": "5db61d00a001fd493591dc919f69b14713889fc5", + "SHA256": "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e", "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "BIOSTAR Group", + "Description": "I/O Interface driver file", + "Product": "BIOSTAR I/O driver", + "ProductVersion": "10.0.1901.1100", + "FileVersion": "10.0.1901.1100", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "BS_RCIO64.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "380a4fd97d795fec244add19a9c21fd6", + "SHA1": "6832acd68bcf08f8ced63023b5f7da36824cc596", + "SHA256": "6991be9952aa08c0d2ac9fa728410ebdb44988b496ed01b8b7f478785ebb30c4" }, - "InternalName": "", - "Copyright": "", + "InternalName": "I/O driver", + "Copyright": "Copyright (c) 2018-2019 BIOSTAR Group", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", + "KeInitializeSemaphore", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "KeSetEvent", + "MmUnmapIoSpace", + "KeDelayExecutionThread", + "PsCreateSystemThread", + "IoStartNextPacket", + "PsTerminateSystemThread", + "ExEventObjectType", + "MmMapIoSpace", + "IoDeleteDevice", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeReleaseSemaphore", + "ObfDereferenceObject", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "IoStartPacket", + "IofCompleteRequest", + "KeRemoveEntryDeviceQueue", + "KeBugCheckEx", + "RtlInitUnicodeString", + "ZwClose", + "IoDeleteSymbolicLink", + 
"HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -56264,95 +41928,190 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-09-06 21:30:32", + "ValidTo": "2019-09-06 21:30:32", + "Signature": 
"a5a2a99a97df110e18898e98fd07aaa52616e13f9c681d0f99cbafcb2914dd7a56a8324ab1fa926b26b9c5c87fd653c193cac3773f7750425d2090034461012f476d77005a079f2883e4cfa8b1dbab735f086c9692b3f6f53efb5db881bd94cdbda4c4c9597026a8fbf1eed41bf628879156fcacae96e751d4fe117f0f6dc985ef3bd72a7bd299bd507633600c9df2f92306fe4833a8d784019dbe8baaaa06fddae1d5066677c9bcce6506e6ebe455cc9f46b1e6e9d77f2a82159b2aac861eeb400de3dcef2bdfa85e0dc51628945f14b3f44340ba9f2a3af7ef1bf24f372b3a0d0fef4baafb86cf3ba43f29030b891d4b46b4ccb29b00506dc0ee0e44959f8369fc9e0fd4bc5fa12159a4cd6db8f9af57353c132654278784509635cf5e020c43757525a4d3dcbbd532986b46b2efaa2b6b3a00aa8d44cd0546efddb6ab2e30ccf75aba4bc8d9249262e408516b89cdd58c55b9af18baeb0201f7732724b4d3ca0c74ebc4afa19bb5583f948e9619232ece825e09465fdab93f6fe6ed0590d08435879ac1ba3cf41a8c4a8f5fea6a50e84a21a5ca38414e85de3867f4bce967cb45b62335b7416a0fdc08c1e3c049e85ef944f438e5f1296a659ff8e01a170001751f92b395bd7c9b4f33106a708a005c16c2b5439bac392253e1bcfbcb545d5f6243466205655a2e496098b9045d605b632b8f98d29f51e27e62fe63a4e8f2", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - 
"SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000253a2738690a3451c1000000000025", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "BS_RCIO64.sys" + ], + "yara": true + }, + { + "Id": "aa687f89-4f3b-4b59-b64e-fee5e2ae2310", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create wantd_2.sys binPath=C:\\windows\\temp\\wantd_2.sys type=kernel && sc.exe start wantd_2.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "4d17b32be70ef39eae5d5edeb5e89877", - "SHA1": "3270720a066492b046d7180ca6e60602c764cac7", - "SHA256": "d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "wantd_2.sys", + "MD5": "8636fe3724f2bcba9399daffd6ef3c7e", + "SHA1": "3b6b35bca1b05fafbfc883a844df6d52af44ccdc", + "SHA256": "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f", + "Signature": "Signed", + "Date": "7:52 AM 4/30/2014", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "WAN Transport Driver", + "Product": "Microsoft Windows Operating System", + "ProductVersion": "6.1.7600.938", + "FileVersion": "6.1.7600.938", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "wantd.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "4b7d15fe072cc44bb427206b295f861d", + "SHA1": "2edc9b891f72f204bee80618058f921a3f6fb5a1", + "SHA256": "25d16b2b53fc7b52a65616ab7fc04a503946c20fe96556681bfaddd589401f4a" }, - "InternalName": "", - "Copyright": "", + "InternalName": "wantd.sys", + "Copyright": "Microsoft Corporation. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", + "IoAllocateMdl", + "_stricmp", + "sprintf", + "RtlLengthRequiredSid", + "ExAllocatePoolWithTag", "vsprintf", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "NtWriteFile", + "RtlCreateAcl", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "_wcsnicmp", + "ZwReadFile", + "RtlSetDaclSecurityDescriptor", + "KeInitializeApc", + "IoDeleteDevice", + "NtFsControlFile", + "KeInsertQueueApc", + "MmGetSystemRoutineAddress", + "IoCreateFile", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", + "RtlAddAccessAllowedAce", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "KeDelayExecutionThread", + "wcsncmp", + "ZwCreateFile", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "ZwFreeVirtualMemory", + "KeQueryTimeIncrement", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeAttachProcess", + "PsGetVersion", + "PsThreadType", + "RtlCompareUnicodeString", + "ZwOpenProcess", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "ObfDereferenceObject", "IoCreateDevice", - "KeBugCheckEx" + "ZwTerminateProcess", + "ZwQueryInformationFile", + "KeWaitForMultipleObjects", + "ZwWriteFile", + "NtReadFile", + "DbgPrint", + "PsLookupThreadByThreadId", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "ZwOpenFile", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", + "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + 
"MmUserProbeAddress", + "MmBuildMdlForNonPagedPool", + "memchr", + "ZwWaitForSingleObject", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + "NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisCopyFromNetBufferToNetBuffer", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" ], "Signatures": [ { 
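Review bot: The `Signature` key changes type within this hunk: the BS_RCIO64 and other samples carry an array of signer names, while the wantd_2.sys record carries a bare string, `"Signature": "Signed"`. A consumer that decodes KnownVulnerableSamples into a fixed schema (presumably a `[]string` field in the Go package that embeds this file) will either fail on that record or drop it silently, which would leave a known-malicious driver's hashes unmatched at lookup time. The same record's `"Date": "7:52 AM 4/30/2014"` is the only locale-formatted date in view, where every other sample leaves the field empty, and its `Resources` array ends in an empty string `""`. Since this looks like a vendored copy of upstream data, the normalization belongs in the import step rather than a hand edit here, e.g. coercing a string value to `"Signature": ["Signed"]` and dropping blank or leading-space resource URLs before the file is written; the pattern may recur in records outside this chunk, which I cannot confirm from here.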
@@ -56374,81 +42133,151 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "wantd_2.sys" + ], + "yara": true + }, + { + "Id": "9e87b6b0-00ed-4259-bcd7-05e2c924d58c", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BSMEMx64.sys binPath=C:\\windows\\temp\\BSMEMx64.sys type=kernel && sc.exe start BSMEMx64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "c1d3a6bb423739a5e781f7eee04c9cfd", - "SHA1": "2a6e6bd51c7062ad24c02a4d2c1b5e948908d131", - "SHA256": "d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BSMEMx64.sys", + "MD5": "49fe3d1f3d5c2e50a0df0f6e8436d778", + "SHA1": "9d07df024ec457168bf0be7e0009619f6ac4f13c", + "SHA256": "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65", "Signature": [ - "IBM Polska Sp. z o.o.", + "BIOSTAR MICROTECH INT'L CORP", "VeriSign Class 3 Code Signing 2009-2 CA", "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "BIOSTAR Group", + "Description": "I/O Interface driver file", + "Product": "BIOSTAR I/O driver fle", + "ProductVersion": "1, 1, 0, 0", + "FileVersion": "1, 1, 0, 0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "BS_I2cIo.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "464c033940c536ca2b627ba616f33fd0", + "SHA1": "59e1a1abd37be9c1e33dd7d47526394d6ecb9c49", + "SHA256": "20c87381f8f0bf953cb109a5d50a2184c0104cc8ab30e2f94dfba89a5d19b9d8" }, - "InternalName": "", - "Copyright": "", + "InternalName": "I/O driver", + "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "KeInitializeEvent", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "ExInterlockedInsertTailList", + "RtlTimeToTimeFields", + "PsTerminateSystemThread", "ZwWriteFile", - "DbgPrint", + "ExInterlockedRemoveHeadList", + "KeSetPriorityThread", "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "IofCompleteRequest", + "RtlInitUnicodeString", + "PsCreateSystemThread", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "IoDeleteSymbolicLink", + "IoStartNextPacket", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeRemoveEntryDeviceQueue", + "IoStartPacket", + "IofCompleteRequest", + 
"ObReferenceObjectByHandle", + "ZwClose", + "IoDeleteDevice", + "KeSetEvent", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -56469,82 +42298,137 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "aec628787fc5115db93dba252e13cd029479d493c11fe73c7489505159c140ffe12c4626385c9dc75bb198692a08f1ddef7596666f654f6b2ac73884106f73c854ea38c3ea17af5d6b114884e174c4fb9061d48894066d6375662ddfdbb501cecbd1b6b92b9ac67a4b420aab9275658932fbcddfaa96590f5d40d29c807fda722681eb09fd16407fc1f2aea03470f36d1e134807d87dfc934789a500bf97b7fa816a56b96b269cf900d66809306d450556051df6ea7643848b2199d3a4927c34f1e385a31ead8aabb510a3dc1551c2ddabfede5f3210e774196660380a9d707d329c97e4317ddde27e111865367bab7c424e9a704f7f005d641cff9e3977bd38", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", "ValidFrom": "2009-05-21 00:00:00", "ValidTo": "2019-05-20 23:59:59", "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2010-09-19 00:00:00", + "ValidTo": "2013-10-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] + } + ], + "Tags": [ + "BSMEMx64.sys" + ], + "yara": true + }, + { + "Id": "a33de377-d2c2-4c71-98ca-cd0be8d284f9", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_I2cIo.sys binPath=C:\\windows\\temp\\BS_I2cIo.sys type=kernel && sc.exe start BS_I2cIo.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Biostar.yar#L30", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a.yara" }, { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "054299e09cea38df2b84e6b29348b418", - "SHA1": "19bd488fe54b011f387e8c5d202a70019a204adf", - "SHA256": 
"e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BS_I2cIo.sys", + "MD5": "83601bbe5563d92c1fdb4e960d84dc77", + "SHA1": "dc55217b6043d819eadebd423ff07704ee103231", + "SHA256": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Publisher": "", + "Company": "BIOSTAR Group", + "Description": "I/O Interface driver file", + "Product": "BIOSTAR I/O driver fle", + "ProductVersion": "1, 1, 0, 0", + "FileVersion": "1, 1, 0, 0", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "BS_I2cIo.sys", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "bcc1ae726001fdbabb8159e3b333f3fd", + "SHA1": "7885fb33d8800fa3c036252af70e0a8391ab367d", + "SHA256": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4" }, - "InternalName": "", - "Copyright": "", + "InternalName": "I/O driver", + "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "__C_specific_handler", - "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", + "IoStartNextPacket", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "KeRemoveEntryDeviceQueue", "IofCompleteRequest", - "IoCreateSymbolicLink", + "IoStartPacket", "IoCreateDevice", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -56552,55 +42436,92 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, 
CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2007-10-16 00:00:00", + "ValidTo": "2010-10-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "4d3675c15944120a97b4ae294ec73245", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - }, + } + ], + "Tags": [ + "BS_I2cIo.sys" + ], + "yara": true + }, + { + "Id": "6d4b0025-7910-483a-ba73-03970995edc3", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create amifldrv64.sys binPath=C:\\windows\\temp\\amifldrv64.sys type=kernel && sc.exe start amifldrv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "CITMDRV_AMD64.sys", - "MD5": "0ba6afe0ea182236f98365bd977adfdf", - "SHA1": "a6fe4f30ca7cb94d74bc6d42cdd09a136056952e", - "SHA256": "f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57", + "Filename": "amifldrv64.sys", + "MD5": "6ab7b8ef0c44e7d2d5909fdb58d37fa5", + "SHA1": "bb962c9a8dda93e94fef504c4159de881e4706fe", + "SHA256": "42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00", "Signature": [ - "IBM Polska Sp. 
z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", + "American Megatrends, Inc.", + "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", + "Publisher": "\"American Megatrends, Inc.\"", "Company": "", "Description": "", "Product": "", @@ -56609,38 +42530,43 @@ "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "6df250bd96e46a522bd7536100737f13", - "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", - "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + "MD5": "fc9e48051c2b957ed1cc7b69a29a66c8", + "SHA1": "716bce2ce697883eba0c051ed487de6304d73cd3", + "SHA256": "d7841ee6dac956cc0923368d6722063a19c9fa131e55c6f3b7484cce78d826f0" }, "InternalName": "", "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", "ZwUnmapViewOfSection", - "__C_specific_handler", + "MmFreeContiguousMemory", "IoFreeMdl", - "MmUnlockPages", - "ZwOpenSection", - "MmProbeAndLockPages", + "MmMapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsGetVersion", + "MmUnmapIoSpace", "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx" + "MmBuildMdlForNonPagedPool", + "MmMapIoSpace", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -56662,24 +42588,31 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2012-06-26 00:00:00", + "ValidTo": "2015-06-26 23:59:59", + "Signature": "5460beb703f166c9e6162d718f8e007272cb4311c796179a1d9f961bf90afd5019666505230d293cec6536bdeb283d167d4aa10d10e1693a9203ac123052e9a85dd70e698e1d4d27609892c789a423afb9f4db6063873df482e41c4533931ba6e85bf70f6ba1ffeed4dbb4a9d8d64698eca2b119fdb150d1d371cf7bf66f91ee76c743a8da01a13748dcd300def65d094ea4c9298d897e7c2e35c1445445b8570fd3cf14e966c35206d738b2074cc4e1a09e467e4d817a4bb8ba5c4ae69e30682ce55df79f9bc796dc0fc60fba1b5ecca4c3b963e7b666cd1b7eddc0dd4f0f1ec95e1c77aeb4081e4d0e44ff28c243945a6e6e14eaf39b76856e93b0f4843384", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "5ba2905d11f5cfbbc53ab21bfd39defe", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -56687,28 +42620,27 @@ } ], "Tags": [ - "CITMDRV_AMD64.sys" - ] + "amifldrv64.sys" + ], + "yara": false }, { - "Id": "e7c958da-fd5d-40d6-975e-582c6fee7f69", + "Id": "010870ad-c19b-498a-9018-70dc0c7ac3bd", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create BS_RCIO64.sys binPath=C:\\windows\\temp\\BS_RCIO64.sys type=kernel && sc.exe start BS_RCIO64.sys", + "Command": "sc.exe create AsUpIO.sys binPath=C:\\windows\\temp\\AsUpIO.sys type=kernel && sc.exe start AsUpIO.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/elastic/protections-artifacts/blob/932baf346cc8a743f1963ad3d4565b42ed17bebe/yara/rules/Windows_VulnDriver_Biostar.yar#L54", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", 
@@ -56717,64 +42649,53 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "BS_RCIO64.sys", - "MD5": "b10b210c5944965d0dc85e70a0b19a42", - "SHA1": "5db61d00a001fd493591dc919f69b14713889fc5", - "SHA256": "d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e", + "Filename": "AsUpIO.sys", + "MD5": "6d4159694e1754f262e326b52a3b305a", + "SHA1": "d5fd9fe10405c4f90235e583526164cd0902ed86", + "SHA256": "b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf", "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - "Publisher": "", - "Company": "BIOSTAR Group", - "Description": "I/O Interface driver file", - "Product": "BIOSTAR I/O driver", - "ProductVersion": "10.0.1901.1100", - "FileVersion": "10.0.1901.1100", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "BS_RCIO64.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "380a4fd97d795fec244add19a9c21fd6", - "SHA1": "6832acd68bcf08f8ced63023b5f7da36824cc596", - "SHA256": "6991be9952aa08c0d2ac9fa728410ebdb44988b496ed01b8b7f478785ebb30c4" + "MD5": "3e6db96f242c0c3115075add7d7847a0", + "SHA1": "c5da546e0af6119f033a5d4ed79e7f5d90c004ff", + "SHA256": "70870e20f563899e4f05be2d0049cb495552b409ca7f4729a335bcbfffc3f47c" }, - "InternalName": "I/O driver", - "Copyright": "Copyright (c) 2018-2019 BIOSTAR Group", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeSemaphore", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeSetEvent", - "MmUnmapIoSpace", - "KeDelayExecutionThread", - "PsCreateSystemThread", - "IoStartNextPacket", 
- "PsTerminateSystemThread", - "ExEventObjectType", - "MmMapIoSpace", - "IoDeleteDevice", + "ZwClose", "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "ObfDereferenceObject", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "IoStartPacket", - "IofCompleteRequest", - "KeRemoveEntryDeviceQueue", - "KeBugCheckEx", + "ZwOpenSection", "RtlInitUnicodeString", - "ZwClose", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwMapViewOfSection", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -56782,24 +42703,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-09-06 21:30:32", - "ValidTo": "2019-09-06 21:30:32", - "Signature": "a5a2a99a97df110e18898e98fd07aaa52616e13f9c681d0f99cbafcb2914dd7a56a8324ab1fa926b26b9c5c87fd653c193cac3773f7750425d2090034461012f476d77005a079f2883e4cfa8b1dbab735f086c9692b3f6f53efb5db881bd94cdbda4c4c9597026a8fbf1eed41bf628879156fcacae96e751d4fe117f0f6dc985ef3bd72a7bd299bd507633600c9df2f92306fe4833a8d784019dbe8baaaa06fddae1d5066677c9bcce6506e6ebe455cc9f46b1e6e9d77f2a82159b2aac861eeb400de3dcef2bdfa85e0dc51628945f14b3f44340ba9f2a3af7ef1bf24f372b3a0d0fef4baafb86cf3ba43f29030b891d4b46b4ccb29b00506dc0ee0e44959f8369fc9e0fd4bc5fa12159a4cd6db8f9af57353c132654278784509635cf5e020c43757525a4d3dcbbd532986b46b2efaa2b6b3a00aa8d44cd0546efddb6ab2e30ccf75aba4bc8d9249262e408516b89cdd58c55b9af18baeb0201f7732724b4d3ca0c74ebc4afa19bb5583f948e9619232ece825e09465fdab93f6fe6ed0590d08435879ac1ba3cf41a8c4a8f5fea6a50e84a21a5ca38414e85de3867f4bce967cb45b62335b7416a0fdc08c1e3c049e85ef944f438e5f1296a659ff8e01a170001751f92b395bd7c9b4f33106a708a005c16c2b5439bac392253e1bcfbcb545d5f6243466205655a2e496098b9045d605b632b8f98d29f51e27e62fe63a4e8f2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, 
Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000253a2738690a3451c1000000000025", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "Issuer": "C=US, O=VeriSign, 
Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } 
@@ -56807,112 +42749,104 @@ } ], "Tags": [ - "BS_RCIO64.sys" - ] + "AsUpIO.sys" + ], + "yara": false }, { - "Id": "a005e057-c84f-47cd-9b4b-5b1e51a06ab4", + "Id": "137daca4-0d7b-48aa-8574-f7eb6ad02526", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create fidpcidrv64.sys binPath=C:\\windows\\temp\\fidpcidrv64.sys type=kernel && sc.exe start fidpcidrv64.sys", - "Description": "", + "Command": "sc.exe create speedfan.sys binPath=C:\\windows\\temp\\speedfan.sys type=kernel && sc.exe start speedfan.sys", + "Description": "speedfan.sys is a vulnerable driver. CVE-2007-5633.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "fidpcidrv64.sys", - "MD5": "2fed983ec44d1e7cffb0d516407746f2", - "SHA1": "eb93d2f564fea9b3dc350f386b45de2cd9a3e001", - "SHA256": "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46", + "Filename": "speedfan.sys", + "MD5": "5f9785e7535f8f602cb294a54962c9e7", + "SHA1": "bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b", + "SHA256": "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c", "Signature": [ - "Intel(R) Processor Identification Utility", - "Intel External Basic Issuing CA 3A", - "Intel External Basic Policy CA", - "GeoTrust" + "Sokno S.R.L.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", + "Company": "Windows (R) Server 2003 DDK provider", + "Description": "SpeedFan Device Driver", + "Product": "Windows (R) Server 2003 DDK driver", + "ProductVersion": "5.2.3790.0", + "FileVersion": "5.2.3790.0 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "", + "OriginalFilename": "speedfan.sys", "Authentihash": { - "MD5": "66e3da88d9b3b4637474d0da27a523a6", - "SHA1": "4789b910023a667bee70ff1f1a8f369cffb10fe8", - "SHA256": "7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7" + "MD5": "af368f76c059d1e07aa884e86d29bbab", + "SHA1": "9c08d169b0f59a411c5b51f481622bc78bdf9c84", + "SHA256": "641490e28b2a1ee223238f5d969b5abf60a1089afe597c4251b285449e6b3b04" }, - "InternalName": "", - "Copyright": "", + "InternalName": "speedfan.sys", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmGetSystemRoutineAddress", - "IoGetDeviceAttachmentBaseRef", - "KeInitializeEvent", - "KeWaitForSingleObject", - "IoFreeIrp", - "ExAllocatePoolWithTag", - "RtlCompareUnicodeString", - "ObfReferenceObject", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "ExFreePoolWithTag", + "MmUnmapIoSpace", + "MmMapIoSpace", "IofCompleteRequest", - "ObReferenceObjectByName", - "IoCreateDevice", - "IoDriverObjectType", - "IoEnumerateDeviceObjectList", - "IoBuildSynchronousFsdRequest", - "IoGetDeviceProperty", - "DbgPrint", - "IofCallDriver", - "KeBugCheckEx", "IoDeleteDevice", - "ObfDereferenceObject", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "HalGetBusData", - "HalGetBusDataByOffset" + "IoCreateSymbolicLink", + "PsGetVersion", + "IoCreateDevice", + "RtlUnwindEx", + "KeBugCheckEx" ], "Signatures": [ { "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2006-02-16 18:01:30", - "ValidTo": "2016-02-19 18:01:30", - "Signature": "131038ada454a5489545b02d3772c09f9ed8ef8f0bfb9096d2b6177951cab3df067ebdb4e9083f84a00c939fb31ca86c8acf2deef99012f0f83a26d773810e9fc4319259d4282541f555f1ca3d993dda64c8d21864223209092d1de331fafdd347d764a8f95dea8227e24fd2612124611d54263e145964b098d5f3a7c3aead50", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", 
@@ -56921,31 +42855,38 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", - "ValidFrom": "2006-05-23 17:01:15", - "ValidTo": "2016-05-23 17:11:15", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "CN=Intel(R) Processor Identification Utility", - "ValidFrom": "2009-03-19 00:29:29", - "ValidTo": "2012-03-18 00:29:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3A", - "ValidFrom": "2006-03-22 22:22:42", - "ValidTo": "2012-03-22 22:32:42", - "Signature": "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", + "Subject": "C=IT, ST=Marche, L=Ancona, O=Sokno S.R.L., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software Development, CN=Sokno S.R.L.", + "ValidFrom": "2007-02-07 00:00:00", + "ValidTo": "2008-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public 
Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "13fd5f58000000002ea3", - "Issuer": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3A" + "SerialNumber": "7b12cd12b82d7758c4d7c3e398845b3c", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -56953,92 +42894,145 @@ } ], "Tags": [ - "fidpcidrv64.sys" - ] + "speedfan.sys" + ], + "yara": true }, { - "Id": "0e8da43d-92e0-43f9-bc34-50a7d15b34bd", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-11", + "Id": "de003542-80e1-4aa0-9b99-ed8647a93a6e", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create etdsupp binPath=C:\\windows\\temp\\etdsupp.sys type=kernel && sc.exe start etdsupp.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create cpuz_x64.sys binPath=C:\\windows\\temp\\cpuz_x64.sys type=kernel && sc.exe start cpuz_x64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { - "Person": "Michael Alfaro", - "Handle": "@_mmpte_software" + "Person": "", + "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "etdsupp.sys", - "MD5": "a92bf3c219a5fa82087b6c31bdf36ff3", - "SHA1": "a57eefa0c653b49bd60b6f46d7c441a78063b682", - "SHA256": "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145", + "Filename": "cpuz_x64.sys", + "MD5": "7d46d0ddaf8c7e1776a70c220bf47524", + "SHA1": "d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57", + "SHA256": "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3", + "Signature": [ + "CPUID", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "CPUID", + "Company": "Windows (R) Server 2003 DDK provider", + "Description": "CPUID Driver", + "Product": "Windows (R) Server 2003 DDK driver", + "ProductVersion": "5.2.3790.0", + "FileVersion": "5.2.3790.0 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "cpuz.sys", "Authentihash": { - "MD5": "bcc13f939e945b7395681cc6299a45bb", - "SHA1": "96faa975feb28588372a98a1e77d98af7fc90e41", - "SHA256": "c9532a354c24fd256c24534c554bca5a126414eb496dbd3223fe9486418df2ea" + "MD5": "68dbbf7551556cc1f85b2bb03549cc7a", + "SHA1": "21dcf78975dc9df6628e8624a56408ac66dd5218", + "SHA256": "539aa921b5352ab385430e1608ac5c0ae36f35e678d471b7a5994ec7c02eadea" }, - "Description": "ETDi Support Driver", - "Company": "HP Development Company", - "InternalName": "etdsupp.sys", - "OriginalFilename": "etdsupp.sys", - "FileVersion": "18.0.0.0", - "Product": "HP ETDi Driver DLL", - "ProductVersion": "18.0.0.0", - "Copyright": "(C) Copyright 1991-2022 Hewlett-Packard Development Company, L.P.", - "MachineType": "AMD64", + "InternalName": "cpuz.sys", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IofCompleteRequest", - "MmGetPhysicalAddress", - "__C_specific_handler", - "KeBugCheckEx", - "DbgPrint", "IoDeleteSymbolicLink", - "RtlAppendUnicodeToString", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "RtlInitUnicodeString", + "MmMapIoSpace", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlUnwindEx", + "MmUnmapIoSpace", + "PsGetVersion", + "IofCompleteRequest", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=US, ??=California, serialNumber=C2895304, C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", - "ValidFrom": "2022-01-19 00:00:00", - "ValidTo": "2024-01-19 23:59:59", - "Signature": 
"9500d1da5fadfef36a40966dce1ca0cee421500966b33f49f4c10f8acfea86f00dffde1f543367816b85f0ff09bc7f4767f7ca4533ea1b94c8eb026cd04936cd558ae73815b87a5e7a5b25a8b8aa9fb309f20a455067b17f1648d46a46f1f714b6f7c3df658545a43513e08b23828fa4e2180bf7356ab845318358cb4655b3c2c5efbf3ef01ebf6a172a271d714da3b844a184412a57d7e36e52480f8d3ced0fb1fa5c42257b05904820138acaea141a50294d827b92ef804d25d7cb36426edb915c90e97b8461df38f47ecb905b29b40ecf54dea2b060276444740357f2e8557a5fe064a03426c9408652e88a9b253f7bd37334199ce81b866b73b897217dcf019c8c7e5be66905b528a9eda563bca9b4922ea972df2e68c06d3396ac1bb76e4551f750ebd66d1c68edb6ecffdd8f9f492b7630e4a0591867edccec6d5cb6d58c35b89a8aebdc12c210b38289ecf419f8e82c1a03e2c8761b984bafafa502db482659a1ff256eee72175bc1a3d5dd5afa71fedbd7a8f4ad1cf6e569e382775ed6828dedeea6bf8689ee18dbe380140949cdc4a827622f23841731bb062941226d030e3873a425b078fe4926ef1985d8aecfce1140848b565dc0b5b722bf11fe129f6caee67af3e1c797562224849cfecbeda2f6c801d727f93a53e8b01cf475c541f3f4e26cf4c34e7b28cdb059f46880d92c6aab7d15eca050c395e4035fa5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", + "ValidFrom": "2007-02-08 00:00:00", + "ValidTo": "2009-02-07 23:59:59", + "Signature": "6ca08361ce69863ade5289039d2e6eaf79729d950a57fc32158e56bc0bfc05ca3b76263b8e8a5e2279522eceed35495c697a2f1b1631e1a4f997c8b2e14cd08a3b4aaeca9f150126f5933e6a29fde1e3ef607f452219582ac034c3f95023fd6c5474008ecea3aab5ba096ae73a3dd76b296d3c8b06a72ca763698e49474d624c22ad57a3d11342be8a6d2a49e4af5893003fcf02900a0fbf4854858cc0468d23b9917cfe59ac8b7058de49ab25bbca0bc67f1f367309deed4827295173fad53932d12ad79b8c70175e640f7917fd60940be86d1af397dd5eb0ecb9e92f9e3dc03f2cbf51e9776b31a8cba38fabd8b27e561f66a5ddad46546d6bc984a6a8d8bc", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0ec67729a8c3327b1b23804ce24719bd", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" + "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -57046,120 +43040,109 @@ } ], "Tags": [ - "etdsupp.sys" - ] + "cpuz_x64.sys" + ], + "yara": true }, { - "Id": "40a78fac-5aea-4bc5-afc6-24f877f3e7e5", + "Id": "5af9abf0-d8de-4e9b-8141-e9e97a31901a", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create AMDRyzenMasterDriver.sys binPath=C:\\windows\\temp\\AMDRyzenMasterDriver.sys type=kernel && sc.exe start AMDRyzenMasterDriver.sys", + "Command": "sc.exe create AsrDrv102.sys binPath=C:\\windows\\temp\\AsrDrv102.sys type=kernel && sc.exe start AsrDrv102.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - 
"Filename": "AMDRyzenMasterDriver.sys", - "MD5": "13ee349c15ee5d6cf640b3d0111ffc0e", - "SHA1": "4f7a8e26a97980544be634b26899afbefb0a833c", - "SHA256": "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433", + "Filename": "AsrDrv102.sys", + "MD5": "76bb1a4332666222a8e3e1339e267179", + "SHA1": "9923c8f1e565a05b3c738d283cf5c0ed61a0b90f", + "SHA256": "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc", "Signature": [ - "Advanced Micro Devices INC.", - "Symantec Class 3 SHA256 Code Signing CA", + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", "Publisher": "", - "Company": "Advanced Micro Devices", - "Description": "AMD Ryzen Master Service Driver", - "Product": "AMD Ryzen Master Service Driver", - "ProductVersion": "1.3.0.0", - "FileVersion": "1.3.0.0", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + "Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "AMDRyzenMasterDriver.sys", + "OriginalFilename": "AsrDrv.sys", "Authentihash": { - "MD5": "aa6e3970343cb83f7c924e98aeaf0c85", - "SHA1": "c29a625c02bf49f3f055db90b280a1f201c59975", - "SHA256": "001cd8b2ce1932d1a8c32bc2d643ee4fa6f67626d1b6895beea916285450566c" + "MD5": "c36c748b4297cedfdc5f38de22a40b5a", + "SHA1": "5f9c7d3552ffa98c9dcf9a9b7ad1263d2ab24a2f", + "SHA256": "11eecf9e6e2447856ed4cf86ee1cb779cfe0672c808bbd5934cf2f09a62d6170" }, - "InternalName": "AMDRyzenMasterDriver.sys", - "Copyright": "Copyright © 2018 AMD, Inc.", + "InternalName": "AsrDrv.sys", + "Copyright": "Copyright (C) 2012 ASRock Incorporation", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "MmMapIoSpace", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + 
"RtlQueryRegistryValues", "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", "IofCompleteRequest", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "ZwClose", - "ZwSetSecurityObject", - "IoDeviceObjectType", "IoCreateDevice", - "KeEnterCriticalRegion", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeExports", - "RtlCreateSecurityDescriptor", - "_wcsnicmp", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "IoIsWdmVersionAvailable", - "RtlSetDaclSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "ExFreePoolWithTag", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "strncmp", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -57181,31 +43164,38 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices INC., CN=Advanced Micro Devices INC.", - "ValidFrom": "2019-02-13 00:00:00", - "ValidTo": "2022-02-13 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2014-03-07 00:00:00", + "ValidTo": "2017-05-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -57213,103 +43203,103 @@ } ], "Tags": [ - "AMDRyzenMasterDriver.sys" - ] + "AsrDrv102.sys" + ], + "yara": true }, { - "Id": "080ff223-f8e0-49c0-a7b5-e97349cf81a0", + "Id": "d2806397-9ceb-47c8-b5f3-3aabec182ff5", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create HpPortIox64.sys binPath=C:\\windows\\temp\\HpPortIox64.sys type=kernel && sc.exe start HpPortIox64.sys", + "Command": "sc.exe create NCHGBIOS2x64.SYS binPath=C:\\windows\\temp\\NCHGBIOS2x64.SYS type=kernel && sc.exe start NCHGBIOS2x64.SYS", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - 
"Filename": "HpPortIox64.sys", - "MD5": "a641e3dccba765a10718c9cb0da7879e", - "SHA1": "8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f", - "SHA256": "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5", + "Filename": "NCHGBIOS2x64.SYS", + "MD5": "d9ce18960c23f38706ae9c6584d9ac90", + "SHA1": "d0d39e1061f30946141b6ecfa0957f8cc3ddeb63", + "SHA256": "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073", "Signature": [ - "HP Inc.", - "DigiCert SHA2 Assured ID Code Signing CA", - "DigiCert" + "TOSHIBA CORPORATION", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", "Publisher": "", - "Company": "HP Inc.", - "Description": "HpPortIo", - "Product": "HpPortIo", - "ProductVersion": "1.2.0.9", - "FileVersion": "1.2.0.9", + "Company": "TOSHIBA Corporation", + "Description": "BIOS Update Driver For Windows x64 Edition", + "Product": "TOSHIBA BIOS Package", + "ProductVersion": "4.2.4.0", + "FileVersion": "4.2.4.0 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "HpPortIox64.sys", + "OriginalFilename": "NCHGBIOS2x64.SYS", "Authentihash": { - "MD5": "986877a0cf596be97155e9469f3c4b40", - "SHA1": "98807d9e11bad4feed54d0d2c1abadeb95ca997c", - "SHA256": "35b31c96194d78cbb98b3223bf810f78f53fc0e4601f49169938ca883586e4e9" + "MD5": "188d9708ba2de146c555d484668decee", + "SHA1": "bb209301f3785febdd7bdeb717cbd66340ad5c65", + "SHA256": "c4031eb0a40137c4ab6d2dbdd2755135c63ab137a0aeb74a7bbea6617b96f0a7" }, - "InternalName": "HpPortIox64.sys", - "Copyright": "Copyright (C) 2020-2021 HP Inc. All rights reserved.", + "InternalName": "NCHGBIOS2x64.SYS", + "Copyright": "Copyright (C) 1999-2012 TOSHIBA Corporation. 
All Rights Reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmGetSystemRoutineAddress", - "RtlUnicodeStringToAnsiString", - "ExAllocatePool", - "ZwClose", - "RtlAppendUnicodeStringToString", - "ObReferenceObjectByHandle", - "RtlCopyUnicodeString", - "MmIsAddressValid", - "ExFreePoolWithTag", - "ZwOpenFile", - "DbgPrint", - "RtlEqualUnicodeString", - "ZwCreateFile", - "KeBugCheckEx", - "RtlVolumeDeviceToDosName", - "ExAllocatePoolWithTag", - "DbgPrintEx", - "IoCreateDevice", - "IoCreateSymbolicLink", - "RtlFreeAnsiString", - "IofCompleteRequest", - "RtlFreeUnicodeString", - "RtlInitString", + "MmFreeContiguousMemory", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", "IoDeleteDevice", + "RtlCompareMemory", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmAllocateContiguousMemory", + "KeBugCheckEx", "RtlInitUnicodeString", - "strstr", - "RtlAnsiStringToUnicodeString", - "ObfDereferenceObject", + "IofCompleteRequest", "IoDeleteSymbolicLink", - "ZwReadFile", - "RtlUTF8ToUnicodeN", - "RtlTimeFieldsToTime", - "RtlCharToInteger", - "RtlCompareMemory", - "RtlAssert", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" ], "Signatures": [ { 
@@ -57317,24 +43307,52 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=JP, ST=Tokyo, L=1,1 Shibaura, 1,chome, Minato,ku, O=TOSHIBA CORPORATION, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=TOSHIBA CORPORATION, CN=TOSHIBA CORPORATION", + "ValidFrom": "2012-04-05 
00:00:00", + "ValidTo": "2013-04-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", - "ValidFrom": "2020-05-14 00:00:00", - "ValidTo": "2021-05-19 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0449edef08b987f05203c4e0f2356499", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" + "SerialNumber": "4dfa235fb8e4e89715cc62facb68438d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -57342,18 +43360,19 @@ } ], "Tags": [ - "HpPortIox64.sys" - ] + "NCHGBIOS2x64.SYS" + ], + "yara": true }, { - "Id": "067589f2-4f29-4dc4-bd50-a2e2ee57b25f", + "Id": "30d6c39c-1d93-4101-8dd3-322ff0ab7fb3", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create GameTerSafe.sys binPath=C:\\windows\\temp\\GameTerSafe.sys type=kernel type=kernel && sc.exe start GameTerSafe.sys", + "Command": "sc.exe create NetFlt.sys binPath=C:\\windows\\temp\\NetFlt.sys type=kernel && sc.exe start NetFlt.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -57370,8 +43389,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "GameTerSafe.sys", - "SHA256": "3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c", + "Filename": "NetFlt.sys", + "SHA256": "f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13", "Signature": [], "Date": "", "Publisher": "", 
@@ -57385,205 +43404,324 @@ } ], "Tags": [ - "GameTerSafe.sys" - ] + "NetFlt.sys" + ], + "yara": false }, { - "Id": "30d6c39c-1d93-4101-8dd3-322ff0ab7fb3", - "Author": "Michael Haag", - "Created": "2023-01-09", + "Id": "76b5dfae-b384-45ce-8646-b2eec6b76a1e", + "Author": "Paul Michaud", + "Created": "2023-05-12", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create NetFlt.sys binPath=C:\\windows\\temp\\NetFlt.sys type=kernel && sc.exe start NetFlt.sys", - "Description": "", + "Command": "sc.exe create KfeCo11X64.sys binPath=C:\\windows\\temp\\KfeCo11X64.sys type=kernel && sc.exe start KfeCo11X64.sys", + "Description": "Killer exposes COM interfaces that allow non-privileged users 1) to block network for any process 2) to manage any service in the OS. Killer is preinstalled to laptops equipped with Intel Killer NICs (e.g. Dell). Since Intel patched the vulnerability quietly, it's not clear which version is safe. Also, it is unclear which OEMs are affected. Dell is definitely in the list, but it is likely that other vendors with Killer NICs on board, such as Acer and MSI, are affected too. Some users think that Killer suite is required for the NIC to work properly, so they install it even after a fresh Windows install. 
This version is confirmed vulnerable based on the script usage from zwclose.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + "https://zwclose.github.io/2023/04/18/killer2.html", + "https://twitter.com/zwclose/status/1648441215808049153", + "https://zwclose.github.io/2022/12/18/killer1.html" ], "Acknowledgement": { - "Person": "", - "Handle": "" + "Person": "zwclose", + "Handle": "zwclose" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "NetFlt.sys", - "SHA256": "f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13", - "Signature": [], + "Filename": "KfeCo11X64.sys", + "MD5": "c901887f28bbb55a10eb934755b47227", + "SHA1": "2540205480ea3d59e4031de3c6632e3ce2596459", + "SHA256": "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba", + 
"Signature": "", "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Company": "Rivet Networks, LLC.", + "Description": "Killer Traffic Control Callout Driver", + "Product": "Killer Traffic Control", + "ProductVersion": "9.8.4.59", + "FileVersion": "9.8.4.59", + "MachineType": "AMD64", + "OriginalFilename": "KfeCoDrv.sys", + "Authentihash": { + "MD5": "758090532f58b19865d76a41389c2d58", + "SHA1": "6aa5070d7346f164d618915d32ddb9cfe1c1fecc", + "SHA256": "a7047cee090ddbd150d7337a9357e03ccea56f004a2d29ddb7b8a0636a396240" + }, + "InternalName": "KfeCoDrv.sys", + "Copyright": "Copyright (C) 2015-2018 Rivet Networks, LLC.", + "Imports": [ + "ntoskrnl.exe", + "NDIS.SYS", + "fwpkclnt.sys", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExFreePoolWithTag", + "KeReleaseInStackQueuedSpinLockFromDpcLevel", + "RtlCopyUnicodeString", + "DbgPrintEx", + "KeInitializeEvent", + "strstr", + "RtlCompareMemory", + "RtlIpv4StringToAddressA", + "RtlIpv6StringToAddressA", + "memchr", + "ObfDereferenceObject", + "MmBuildMdlForNonPagedPool", + "KeInitializeSpinLock", + "KeSetTimer", + "KeCancelTimer", + "KeInitializeTimer", + "KeSetPriorityThread", + "KeSetImportanceDpc", + "KeInsertQueueDpc", + "KeInitializeDpc", + "IoQueueWorkItem", + "IoFreeWorkItem", + "IoAllocateWorkItem", + "PsTerminateSystemThread", + "KeWaitForMultipleObjects", + "KeDelayExecutionThread", + "KeClearEvent", + "RtlEthernetAddressToStringW", + "RtlRandomEx", + "ZwClose", + "PsCreateSystemThread", + "KeWaitForSingleObject", + "KeSetEvent", + "KeQueryInterruptTimePrecise", + "ExEventObjectType", + "__C_specific_handler", + "ObReferenceObjectByHandle", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "MmProbeAndLockPages", + "ProbeForWrite", + "ProbeForRead", + "IoFreeMdl", + "ExAllocatePool2", + "IoAllocateMdl", + "KeAcquireInStackQueuedSpinLockAtDpcLevel", + 
"KeReleaseInStackQueuedSpinLock", + "KeAcquireInStackQueuedSpinLock", + "KeGetCurrentIrql", + "NdisRetreatNetBufferDataStart", + "NdisAdvanceNetBufferDataStart", + "NdisGetDataBuffer", + "NdisCopySendNetBufferListInfo", + "NdisFreeNetBufferPool", + "NdisAllocateNetBufferPool", + "NdisFreeNetBufferListPool", + "NdisAllocateNetBufferListPool", + "NdisFreeGenericObject", + "NdisCopyReceiveNetBufferListInfo", + "NdisAllocateGenericObject", + "FwpsInjectTransportReceiveAsync0", + "FwpsQueryConnectionRedirectState0", + "FwpsRedirectHandleDestroy0", + "FwpsRedirectHandleCreate0", + "FwpsApplyModifiedLayerData0", + "FwpsAcquireWritableLayerDataPointer0", + "FwpsCompleteClassify0", + "FwpsPendClassify0", + "FwpsReleaseClassifyHandle0", + "FwpsAcquireClassifyHandle0", + "FwpsCalloutUnregisterByKey0", + "FwpsConstructIpHeaderForTransportPacket0", + "FwpsDereferenceNetBufferList0", + "FwpsReferenceNetBufferList0", + "FwpsInjectMacSendAsync0", + "FwpsInjectMacReceiveAsync0", + "FwpsAllocateCloneNetBufferList0", + "FwpsFreeNetBufferList0", + "FwpsAllocateNetBufferAndNetBufferList0", + "FwpmFilterDeleteById0", + "FwpsCalloutRegister3", + "FwpmFilterAdd0", + "FwpmCalloutDeleteByKey0", + "FwpmSubLayerDeleteByKey0", + "FwpmProviderContextDeleteByKey0", + "FwpsInjectTransportSendAsync1", + "FwpsFreeCloneNetBufferList0", + "FwpsFlowRemoveContext0", + "FwpsFlowAssociateContext0", + "FwpsCalloutUnregisterById0", + "FwpmCalloutAdd0", + "FwpmSubLayerAdd0", + "FwpmProviderAdd0", + "FwpmTransactionAbort0", + "FwpmTransactionCommit0", + "FwpmTransactionBegin0", + "FwpmEngineClose0", + "FwpmEngineOpen0", + "FwpsInjectionHandleDestroy0", + "FwpsInjectionHandleCreate0", + "FwpsQueryPacketInjectionState0", + "FwpsGetPacketListSecurityInformation0", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass", + "WdfVersionBind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=California, L=Santa Clara, O=Intel 
Corporation, OU=Intel(R) Connectivity Innovation, CN=Intel Corporation", + "ValidFrom": "2021-04-01 00:00:00", + "ValidTo": "2023-04-01 23:59:59", + "Signature": "1b7cfebb08c68ed60abcba3a04dbad328d046911c5325ffe46fb569e1d0c3c9f3413ff65a1d8ec402ac7c08f375ce9f48eb9212e1cb9ae1d4460e6c6e680d2553c47885c2119915d8401830970df37563b1a1649f0485848b55617a993a59612fb47cfeb541b0fa464fb781e87f4e8c1557600774719a502f23f4197963127c78a0d4641b34e0bcb8f86faacecfbd4c9798bdf92797bb629240970d04cd9267566d9e8226e41e6b2fe167dde6e3a471340982eb23969e27769a60d2f802d31601d6152c64019662357278b43a3965359050bca6ff45466d65fd54ba05a1f8eacc08660cdd55050249b001237f0fa9c6e28779f310b7de38a994f1637d8b387ec", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA", + "ValidFrom": "2018-11-02 00:00:00", + "ValidTo": "2030-12-31 23:59:59", + "Signature": "4d6350ed47344a61a4dbde6a2a8c9bf100001e1d627b3ad732c2f6b3e063b3fb6100889a1b6d1007044fbeb8ea897822eb0f46ecf3465e40468912f40b775a9c2a413afcd6f4ebe7f7159533c3a18328b7de2fe494f78533832d4a4048bf9ac24f4ab18f24f4b38137d3b764b0a6236a596852425fff04ebe174657908f5a993de6b71409996ba78f1b9c8e2c30816b1ab635ac815806d745e4a757ea5b8c36cb5cfdf4a79875cc7404d6335f630d3cfb50a0e0b047fa04baebba3a5d08400933e535d34a50035696cbe9f2025100d19fb509061be398f7a8e4df69f0e1efe075112668326194895ce4ac9c17ff33a059bf96fdf887fc0239ed21e437a4531c19c4da9f059b25919e86a8d290402777c4b4bcd70be3ab2555a783ebcbb6f0310257715348af936cc4392e4ba4ff1629328255729fb5119c7a125406a8457c6b29db1bc1c0ada7c677e7d2ee9284c187ec47b3141719a4b29ec0b3d5750d2caddfd9e0551e54478dd01deb175980d5424fdf04ee3e2f883bd72bacb3d3aeef05e1792686dc861f9a6f12a0a0ba5b9f49eee983205859eebf98329d3c62c7dbd3a772e8b3742a06a82ed3b4aaa9410a4e10df817c5b65a79331892e3b575f8a1e98e0a251ee41ef19f5a8723ff9fa4519efb398011cddbb5c4a7a8806fe553d4e0e3a2c2d25b1afa32262d6a57701c3ca4582ea3f35b4b07dc3259f387a71a6d58", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority", + "ValidFrom": "2015-07-22 21:03:49", + "ValidTo": "2025-07-22 21:03:49", + "Signature": "6b22933c3d395471646b0ef2e43c3011c5204a4b860f92f1ff33793ad9e498a70e40a022807e61b2e0a719cf2695312a65d46a4f3186eac0c62ec5648c3d4859cd0b2f743d9426131042d49798275e3c76d278691d1a64e7057275e0eb6640439f8f0c46ff9760a6c867ad10089b62a6e9be3a8ad3074d9f729325bc0611e02c90383e671cfd19d79e90ce3dc2e0e761acc0e504f51e99540c910d01567137ae27d49e4322a5c927cd4de571123924a5415687ffbc55140f25ca89eec797e5d213ff3d7e1aa08f3fc82cd7a370d0c760c0fcd83e51e797c63e3bedcf78be8acae3c4f2a7a7ed9eae08028fa052db721ed53bc34d9f8efa9b70c7f8e3bf6c3f929be4373eec6a8c29f9c1a2bf8b3e1a6966fb1c634f2601c902c43ed2ffc343a81bfd99fad4bca5b9e2932f3b01c5d1f43a2f68c3e064b75a955e46cc078369bb3c05925673357345984e7cd812a5b742e9a263f642601870d13b6f31c087c7e671e1f34616e9f5b872b3e96d1f622649a3498bdd68c78b6856f7defcfa8724b80381178fe5f1676a1daed374f78ca55db30b8e422996ce49c4777e667c01171a6c1424c3b0177705d81a40b7866bd8e47b40ac7edf4e6f24f92080828c33e7e5fa29d89dda8b705d2bc91d824c0b67cb84419ee7067e1183442d8a19eef47f9add791c37191e9f3f8c29ba0d5c1086376c48cd455dcd70bcbcd14d5dd8c5b876", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "00bfcce9854e3f154ff8e62c2ce2fde84d", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" + } + ] + } + ] } ], "Tags": [ - "NetFlt.sys" - ] + "KfeCo11X64.sys" + ], + "yara": true }, { - "Id": "9c3c6e89-3916-498f-81e5-da057ab3ed42", + "Id": "be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc", "Author": "Michael Haag", - "Created": "2023-04-22", + "Created": "2023-01-09", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create windbg.sys binPath=C:\\windows\\temp\\windbg.sys type=kernel && sc.exe start 
windbg.sys", - "Description": "Kernel driver seen in a recent CopperStealer campaign.", + "Command": "sc.exe create PhlashNT.sys binPath=C:\\windows\\temp\\PhlashNT.sys type=kernel && sc.exe start PhlashNT.sys", + "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft", - "https://twitter.com/jaydinbas/status/1642898531445886978?s=20", - "https://twitter.com/jaydinbas/status/1646475092006785027?s=20" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "windbg.sys", - "MD5": "88bea56ae9257b40063785cf47546024", - "SHA1": "b5a8e2104d76dbb04cd9ffe86784113585822375", - "SHA256": "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d", - "Signature": "", + "Filename": "PhlashNT.sys", + "MD5": "e9e786bdba458b8b4f9e93d034f73d00", + 
"SHA1": "c6d349823bbb1f5b44bae91357895dba653c5861", + "SHA256": "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890", + "Signature": [ + "Phoenix Technology Ltd.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], "Date": "", "Publisher": "", - "Company": "Microsoft Corporation", - "Description": "Windows GUI symbolic debugger", - "Product": "Microsoft? Windows? Operating System", - "ProductVersion": "10.0.19041.685", - "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", - "MachineType": "I386", - "OriginalFilename": "windbg.sys", + "Company": "Phoenix Technologies, Ltd.", + "Description": "SWinFlash Driver for Windows NT", + "Product": "WinPhlash", + "ProductVersion": "1.6.1.0", + "FileVersion": "1.6.1.0", + "MachineType": "AMD64", + "OriginalFilename": "PHLASHNT.SYS", "Authentihash": { - "MD5": "265462dbda175886e0c02257f2385753", - "SHA1": "0e45b675fec76249e64f8a2d4bd5483886b91169", - "SHA256": "37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c" + "MD5": "5cf72ecb15ffea87586783893b02c43d", + "SHA1": "ef2d7210b761f158a0832083a8407b3ec2f99db9", + "SHA256": "cde02c7db90626bcfbfbbc1315d4ce18d4f15667fa57c16b9ac2b060507c62ad" }, - "InternalName": "windbg.sys", - "Copyright": "? Microsoft Corporation. All rights reserved.", + "InternalName": "PHLASHNT", + "Copyright": "(c) Phoenix Technologies, Ltd. 
2000-2003", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ "IoDeleteDevice", - "IoDetachDevice", - "memcpy", - "memset", - "ZwClose", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "PsProcessType", - "PsLookupProcessByProcessId", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "IofCallDriver", - "PsGetCurrentProcessId", - "IoGetLowerDeviceObject", - "ObfDereferenceObject", - "IoGetAttachedDeviceReference", - "IoUnregisterShutdownNotification", - "KeDelayExecutionThread", - "IoAttachDeviceToDeviceStackSafe", + "IoCreateSymbolicLink", "IoCreateDevice", - "IoEnumerateDeviceObjectList", - "IoRegisterShutdownNotification", - "IoUnregisterFsRegistrationChange", - "IoRegisterFsRegistrationChange", - "_vsnwprintf", - "PsGetVersion", - "ZwAllocateVirtualMemory", - "MmUnmapLockedPages", - "IoFreeMdl", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IofCompleteRequest", "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "ZwReadFile", - "ZwQueryInformationFile", - "IoCreateFile", - "_wcsicmp", - "_wcsnicmp", - "RtlEqualUnicodeString", - "ZwWriteFile", - "ZwFlushKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "RtlRandom", - "KeQuerySystemTime", - "ZwDeleteKey", - "ZwOpenKey", - "ZwEnumerateKey", - "IoFreeIrp", - "KeSetEvent", - "KeWaitForSingleObject", - "KeGetCurrentThread", - "KeInitializeEvent", - "IoAllocateIrp", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "IoFileObjectType", - "ObQueryNameString", - "RtlCopyUnicodeString", - "MmIsAddressValid", - "PsGetProcessPeb", - "RtlCreateUnicodeString", - "ZwDeleteValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "ZwDeleteFile", - "PsRemoveLoadImageNotifyRoutine", - "CmUnRegisterCallback", - "PsSetLoadImageNotifyRoutine", - "CmRegisterCallback", - "ObReferenceObjectByName", - "ZwFreeVirtualMemory", - "ZwWaitForSingleObject", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "ZwDuplicateObject", - 
"PsGetProcessSessionId", - "_strnicmp", - "RtlSubAuthoritySid", - "RtlSubAuthorityCountSid", - "ZwQueryInformationToken", - "ZwOpenProcessTokenEx", - "PsTerminateSystemThread", - "PsThreadType", - "PsCreateSystemThread", - "KeTickCount", - "KeBugCheckEx", - "_vsnprintf", - "strncmp", - "strchr", - "strncpy", - "strstr", - "ExAllocatePool", - "_stricmp", - "rand", - "ZwCreateFile", - "IoBuildDeviceIoControlRequest", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_allshl", - "RtlUnwind" + "RtlAssert", + "DbgPrint", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag" ], "Signatures": [ { 
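Review bot: The `Signature` field changes type within this hunk: the new KfeCo11X64.sys entry carries `"Signature": "",` (a string; the `+` marker appears to precede it at the end of the previous collapsed line) while the new PhlashNT.sys entry a few lines later carries `"Signature": [` followed by three strings, and the removed NetFlt.sys/windbg.sys lines show the same split on the old side. A typed consumer that decodes this file into a fixed `[]string` field will fail to unmarshal the whole document on the first string-valued `Signature`, so an upstream sync can break the client without any code change; a consumer that decodes into a loose type silently treats `""` and `[]` as different values. Since this file is a vendored copy of upstream data, the practical fix is in the sync or load step rather than by hand-editing here: normalize `"Signature": ""` to `"Signature": [],` when importing, or decode the field with a tolerant custom unmarshaler that accepts both a string and an array, and add a test that loads the full file so the next refresh cannot regress it. The same caveat applies to `"Verified": "TRUE"`/`"FALSE"` (string) sitting next to `"yara": true` (boolean) in the same records, which I cannot confirm is handled from this diff alone.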
@@ -57591,164 +43729,168 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", - "ValidFrom": "2020-11-17 00:00:00", - "ValidTo": "2023-11-12 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", + "ValidFrom": "2008-11-14 00:00:00", + "ValidTo": "2009-11-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "012eab44fa8853d913e7107c89406432", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "55272d7780471b989f3def09bb221c53", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "PhlashNT.sys" + ], + "yara": true + }, + { + "Id": "40bfb01b-d251-4c2c-952e-052a89a76f5b", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + 
"Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create PanMonFltX64.sys binPath=C:\\windows\\temp\\PanMonFltX64.sys type=kernel && sc.exe start PanMonFltX64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf.yara" }, { - "Filename": "windbg.sys", - "MD5": "b6b530dd25c5eb66499968ec82e8791e", - "SHA1": "9c1c9032aa1e33461f35dbf79b6f2d061bfc6774", - "SHA256": "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5", - "Signature": "", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "PanMonFltX64.sys", + "MD5": "0067c788e1cb174f008c325ebde56c22", + "SHA1": "12d38abbc5391369a4c14f3431715b5b76ac5a2a", + "SHA256": 
"06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf", + "Signature": [ + "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], "Date": "", "Publisher": "", - "Company": "Microsoft Corporation", - "Description": "Windows GUI symbolic debugger", - "Product": "Microsoft? Windows? Operating System", - "ProductVersion": "10.0.19041.685", - "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", - "MachineType": "I386", - "OriginalFilename": "windbg.sys", + "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", + "Description": "PanCafe Manager File Monitor", + "Product": "PanCafe Manager", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "PanMonFltX64.sys", "Authentihash": { - "MD5": "dbc72430b48b0ca636a84b9e5ed0d534", - "SHA1": "58ca196bfd54c6166aae0f8000fa8a1a66a0073e", - "SHA256": "45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff" + "MD5": "fb2c77030c99606abb5d78bd51d6637d", + "SHA1": "cc0f86949ee6261f8c3de046112b99595db14c00", + "SHA256": "9544fbc011638cbc168f6ea4740cc6ed6fd331769e191fd64bdf9113eb64fde1" }, - "InternalName": "windbg.sys", - "Copyright": "? Microsoft Corporation. All rights reserved.", + "InternalName": "PanMonFltX64.sys", + "Copyright": "Copyright (c) 2012-2014 Pan Yazılım Bilisim Teknolojileri Tic. Ltd. 
Sti.", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "IoDetachDevice", - "memcpy", - "memset", - "ZwClose", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "ObOpenObjectByPointer", - "PsProcessType", - "PsLookupProcessByProcessId", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "IofCallDriver", - "PsGetCurrentProcessId", - "IoGetLowerDeviceObject", - "ObfDereferenceObject", - "IoGetAttachedDeviceReference", - "IoUnregisterShutdownNotification", - "KeDelayExecutionThread", - "IoAttachDeviceToDeviceStackSafe", - "IoCreateDevice", - "IoEnumerateDeviceObjectList", - "IoRegisterShutdownNotification", - "IoUnregisterFsRegistrationChange", - "IoRegisterFsRegistrationChange", - "_vsnwprintf", - "PsGetVersion", - "ZwAllocateVirtualMemory", - "MmUnmapLockedPages", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "ZwReadFile", - "ZwQueryInformationFile", - "IoCreateFile", - "_wcsicmp", - "_wcsnicmp", + "KeBugCheckEx", + "KeAcquireSpinLockRaiseToDpc", + "ExInterlockedRemoveHeadList", + "ExInterlockedInsertTailList", "RtlEqualUnicodeString", - "ZwWriteFile", - "ZwFlushKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "RtlRandom", - "KeQuerySystemTime", - "ZwDeleteKey", - "ZwOpenKey", - "ZwEnumerateKey", - "IoFreeIrp", - "KeSetEvent", - "KeWaitForSingleObject", - "KeGetCurrentThread", - "KeInitializeEvent", - "IoAllocateIrp", - "IoGetRelatedDeviceObject", - "ObReferenceObjectByHandle", - "IoFileObjectType", - "ObQueryNameString", + "KeReleaseSpinLock", + "IoQueryFileDosDeviceName", + "RtlAppendUnicodeStringToString", + "IoVolumeDeviceToDosName", + "RtlAppendUnicodeToString", + "DbgPrint", "RtlCopyUnicodeString", - "MmIsAddressValid", - "PsGetProcessPeb", - "RtlCreateUnicodeString", - "ZwDeleteValueKey", - "ZwCreateKey", - "RtlFreeUnicodeString", - "ZwDeleteFile", - "PsRemoveLoadImageNotifyRoutine", - "CmUnRegisterCallback", - 
"PsSetLoadImageNotifyRoutine", - "CmRegisterCallback", - "ObReferenceObjectByName", - "ZwFreeVirtualMemory", - "ZwWaitForSingleObject", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "ZwDuplicateObject", - "PsGetProcessSessionId", - "_strnicmp", - "RtlSubAuthoritySid", - "RtlSubAuthorityCountSid", - "ZwQueryInformationToken", - "ZwOpenProcessTokenEx", - "PsTerminateSystemThread", - "PsThreadType", - "PsCreateSystemThread", - "KeTickCount", - "KeBugCheckEx", - "_vsnprintf", - "strncmp", - "strchr", - "strncpy", - "strstr", - "ExAllocatePool", - "_stricmp", - "rand", - "ZwCreateFile", - "IoBuildDeviceIoControlRequest", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_allshl", - "RtlUnwind" + "PsGetCurrentThreadId", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "__C_specific_handler", + "FltSendMessage", + "FltQueryInformationFile", + "FltStartFiltering", + "FltParseFileName", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor", + "FltCloseCommunicationPort", + "FltUnregisterFilter", + "FltAllocateContext", + "FltReleaseContext", + "FltIsDirectory", + "FltFreeSecurityDescriptor", + "FltSetInformationFile", + "FltCreateCommunicationPort", + "FltDeleteContext", + "FltCloseClientPort", + "FltSetStreamHandleContext", + "FltGetStreamHandleContext" ], "Signatures": [ { 
@@ -57756,479 +43898,919 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2023-01-12 19:14:51", - "ValidTo": "2023-12-15 19:14:51", - "Signature": "04d1261b735b38b551b427cf9a295d4eb18edd92de14079aa33a10511ee6d262938b29ae208f96be64a80e2967fb8d7aa5750613901a9da6a82935398175482096430c9acecb55ee2c5468d119f467378c18251a8fe01e9d7b79bce903ccb7afb227e2d0abee00bd9fd6bbbbd67c014888dc46f3efa912d4576f7ca9980957609cd21fbd51815cb11bee95fa780498d905e866bc1a604e407ee0d97a105bcc8e600200b19b9c3a56cb3918047f21ba9ee2228b46b8e5c8b456ba65e6f0c40d28294b654761660e9d14948866c3f0f65f028e47641059d3f195812e871362128bcefb901d5aeace862e3d683b291d65c138138ea1335fe3552f4c46a7f7b0c6e5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": 
"5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. 
STI.", + "ValidFrom": "2014-04-15 15:12:40", + "ValidTo": "2015-04-15 10:41:35", + "Signature": "80c106b241d9ce3836aa7f9cace1ff4019c000e7010613722cb52e25e706045117d0fc96252e9dcea3fbc685222c39fca608d772e3f15cb43d550686265d301bbdc1e45ce75db149dff45be1adb71ee24385407afac778ede4e047359e64e06d29b5bdab18517dd5751cd255bd05600be47f4774be0c97666d5afe6aa64ee53ee9083e0587fd5a2b3767733fd5c1eb58364c4e8823db789da3d0157eb468805f3a0032103e65265ee45cd7181abfb3583d8d3b20d4f6f0a010c0bf01a2d82df1c3a22220e712d83b067aec59990117b623cda1a344a7584fb74145df822b2a709b3ca47a45fd4822d3bcd1691b18ddbb64b7daa42dd63664d796fbf2fc7474ba", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000f3158ea57d1c559f290000000000f3", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "1121506480253469e07e54ee8612041fbb92", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] + } + ], + "Tags": [ + "PanMonFltX64.sys" + ], + "yara": true + }, + { + "Id": "043773c5-120a-4c6b-8485-8f1f5c47fd3e", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create aswArPot.sys binPath=C:\\windows\\temp\\aswArPot.sys type=kernel && sc.exe start aswArPot.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d.yara" }, { - "Filename": "windbg.sys", - "MD5": "40b968ecdbe9e967d92c5da51c390eee", - "SHA1": "b8b123a413b7bccfa8433deba4f88669c969b543", - "SHA256": "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Microsoft Corporation", - "Description": "Windows GUI symbolic debugger", - "Product": "Microsoft? Windows? Operating System", - "ProductVersion": "10.0.19041.685", - "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", - "MachineType": "AMD64", - "OriginalFilename": "windbg.sys", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "aswArPot.sys", + "MD5": "c61876aaca6ce822be18adb9d9bd4260", + "SHA1": "186b6523e8e2fa121d6d3b8cb106e9a5b918af4f", + "SHA256": "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d", "Authentihash": { - "MD5": "98a3ab2b723de48256701b417ff87a65", - "SHA1": "ff80d6663a92ff454526e88847cbb4d9bd00e21e", - "SHA256": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47" + "MD5": "18893a7dd0bc23f4f4aa7b8350f0e75e", + "SHA1": "27021d09730a1d7694137e123ba3a63cd0b9e040", + "SHA256": "fab3f1dbc49bd9f0219156fe49d4423c311f529f7d3653f5f69d2b10b9b0bc98" }, - "InternalName": "windbg.sys", - "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.7.4031.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "18.7.4031.0", + "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "PsProcessType", - "IoGetLowerDeviceObject", - "ExFreePoolWithTag", - "IoRegisterShutdownNotification", - "IoAttachDeviceToDeviceStackSafe", - "PsLookupProcessByProcessId", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "IoDetachDevice", - "KeDelayExecutionThread", - "IoUnregisterShutdownNotification", - "ZwClose", - "IoGetAttachedDeviceReference", - "PsGetCurrentProcessId", - "ObfDereferenceObject", - "IoCreateDevice", - "IoEnumerateDeviceObjectList", - "IoUnregisterFsRegistrationChange", - "ObOpenObjectByPointer", - "IoRegisterFsRegistrationChange", - "IofCallDriver", + "wcschr", "MmUnmapLockedPages", + "_stricmp", "_wcsicmp", - "PsGetProcessPeb", - "ZwCreateKey", - "RtlCreateUnicodeString", - "MmMapLockedPages", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", "_wcsnicmp", "ZwReadFile", - "IoGetRelatedDeviceObject", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "IoDeleteDevice", "KeSetEvent", - 
"IoCreateFile", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", "KeInitializeEvent", - "ZwDeleteValueKey", - "ZwSetValueKey", - "RtlEqualUnicodeString", - "MmBuildMdlForNonPagedPool", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", "IoFreeMdl", - "RtlFreeUnicodeString", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", "ObQueryNameString", + "strncpy", "IoFileObjectType", - "ZwQueryValueKey", - "_vsnwprintf", - "RtlRandom", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", "ObReferenceObjectByHandle", "KeWaitForSingleObject", "PsRemoveLoadImageNotifyRoutine", - "ZwFlushKey", - "MmCreateMdl", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", 
+ "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", "IoFreeIrp", - "ZwDeleteFile", - "PsGetVersion", "IoAllocateIrp", - "CmRegisterCallback", - "RtlCopyUnicodeString", - "MmIsAddressValid", - "CmUnRegisterCallback", - "ZwQueryInformationFile", - "ZwWriteFile", - "ZwDeleteKey", - "ZwEnumerateKey", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "KeUnstackDetachProcess", - "ZwWaitForSingleObject", - "ZwFreeVirtualMemory", - "PsGetProcessSessionId", - "ZwDuplicateObject", - "ObReferenceObjectByName", - "KeStackAttachProcess", - "RtlSubAuthoritySid", - "_strnicmp", - "ZwOpenProcessTokenEx", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "PsThreadType", - "RtlSubAuthorityCountSid", - "ZwQueryInformationToken", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "strncmp", - "strstr", - "strchr", - "strncpy", - "_vsnprintf", - "rand", - "_stricmp", - "ExAllocatePool", - "IoBuildDeviceIoControlRequest", - "ZwCreateFile", - "MmProbeAndLockPages", - "IoAllocateMdl", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", 
+ "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2023-01-12 19:14:52", - "ValidTo": "2023-12-15 19:14:52", - "Signature": "5548d9042f4a8d4776b5fccbacda2e58d5161fb7932287aa5da1c9afaca15c230908ed96adeb0f6a86dc3972a85de00fb4d4db0a52394116887998fd673f57a0520fa1e39806b348e555cfe5a419c501a0fbfbdb79e88d37656735fa6cd56d5c465fe3871f5157e357d73956d4586bd50508522be7e24d2357d7ab53e3ae46d2d168e52d0d15761eaab962c36ee0791cabd33869f11f9512772261cda6249f16f85772116cc0585975600e5fe949e1a2bb85820ddf901b9e48ee805aacd1c826a1304916e2180de5d3ecc2fc0375d3a877ab8a058dda7e05aa91727523e579d17ce0dce414612d9b638b1ff5ad74d654c5b7e638a3cca372c5f51db638794ed6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": 
"5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000f5e8773b206b1ccd610000000000f5", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] - } - ], - 
"Tags": [ - "windbg.sys" - ] - }, - { - "Id": "0d0d204b-f6ce-4ce4-8d76-1724a1676c3f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create Proxy32.sys binPath=C:\\windows\\temp\\Proxy32.sys type=kernel && sc.exe start Proxy32.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Proxy32.sys", - "SHA256": "49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "Proxy32.sys" - ] - }, - { - "Id": "f8bddc8b-49b9-41f7-a877-d15ec3f174f9", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create daxin_blank4.sys binPath=C:\\windows\\temp\\daxin_blank4.sys type=kernel && sc.exe start daxin_blank4.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": 
"", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "daxin_blank4.sys", - "MD5": "491aec2249ad8e2020f9f9b559ab68a8", - "SHA1": "8692274681e8d10c26ddf2b993f31974b04f5bf0", - "SHA256": "8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e", - "Signature": "Unsigned", - "Date": "8:42 AM 4/20/2010", - "Publisher": "n/a", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "aswArPot.sys", + "MD5": "56a9e9b5334f8698a0ede27c64140982", + "SHA1": "762a5b4c7beb2af675617dca6dcd6afd36ce0afd", + "SHA256": "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917", "Authentihash": { - "MD5": "f66f4d6b97b9e7b0e467daed2ed69bed", - "SHA1": "c8f227b45d27c43db4b661ef610efbfacfda8a75", - "SHA256": "15b081ec83a89182b5bb0a642d56513f40810b5b0a42e904ab6d3fa8f34c0446" + "MD5": "a75fd1dc0e0b04ba483ab56147868c5f", + "SHA1": "aad76f7285cc00fffce801147036331610943062", + "SHA256": "1faa125c9442b20c646411f629dd48afe2d962554c45fc4a8e2d45c1fc611b6c" }, - "InternalName": "", - "Copyright": "", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.8.130.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.8.130.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "NTOSKRNL.EXE", - "HAL.DLL", - "ntoskrnl.exe", - "NDIS.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strlen", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "ZwClose", - "IofCompleteRequest", - "KeResetEvent", - "InterlockedIncrement", - "KeSetEvent", - "InterlockedDecrement", - "RtlUnicodeStringToInteger", - "RtlInitUnicodeString", - "KeInitializeEvent", - "wcsncmp", - "wcscat", - "wcslen", - "wcscpy", - "MmBuildMdlForNonPagedPool", - 
"IoAllocateMdl", - "strncmp", - "MmMapLockedPages", - "MmProbeAndLockPages", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", "MmUnlockPages", - "MmUnmapLockedPages", - "RtlFreeUnicodeString", - "ZwWriteFile", - "ZwCreateFile", + "ExAllocatePool", "RtlAnsiStringToUnicodeString", - "strcat", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", "ZwReadFile", - "ZwQueryInformationFile", - "_wcsnicmp", - "strcmp", - "_stricmp", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", "MmGetSystemRoutineAddress", - "ZwQueryValueKey", - "ZwOpenKey", - "IoCreateFile", - "KeWaitForMultipleObjects", - "strcpy", - 
"RtlUnwind", - "vsprintf", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", "KeWaitForSingleObject", - "KeDelayExecutionThread", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", "PsTerminateSystemThread", - "PsCreateSystemThread", - "ObReferenceObjectByHandle", - "ExFreePool", - "KeInitializeSpinLock", - "KeTickCount", - "memset", - "memcpy", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", "RtlCompareUnicodeString", - "ExAllocatePoolWithTag", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "PsGetVersion", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", "ZwTerminateProcess", - "ZwOpenProcess", - "RtlSetDaclSecurityDescriptor", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + 
"ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", "RtlAddAccessAllowedAce", - "RtlCreateAcl", "RtlLengthSid", - "RtlCreateSecurityDescriptor", - "ZwWaitForSingleObject", - "NtFsControlFile", - "NtWriteFile", - "NtReadFile", - "RtlLengthRequiredSid", - "RtlImageDirectoryEntryToData", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "PsLookupProcessByProcessId", - "KeAttachProcess", - "KeDetachProcess", - "PsLookupThreadByThreadId", - "KeInitializeApc", - "KeInsertQueueApc", - "ZwOpenFile", - "ZwDeviceIoControlFile", - "PsThreadType", - "NtQuerySystemInformation", - "NdisAllocateMemory", - "NdisAllocatePacket", - "NdisCopyFromPacketToPacket", - "NdisFreePacket", - "NdisAllocateBuffer", - "NdisDeregisterProtocol", - "NdisRegisterProtocol", - "NdisAllocateBufferPool", - "NdisAllocatePacketPool", - "NdisFreeBufferPool", - "NdisFreePacketPool", - "NdisFreeMemory" - ], - "Signatures": {} - } - ], - "Tags": [ - "daxin_blank4.sys" - ] - }, - { - "Id": "e86f7700-01c4-47be-a625-36b2dfe4bdc6", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rtkiow10x64.sys binPath=C:\\windows\\temp\\rtkiow10x64.sys type=kernel && sc.exe start rtkiow10x64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "rtkiow10x64.sys", - "MD5": 
"b5ada7fd226d20ec6634fc24768f9e22", - "SHA1": "947db58d6f36a8df9fa2a1057f3a7f653ccbc42e", - "SHA256": "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993", - "Signature": [ - "Realtek Semiconductor Corp.", - "DigiCert EV Code Signing CA", - "DigiCert" + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], - "Date": "", - "Publisher": "", - "Company": "Realtek ", - "Description": "Realtek IO Driver", - "Product": "Realtek IO Driver ", - "ProductVersion": "1.008.0823.2017", - "FileVersion": "1.008.0823.2017", - "MachineType": "AMD64", - "OriginalFilename": "rtkiow10x64.sys ", + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": 
"2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + }, + { + "FileName": "aswArPot.sys", + "MD5": "94999245e9580c6228b22ac44c66044c", + "SHA1": "4a04596acf79115f15add3921ce30a96f594d7ce", + "SHA256": "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c", "Authentihash": { - "MD5": "4d01000bdb93d60aa1ff5700b4b0a9a2", - "SHA1": "5e85fc1f7ef1c3c2745c842739c0ab596f87f9f9", - "SHA256": "bc65d8ade2e72475a585307311e3058b3dbc4a7d2be6740c2c53a5902e698e7f" + "MD5": "bd9f1ccc35bd6f7b1b10f29e34167f2d", + "SHA1": "e6822211c3f40414dd0d8ec6416db8b050859cd5", + "SHA256": "a801e12c32c0eb197b3cc507d096afc16a32dca6bc71d080e1ae2c17ad13b2ca" }, - "InternalName": "rtkiow10x64.sys ", - "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. 
", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.3.68.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.3.68.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KfRaiseIrql", - "MmUnmapIoSpace", - "MmMapIoSpaceEx", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + 
"KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", "MmGetSystemRoutineAddress", - "RtlCompareMemory", - "KeSetSystemAffinityThreadEx", - "KeQueryActiveProcessors", + "IoFreeWorkItem", + "_stricmp", "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", "ExFreePoolWithTag", - "ExCreateCallback", - "ExRegisterCallback", - "ExUnregisterCallback", - "MmBuildMdlForNonPagedPool", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", "MmMapLockedPagesSpecifyCache", - "KeLowerIrql", - "IoAllocateMdl", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", "IofCompleteRequest", - "IoCreateDevice", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoRegisterShutdownNotification", - "IoUnregisterShutdownNotification", - "IoWMIRegistrationControl", - "ObfDereferenceObject", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + 
"NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", "ZwQueryValueKey", - "__C_specific_handler", - "MmUnmapLockedPages", - "_vsnprintf", - "KeStallExecutionProcessor" + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -58239,10 +44821,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2016-06-13 00:00:00", - "ValidTo": "2019-01-24 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -58253,10 +44835,10 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA",
- "ValidFrom": "2012-04-18 12:00:00",
- "ValidTo": "2027-04-18 12:00:00",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
+ "ValidFrom": "2011-02-11 12:00:00",
+ "ValidTo": "2026-02-10 12:00:00",
+ "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -58269,311 +44851,690 @@ ], "Signer": [ { - "SerialNumber": "0320be3eb866526927f999b97b04346e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "rtkiow10x64.sys" - ] - }, - { - "Id": "91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create inpoutx64.sys binPath=C:\\windows\\temp\\inpoutx64.sys type=kernel && sc.exe start inpoutx64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "inpoutx64.sys", - "MD5": "4d487f77be4471900d6ccbc47242cc25", - "SHA1": "cc0e0440adc058615e31e8a52372abadf658e6b1", - "SHA256": "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d", - "Signature": [ - "RISINTECH INC.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Highresolution Enterprises [www.highrez.co.uk]", - "Description": "Kernel level port access driver", - "Product": "inpoutx64 Driver Version 1.2", - "ProductVersion": "1.2 x64", - "FileVersion": "1.2 x64 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "inpoutx64.sys", + "FileName": "aswArPot.sys", + "MD5": "93a23503e26773c27ed1da06bb79e7a4", + "SHA1": "da03799bb0025a476e3e15cc5f426e5412aeef02", + "SHA256": "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8", "Authentihash": { - "MD5": "c21e45ae33d6b1f864a276a13ba3aaeb", - 
"SHA1": "94b9b91a2acc786b54e8dbc11b759b05bc15fc3f", - "SHA256": "9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8" + "MD5": "c53ff2c139c291d9afe0a4831d0ca8b3", + "SHA1": "e6fb86d4de7362af1e3cd957bcc4e2e887aa5016", + "SHA256": "29a560a11292c4224a401392e091a8f08230fdfea35521035e2bfda0b3d1f952" }, - "InternalName": "inpoutx64.sys", - "Copyright": "Copyright (c) 2008 Highresolution Enterprises. Portions Copyright (c) Logix4u", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.8.4057.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "18.8.4057.0", + "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + 
"PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", "ZwClose", "IofCompleteRequest", - "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", - "ZwOpenSection", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", 
+ "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG 
Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.",
+ "ValidFrom": "2018-01-30 00:00:00",
+ "ValidTo": "2021-01-22 12:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=TW, ST=Taiwan, L=Taoyuan, O=RISINTECH INC., CN=RISINTECH INC.",
- "ValidFrom": "2014-08-18 00:00:00",
- "ValidTo": "2016-09-16 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder",
+ "ValidFrom": "2014-10-22 00:00:00",
+ "ValidTo": "2024-10-22 00:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
- "ValidFrom": "2011-02-22 19:25:17",
- "ValidTo": "2021-02-22 19:35:17",
- "Signature": 
"812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "08aa09e04443e946331fd1cfe085f12d", - 
"Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "inpoutx64.sys", - "MD5": "5ca1922ed5ee2b533b5f3dd9be20fd9a", - "SHA1": "5520ac25d81550a255dc16a0bb89d4b275f6f809", - "SHA256": "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af", - "Signature": [ - "RISINTECH INC.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Highresolution Enterprises [www.highrez.co.uk]", - "Description": "Kernel level port access driver", - "Product": "inpoutx64 Driver Version 1.2", - "ProductVersion": "1.2 x64", - "FileVersion": "1.2 x64 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "inpoutx64.sys", + "FileName": "aswArPot.sys", + "MD5": "25190f667f31318dd9a2e36383d5709f", + "SHA1": "6dac7a8fa9589caae0db9d6775361d26011c80b2", + "SHA256": "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf", "Authentihash": { - "MD5": "c21e45ae33d6b1f864a276a13ba3aaeb", - "SHA1": "94b9b91a2acc786b54e8dbc11b759b05bc15fc3f", - "SHA256": "9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8" + "MD5": "7d20fc4bf882c254e43049b35c40abe5", + "SHA1": "38ec7b2b736b7544fae9891c066a3f7231145ba2", + "SHA256": "9e51062d4249945e77c7d3fdecc9797ffc38017465c8068a5f1296bf85ae558c" }, - "InternalName": "inpoutx64.sys", - "Copyright": "Copyright (c) 2008 Highresolution Enterprises. 
Portions Copyright (c) Logix4u",
+ "Description": "Avast anti rootkit",
+ "Company": "AVAST Software",
+ "InternalName": "aswArPot.sys",
+ "OriginalFilename": "aswArPot.sys",
+ "FileVersion": "19.3.4224.0",
+ "Product": "Avast Antivirus ",
+ "ProductVersion": "19.3.4224.0",
+ "Copyright": "Copyright (c) 2019 AVAST Software",
+ "MachineType": "AMD64",
 "Imports": [
- "ntoskrnl.exe",
- "HAL.dll"
+ "ntoskrnl.exe"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
+ "wcschr",
+ "MmUnmapLockedPages",
+ "_stricmp",
+ "_wcsicmp",
+ "towlower",
+ "_strnicmp",
+ "ExAllocatePoolWithTag",
+ "PsGetProcessWin32Process",
+ "KeClearEvent",
+ "RtlVolumeDeviceToDosName",
+ "KeQueryActiveProcessors",
+ "RtlConvertSidToUnicodeString",
+ "IoBuildDeviceIoControlRequest",
+ "ExFreePoolWithTag",
+ "KeResetEvent",
+ "ExReleaseFastMutex",
+ "IoGetBaseFileSystemDeviceObject",
+ "strncmp",
+ "ZwOpenThreadTokenEx",
+ "RtlAnsiStringToUnicodeString",
+ "ExAcquireFastMutex",
+ "PsSetLoadImageNotifyRoutine",
+ "_snwprintf",
+ "NtBuildNumber",
+ "PsRemoveCreateThreadNotifyRoutine",
+ "PsLookupProcessByProcessId",
+ "ZwQuerySymbolicLinkObject",
+ "_wcsnicmp",
+ "ZwReadFile",
+ "strstr",
+ "ZwMapViewOfSection",
 "RtlInitUnicodeString",
 "IoDeleteDevice",
+ "KeSetEvent",
+ "wcsncpy",
+ "RtlEqualSid",
+ "strchr",
+ "IoFreeWorkItem",
+ "MmGetSystemRoutineAddress",
+ "KeInitializeEvent",
+ "PsSetCreateThreadNotifyRoutine",
+ "RtlUnicodeStringToAnsiString",
+ "_snprintf",
+ "RtlGetVersion",
+ "ZwQuerySystemInformation",
+ "RtlInitString",
+ "KeReleaseSpinLock",
+ "PsSetCreateProcessNotifyRoutine",
+ "ZwOpenSymbolicLinkObject",
+ "IoFreeMdl",
+ "KeUnstackDetachProcess",
+ "ZwOpenProcessTokenEx",
+ "ZwSetInformationFile",
+ "tolower",
+ "KeDelayExecutionThread",
+ "ObQueryNameString",
+ "strncpy",
+ "IoFileObjectType",
+ "IoDriverObjectType",
+ "wcsrchr",
+ "wcsstr",
+ "PsCreateSystemThread",
+ "MmMapLockedPagesSpecifyCache",
+ "IoGetDeviceObjectPointer",
 "ZwUnmapViewOfSection",
+ "ExAllocatePool",
+ 
"PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", "ZwClose", "IofCompleteRequest", - "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", - "ZwOpenSection", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + 
"RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "56220de8a9a65fffbff97ff463c4026ec9be68fe98bfa0b20a722df84322a44dbc98f25b87ee42da3a06a6cedef076de22e0d7e02d41201156875341cd24badedb8aa5afa133e9ed688fc45aeb37a74fbe399828143561fd717fa7bed97cb5d42643494462fef349f3300daff13660a9e50f85d1110de96d1300e0e730d2b6689fd53eb7a72f4f3112dffa2c1caf17cb64c22509d82b5ce1c2181c2faac22fce3981e683183d6da50d1c17dec375c370f5feb5abfbc6dca4cdd47a5b14375870de6dc346361d8997e79f19819f5168f9b01c9aacc210f2322248adc375a2782b64881c6a557677815c39b024555cc0adca920a617e0ecb385eb47213b1553c80", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taoyuan, O=RISINTECH INC., CN=RISINTECH INC.", - "ValidFrom": "2014-08-18 00:00:00", - "ValidTo": "2016-09-16 23:59:59", - "Signature": 
"6a61ffd5f53a7447d463fc322233c8e9acc481ddd0b6572729c3e6968ecd5a27f5eddc35572c842f2cba648295c49480e90fe888b910491b25a35a70f477a011ec32434e21a3b4b7c6a430d0ef5d701fc1c6e3e7e40ba18eb6c4daeb54fc93fb074c79f09fc363e70ea74e0f6be6473af423c1d1e38ae26367fbc9fa4d3cefcc8edb1b83fa230e2a41c90236315486abbdd2b9ca62d59e3669444d4ad6ce3fd68a430d7a70544720c880d31e59a12fd66352cd15fa30808db554c407423c92ea6a20e7bb75a01b3f4691df49da583f679126c60b4bb154296ff09fefe146b907c4f7fe4ecca86944ad3acf06638fcc029c443ab009878fb6129776e0694e78bd", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
- "ValidFrom": "2011-02-22 19:25:17",
- "ValidTo": "2021-02-22 19:35:17",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1",
+ "ValidFrom": "2011-02-11 12:00:00",
+ "ValidTo": "2026-02-10 12:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
- "ValidFrom": "2010-02-08 00:00:00",
- "ValidTo": "2020-02-07 23:59:59",
- "Signature": "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",
+ "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1",
+ "ValidFrom": "2006-11-10 00:00:00",
+ "ValidTo": "2021-11-10 00:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "08aa09e04443e946331fd1cfe085f12d",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
+ "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130",
+ "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1"
 }
 ]
 }
 ]
 },
 {
- "Filename": "inpoutx64.sys",
- "MD5": "9321a61a25c7961d9f36852ecaa86f55",
- "SHA1": "6afc6b04cf73dd461e4a4956365f25c1f1162387",
- "SHA256": "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b",
- "Signature": [
- "Red Fox UK Limited",
- "VeriSign Class 3 Code Signing 2004 CA",
- "VeriSign Class 3 Public Primary CA"
- ],
- "Date": "",
- "Publisher": "",
- "Company": "Highresolution Enterprises [www.highrez.co.uk]",
- "Description": "Kernel level 
port access driver",
- "Product": "inpoutx64 Driver Version 1.2",
- "ProductVersion": "1.2 x64",
- "FileVersion": "1.2 x64 built by: WinDDK",
- "MachineType": "AMD64",
- "OriginalFilename": "inpoutx64.sys",
+ "FileName": "aswArPot.sys",
+ "MD5": "e7273e17ac85dc4272c4c4400091a19e",
+ "SHA1": "94b014123412fbe8709b58ec72594f8053037ae9",
+ "SHA256": "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4",
 "Authentihash": {
- "MD5": "ad4eff45cdb0b12af3990945afff9a8f",
- "SHA1": "8e1f51761f21148f68ac925cc5f9e9c78f3d5ec4",
- "SHA256": "d61ce5874adb89b4e992df8df879b568d9c4136df568718a768cd807d789a726"
+ "MD5": "8c2b0e47a2de7bd04758041782b1b2a7",
+ "SHA1": "a7f1025ab664dd61800687724fce31fd3b765d1f",
+ "SHA256": "60ae64ade82e9364e95f779bbf950571484aa833ece6837489329517012c7757"
 },
- "InternalName": "inpoutx64.sys",
- "Copyright": "Copyright (c) 2008 Highresolution Enterprises. Portions Copyright (c) Logix4u",
+ "Description": "AVG anti rootkit",
+ "Company": "AVG Technologies CZ, s.r.o.",
+ "InternalName": "aswArPot.sys",
+ "OriginalFilename": "aswArPot.sys",
+ "FileVersion": "18.1.3800.0",
+ "Product": "AVG Internet Security System ",
+ "ProductVersion": "18.1.3800.0",
+ "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.",
+ "MachineType": "AMD64",
 "Imports": [
- "ntoskrnl.exe",
- "HAL.dll"
+ "ntoskrnl.exe"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
- "RtlInitUnicodeString",
- "ZwClose",
+ "wcschr",
+ "MmUnmapLockedPages",
+ "_stricmp",
+ "_wcsicmp",
+ "towlower",
+ "_strnicmp",
+ "ExAllocatePoolWithTag",
+ "PsGetProcessWin32Process",
+ "KeClearEvent",
+ "RtlVolumeDeviceToDosName",
+ "KeQueryActiveProcessors",
+ "RtlConvertSidToUnicodeString",
+ "ExFreePoolWithTag",
+ "KeResetEvent",
+ "ExReleaseFastMutex",
+ "IoGetBaseFileSystemDeviceObject",
+ "strncmp",
+ "ZwOpenThreadTokenEx",
+ "RtlAnsiStringToUnicodeString",
+ "ExAcquireFastMutex",
+ "PsSetLoadImageNotifyRoutine",
+ "_snwprintf",
+ "NtBuildNumber",
+ 
"PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", "ZwMapViewOfSection", - "ObReferenceObjectByHandle", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + 
"KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "ZwOpenSection", - "IofCompleteRequest", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=London, L=London, O=Red Fox UK Limited, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Development, CN=Red Fox UK Limited", - "ValidFrom": "2008-10-09 00:00:00", - "ValidTo": "2009-10-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
+ "ValidFrom": "2006-11-08 00:00:00",
+ "ValidTo": "2021-11-07 23:59:59",
+ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -58582,253 +45543,217 @@
 "ValidTo": "2016-05-23 17:11:29",
 "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- }
- ],
- "Signer": [
- {
- "SerialNumber": "620cbcba5648e27b80aef5226ee67fce",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA"
- }
- ]
- }
- ]
- }
- ],
- "Tags": [
- "inpoutx64.sys"
- ]
- },
- {
- "Id": "7a5fe570-3b35-4fad-b7d6-7518bd5436a0",
- "Author": "Michael Haag",
- "Created": "2023-03-02",
- "MitreID": "T1068",
- "Category": "malicious",
- "Verified": "TRUE",
- "Commands": {
- "Command": "sc.exe create NodeDriver.sys binPath=C:\\windows\\temp\\NodeDriver.sys type=kernel && sc.exe start NodeDriver.sys",
- "Description": "Driver categorized as POORTRY by Mandiant.",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware",
- ""
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "NodeDriver.sys",
- "MD5": "ee6b1a79cb6641aa44c762ee90786fe0",
- "SHA1": "3ef30c95e40a854cc4ded94fc503d0c3dc3e620e",
- "SHA256": "05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4",
- "Signature": [
- "Microsoft Windows Hardware Compatibility Publisher",
- "Microsoft Windows Third Party Component CA 2014",
- "Microsoft Root Certificate Authority 2010"
- ],
- "Date": "",
- "Publisher": "",
- "Company": "",
- "Description": "",
- "Product": "",
- "ProductVersion": "",
- "FileVersion": "",
- "MachineType": "AMD64",
- "OriginalFilename": "",
- "Authentihash": {
- "MD5": "cb01e86f3c5a26629d53856c5e4990ec",
- "SHA1": "fbbb429de5458a274b4a4ab44ed6785139f4a7e4",
- "SHA256": "43374fd68dc06c8491b16d177156444ee44f497bbceafd0165f40ba48bf6802f"
- },
- "InternalName": "",
- 
"Copyright": "", - "Imports": [ - "NETIO.SYS", - "ntoskrnl.exe", - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "WskCaptureProviderNPI", - "ExAllocatePoolWithTag", - "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", - "DbgPrint", - "KeQueryPerformanceCounter" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ + }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", + "ValidFrom": "2015-07-28 00:00:00", + "ValidTo": "2018-09-25 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "NodeDriver.sys" - ] - }, - { - "Id": "75a933b4-82d8-4eb8-8ed5-a0a2178630a3", - "Author": "Michael Haag", - 
"Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create fiddrv.sys binPath=C:\\windows\\temp\\fiddrv.sys type=kernel && sc.exe start fiddrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "fiddrv.sys", - "SHA1": "8cc8974a05e81678e3d28acfe434e7804abd019c", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" }, { - "Filename": "fiddrv.sys", - "SHA1": "282bb241bda5c4c1b8eb9bf56d018896649ca0e1", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "fiddrv.sys" - ] - }, - { - "Id": "eb07ef7e-0402-48eb-8e06-8fb76eda5b84", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create LHA.sys binPath=C:\\windows\\temp\\LHA.sys type=kernel && sc.exe start LHA.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - 
"FileName": "LHA.sys", - "MD5": "1d768959aaa194d60e4524ce47708377", - "SHA1": "3fd55927d5997d33f5449e9a355eb5c0452e0de3", - "SHA256": "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade", + "FileName": "aswArPot.sys", + "MD5": "812e960977116bf6d6c1ccf8b5dd351f", + "SHA1": "3eea0f5fb180c6f865fc83ac75ef3ad5b1376775", + "SHA256": "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c", "Authentihash": { - "MD5": "e8daeb4eae6a46b46de0e42fcfeece79", - "SHA1": "87c155d933ca3513e29d235562d96b88d3913cde", - "SHA256": "dcd5404c83f74f0b7a8d0735174af78782aaa99d2b5b5b24f44c48b295a2ba31" + "MD5": "69e30d791a1b6a41c1ddd2d7394e5a86", + "SHA1": "a3c5c7127cd7376ddd3571edccfe8d9ecdc8b623", + "SHA256": "59e004cd839611cbc5f7c061827587dbb120d7aab8d0e44191c0c01aeed9e168" }, - "Description": "LHA", - "Company": "LG Electronics Inc.", - "InternalName": "LHA.sys", - "OriginalFilename": "LHA.sys", - "FileVersion": "6.1.7600.16385 built by: WinDDK", - "Product": "Microsoft® Windows® Operating System", - "ProductVersion": "6.1.7600.16385", - "Copyright": "ultrabios@hotmail.com", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.3.4239.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.3.4239.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + 
"RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", "KeReleaseSpinLock", - "MmUnmapIoSpace", - "MmFreeNonCachedMemory", - "MmGetPhysicalAddress", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "MmAllocateNonCachedMemory", - "IoCreateDevice", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + 
"ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", "KeAcquireSpinLockRaiseToDpc", - "DbgPrint", - "IoWMIQueryAllData", - "MmGetSystemRoutineAddress", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { 
@@ -58836,194 +45761,233 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "64a3846966f4f2a1ffd87657c43ac13664775a70d059fd4447ee6588de3e0bf2b1a228291c0a01222cab6b4bbbcaabb94662396476d5525c952e7fd0048588028be1ba1c55c1ac200b523e7234ded93661acf83becee39c27823e22ec23d4ff8266eea3241ed9fbfd6bba155c7c39ed31db5e810dd7ea0858b0a2e9b824f23b9002f04e35375d54e5237f575e221914fd6a11590fdac7bc2ee5d66eb08e3c560414f6144111bef12350d70d9bdc513fb8d2407de5f1c7cca824feb4fb2a51057c2609f8d6419078879d64840ed870385d645f08f022a306ba5309883eacf4967dbbeb36961c73f2ed047d6cf85d2c3ee86c9913e8374be078155a4ffa36d9fa8", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=KR, ST=????????? ?????????, L=????????? 
?????????, O=LG Electronics Inc., CN=LG Electronics Inc.", - "ValidFrom": "2014-07-30 00:00:00", - "ValidTo": "2017-09-27 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + 
"ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4bad88265909f29eb7827157954a75a5", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "LHA.sys" - ] - }, - { - "Id": "9f8f2324-d867-4211-842a-122b93946445", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create mhyprot.sys binPath=C:\\windows\\temp\\mhyprot.sys type=kernel && sc.exe start mhyprot.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "mhyprot.sys", - "MD5": "8b779fe1d71839ad361226f66f1b3fe5", - "SHA1": "175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a", - "SHA256": "0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467", - "Authentihash": { - "MD5": "a74fbda962fe6aa9701b1af91f74675a", - "SHA1": "f1f4cfa7c5b4a882ff4c107e72977edcd7128855", - "SHA256": "7bfa54943180e34aea390a8f63a2cb007cf53c336dff697c60a79103f3c0c19d" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "FileName": "aswArPot.sys", + "MD5": "595363661db3e50acc4de05b0215cc6f", + "SHA1": "ec8c0b2f49756b8784b3523e70cd8821b05b95eb", + "SHA256": "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1", + "Authentihash": { + 
"MD5": "7890348aaadad057268d7273afd85c2f", + "SHA1": "276a8ba9fddb74586e3f50d49a784c0180619a86", + "SHA256": "68043583bc2f3fc1ca11458e8b921dce2573afdc04bd20ba85eeb806d884eb6f" + }, + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.5.3926.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.5.3926.0", + "Copyright": "Copyright (c) 2018 AVAST Software", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "NtQuerySystemInformation", - "RtlInitUnicodeString", - "ExAllocatePool", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", "ExFreePoolWithTag", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "_wcsicmp", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", "RtlInitString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + 
"KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", "MmIsAddressValid", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", + "ObfDereferenceObject", + "ZwCreateSection", "ObReferenceObjectByName", - "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", - "MmGetSystemRoutineAddress", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", - "ZwQueryVirtualMemory", - "MmProbeAndLockPages", - "PsLookupProcessByProcessId", - "MmMapLockedPagesSpecifyCache", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", "IoAllocateMdl", - "IoGetCurrentProcess", - "MmCopyVirtualMemory", - "KeClearEvent", - 
"KeSetEvent", - "KeWaitForSingleObject", - "MmMapLockedPages", - "ObReferenceObjectByHandle", - "PsSetCreateProcessNotifyRoutineEx", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "ExEventObjectType", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", "IoThreadToProcess", - "strcmp", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", "PsProcessType", - "PsThreadType", - "RtlGetVersion", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", "ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - "_snprintf", - "vsprintf_s", - "ZwCreateFile", "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", - "DbgPrint", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "KeInitializeEvent", - "RtlCopyUnicodeString", - "ObfDereferenceObject", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "MmBuildMdlForNonPagedPool", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + 
"IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { @@ -59031,17 +45995,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-08 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -59052,10 +46016,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", "ValidFrom": "2011-02-11 12:00:00", "ValidTo": "2026-02-10 12:00:00", - "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -59068,132 +46032,194 @@ ], "Signer": [ { - "SerialNumber": "05a7559541e0fdc678d79e3272468907", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "FileName": "mhyprot.sys", - "MD5": "67e3b720cee8184c714585a85f8058a0", - "SHA1": "254dce914e13b90003b0ae72d8705d92fe7c8dd0", - "SHA256": "69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2", + "FileName": "aswArPot.sys", + "MD5": "6212832f13b296ddbc85b24e22edb5ec", + "SHA1": "492a47426b04f00c0d5b711ad8c872aad3aa3a1d", + "SHA256": "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8", "Authentihash": { - "MD5": "19c86f21ca10d68738fac94bb43e7861", - "SHA1": "c771ea59f075170e952c393cfd6fc784b265027c", - "SHA256": "39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df" + "MD5": "4031a1ee3682bcfb0b50423708cffc54", + "SHA1": "6f4648a7e5aba2e64d62f00d72da0d5735ebea8a", + "SHA256": "e5183eda50e2c42d2ed10c015be87dff774da180928c076e99888b0d6a931df5" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "17.9.3754.0", + "Product": "Avast Antivirus ", + "ProductVersion": "17.9.3754.0", + "Copyright": "Copyright (c) 2014 AVAST Software", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + 
"KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", "PsLookupProcessByProcessId", - "NtQuerySystemInformation", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "_wcsicmp", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", "RtlInitString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + 
"IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", "MmIsAddressValid", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", + "ObfDereferenceObject", + "ZwCreateSection", "ObReferenceObjectByName", - "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", - "MmGetSystemRoutineAddress", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", - "ZwQueryObject", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", - "ExReleaseFastMutex", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", "IoAllocateMdl", - "MmCopyVirtualMemory", - "KeClearEvent", - "KeSetEvent", - "KeWaitForSingleObject", - "MmMapLockedPages", - "ObReferenceObjectByHandle", - "PsSetCreateProcessNotifyRoutineEx", - "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "ExEventObjectType", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", - "PsGetProcessId", - "IoThreadToProcess", - "strcmp", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "IoCreateDevice", "PsProcessType", - "PsThreadType", - "RtlGetVersion", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", "ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - 
"PsAcquireProcessExitSynchronization", - "PsReleaseProcessExitSynchronization", - "_snprintf", - "vsprintf_s", - "ZwCreateFile", "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "KeInitializeEvent", - "RtlCopyUnicodeString", - "ExAcquireFastMutex", - "ExFreePoolWithTag", - "ExAllocatePool", - "MmProbeAndLockPages", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { 
@@ -59201,170 +46227,240 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-08 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", - "ValidFrom": "2019-05-02 00:00:00", - "ValidTo": "2038-01-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High 
Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", - "ValidFrom": "2020-10-23 00:00:00", - "ValidTo": "2032-01-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "05a7559541e0fdc678d79e3272468907", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "FileName": "mhyprot2.sys", - "MD5": "8f47af49c330c9fcf3451ad2252b9e04", - "SHA1": "be797c91768ac854bd3b82a093e55db83da0cb11", - "SHA256": "ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058", + "FileName": "aswArPot.sys", + "MD5": "cc8855fe30a9cdef895177a4cf1a3dad", + "SHA1": "07c244739803f60a75d60347c17edc02d5d10b5d", + "SHA256": "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca", "Authentihash": { - "MD5": "5908564f34ef8fd94e9420c8f1af19bc", - "SHA1": "bd2c5fdae29b39de9f862455fb2fb07fbf99ece2", - "SHA256": "df3fd9fa267e12d7c6b65028373e21978041f0c94375b5c7316498fbad6f4ae0" + "MD5": "3e14e8314e37d819e12a94610e0c7efc", + "SHA1": "c9e2da8df3086536c3fb8973c1848a39b9074bd1", + "SHA256": "a465cfa7a0bd76dfe8f261661d348e25d1a6a3975673336f90878618f2e6c21b" }, - "Description": "", - "Company": "", - 
"InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Avast Anti Rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.8.137.0", + "Product": "Avast Antivirus ", + "ProductVersion": "20.8.137.0", + "Copyright": "Copyright (c) 2020 AVAST Software", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "NtQuerySystemInformation", - "RtlInitUnicodeString", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", "ExAllocatePool", - "ExFreePoolWithTag", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "_wcsicmp", - "RtlInitString", "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ZwClose", - "MmIsAddressValid", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ObReferenceObjectByName", + "KeAcquireSpinLockRaiseToDpc", "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", - "MmGetSystemRoutineAddress", - "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", - "ZwQueryObject", - "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", "MmProbeAndLockPages", - "PsLookupProcessByProcessId", - "MmMapLockedPagesSpecifyCache", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + 
"ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", "IoAllocateMdl", - "MmCopyVirtualMemory", - "KeClearEvent", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", "KeSetEvent", - "KeWaitForSingleObject", - "MmMapLockedPages", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", "ObReferenceObjectByHandle", - "PsSetCreateProcessNotifyRoutineEx", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", "ExEventObjectType", - "ObRegisterCallbacks", - 
"ObUnRegisterCallbacks", - "ObGetFilterVersion", - "PsGetProcessId", + "ZwQueryInformationFile", + "KeWaitForSingleObject", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", "IoThreadToProcess", - "strcmp", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", "PsProcessType", - "PsThreadType", - "RtlEqualUnicodeString", - "RtlGetVersion", - "ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - "PsAcquireProcessExitSynchronization", - "PsReleaseProcessExitSynchronization", - "_snprintf", - "vsprintf_s", - "ZwCreateFile", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "KeInitializeEvent", - "RtlCopyUnicodeString", - "ObfDereferenceObject", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "MmBuildMdlForNonPagedPool", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + 
"RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { 
@@ -59372,169 +46468,240 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-08 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "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", + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", - "ValidFrom": "2019-05-02 00:00:00", - "ValidTo": "2038-01-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", - "ValidFrom": "2020-10-23 00:00:00", - "ValidTo": "2032-01-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "05a7559541e0fdc678d79e3272468907", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "FileName": "mhyprot2.sys", - "MD5": "89c7bd12495e29413038224cb61db02e", - "SHA1": "16c6bcef489f190a48e9d3b1f35972db89516479", - "SHA256": "b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418", + "FileName": "aswArPot.sys", + "MD5": "f83c61adbb154d46dd8f77923aa7e9c3", + "SHA1": "804013a12f2f6ba2e55c4542cbdc50ca01761905", + "SHA256": 
"19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0", "Authentihash": { - "MD5": "d5a852a9cb4c81cba921aaf523bcabf4", - "SHA1": "a3fd0d15889398830a61eed9dfac17dfbde792ef", - "SHA256": "8ced17d1ee92ae72749afdfe40f5029223d97f0f977e718bd5ab1242d1ff7cb5" + "MD5": "42a26c6ef3e814bccfb68b994460aa0d", + "SHA1": "a8258d25d074281391109908b94130f39f7dbfbf", + "SHA256": "968258fe6b307a7887465c7fb0a0b7b45f973b91deb8638af1428d247430d777" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.7.113.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.7.113.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "NtQuerySystemInformation", - "RtlInitUnicodeString", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", "ExAllocatePool", - "ExFreePoolWithTag", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "_wcsicmp", - "RtlInitString", "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", - "IoGetDeviceObjectPointer", - "ZwClose", - "MmIsAddressValid", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ObReferenceObjectByName", + "KeAcquireSpinLockRaiseToDpc", "ZwQuerySystemInformation", - "__C_specific_handler", - "MmHighestUserAddress", - "IoDriverObjectType", - "KeQueryTimeIncrement", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + 
"PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsGetProcessWow64Process", - "PsGetProcessPeb", - "MmUnlockPages", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", "MmUnmapLockedPages", - "IoFreeMdl", - "ZwTerminateProcess", - "PsGetProcessImageFileName", - "ZwQueryObject", - "ObOpenObjectByPointer", - "PsReferenceProcessFilePointer", - "IoQueryFileDosDeviceName", - "PsLookupProcessByProcessId", - 
"MmBuildMdlForNonPagedPool", "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "MmCopyVirtualMemory", - "KeClearEvent", - "KeSetEvent", - "KeWaitForSingleObject", - "MmMapLockedPages", - "ObReferenceObjectByHandle", - "PsSetCreateProcessNotifyRoutineEx", "PsSetCreateThreadNotifyRoutine", - "PsRemoveCreateThreadNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", "ExEventObjectType", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ObGetFilterVersion", - "PsGetProcessId", + "ZwQueryInformationFile", + "KeWaitForSingleObject", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", "IoThreadToProcess", - "strcmp", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", "PsProcessType", - "PsThreadType", - "RtlGetVersion", - "ObfReferenceObject", - "ObGetObjectType", - "ExEnumHandleTable", - "ExfUnblockPushLock", - "PsAcquireProcessExitSynchronization", - "PsReleaseProcessExitSynchronization", - "_snprintf", - "vsprintf_s", - "ZwCreateFile", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", "ZwWriteFile", - "PsLookupThreadByThreadId", - "NtQueryInformationThread", - "PsGetThreadProcess", - "KeDelayExecutionThread", - "KdDisableDebugger", - "KdChangeOption", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KdDebuggerEnabled", - "PsGetVersion", - "KeInitializeEvent", - "RtlCopyUnicodeString", - 
"ObfDereferenceObject", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "MmProbeAndLockPages", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { 
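Review bot: The aswArPot.sys sample in this hunk is keyed `"FileName"` while the records at the start of the file use `"Filename"`; the spelling is carried over from the replaced mhyprot2.sys record rather than introduced here, and the same key appears on the second aswArPot.sys record in the next hunk. A consumer that matches keys case-sensitively will see an empty filename for these samples, and anything built from that field (a name-indexed lookup, a match rule) will silently skip them; some decoders match JSON keys case-insensitively, but the dataset should not depend on that. The generator should emit one spelling, `"Filename"`, and the update step should fail on records where that key is absent.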
@@ -59542,349 +46709,249 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", - "ValidFrom": "2019-04-08 00:00:00", - "ValidTo": "2022-04-08 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": 
"b02cbaf178caf97fa7c0182c25b4c97d4e68127e4d5634609757bcbc051eb94254bb50e112e72505e7f9c6dbd92622287bacbcd726fa911b3b3e36ccc88f8794e980c0b0409efc87fb04d88a15df20dedb23ced152779b799359e4d3b553eb4c6c6ea61216899a0d9cc97de7f7e21ce374d5430e2dcfbb3b6f653db2d236f59bb22bd65e0787a65610c4fde1463a5be08e4710fb4e1ae7c00080edb315995b06297431ce4a9821d1050aa7061ef26c182482d09ba42001ab103c882c01f312411130490aa7820ff72902e723a864b881066e2d7883afdb5ba9d3027550f6a3761669e42b425ad61f76e2add3dd012558bd769b76f8f37843243dfbd0a2efa363", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", "ValidFrom": "2011-02-11 12:00:00", "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } 
- ], - "Signer": [ - { - "SerialNumber": "05a7559541e0fdc678d79e3272468907", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" - } - ] - } - ] - } - ], - "Tags": [ - "mhyprot.sys" - ] - }, - { - "Id": "a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BS_HWMIO64_W10.sys binPath=C:\\windows\\temp\\BS_HWMIO64_W10.sys type=kernel && sc.exe start BS_HWMIO64_W10.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "BS_HWMIO64_W10.sys", - "MD5": "d2588631d8aae2a3e54410eaf54f0679", - "SHA1": "cb3de54667548a5c9abf5d8fa47db4097fcee9f1", - "SHA256": "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "BIOSTAR Group", - "Description": "I/O Interface driver file", - "Product": "BIOSTAR I/O driver", - "ProductVersion": "10, 0, 1806, 2200", - "FileVersion": "10, 0, 1806, 2200", - "MachineType": "AMD64", - "OriginalFilename": "BS_HWMIO64_W10.sys", - "Authentihash": { - "MD5": "88704eaf268ad2d72eb099de209873c6", - "SHA1": "2d8499e9b45d7ae198cab59c7435bc83cd4162a0", - "SHA256": "c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa" - }, - "InternalName": "I/O driver", - "Copyright": "Copyright (c) 2018-2019 BIOSTAR Group", - "Imports": [ - "ntoskrnl.exe", - 
"HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeInitializeSemaphore", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeSetEvent", - "MmUnmapIoSpace", - "KeDelayExecutionThread", - "PsCreateSystemThread", - "IoStartNextPacket", - "PsTerminateSystemThread", - "ExEventObjectType", - "MmMapIoSpace", - "IoDeleteDevice", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "ObfDereferenceObject", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "IoStartPacket", - "IofCompleteRequest", - "KeRemoveEntryDeviceQueue", - "KeBugCheckEx", - "RtlInitUnicodeString", - "ZwClose", - "IoDeleteSymbolicLink", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2017-10-05 17:44:16", - "ValidTo": "2018-10-05 17:44:16", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": 
"46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000001f9800c911029569be00000000001f", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "BS_HWMIO64_W10.sys" - ] - }, - { - "Id": "a1d35b93-e97f-4ddd-a465-2405e804e754", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create windows-xp-64.sys binPath=C:\\windows\\temp\\windows-xp-64.sys type=kernel type=kernel && sc.exe start windows-xp-64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "windows-xp-64.sys", - "SHA256": 
"dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "windows-xp-64.sys" - ] - }, - { - "Id": "edd29861-6984-4dbe-8e7c-22e9b6cf68d0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create krpocesshacker.sys binPath=C:\\windows\\temp\\krpocesshacker.sys type=kernel && sc.exe start krpocesshacker.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/312791-bypaph-process-hackers-bypass-read-write-process-virtual-memory-kernel-mem.html#post2315763", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "krpocesshacker.sys", - "MD5": "bbbc9a6cc488cfb0f6c6934b193891eb", - "SHA1": "d8498707f295082f6a95fd9d32c9782951f5a082", - "SHA256": "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c", - "Signature": [ - "Wen Jia Liu", - "DigiCert High Assurance Code Signing CA-1", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "wj32", - "Description": "KProcessHacker", - "Product": "KProcessHacker", - "ProductVersion": "2.8", - "FileVersion": "2.8", - "MachineType": "AMD64", - "OriginalFilename": "kprocesshacker.sys", + "FileName": "aswArPot.sys", + "MD5": "a3af4a4fa6cba27284f8289436c2f074", + "SHA1": "ed3f11383a47710fa840e13a7a9286227fa1474c", + "SHA256": 
"1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0", "Authentihash": { - "MD5": "a9ccdbae433c4377abce8f514e4fe43e", - "SHA1": "61b55bb7c111f93bd3ea9ac71591e1a6b89feee1", - "SHA256": "c7b1bb39dcd7f0331989f16fcc7cd29a9ae126bee47746a4be385160da3c5a29" + "MD5": "7f6e8583009bec91a51d479a2eb8b0e4", + "SHA1": "85a0622ec6c77df0ce26c11380044039d908869d", + "SHA256": "d92b2f58c8fca3d3634b0c20578edd5004df571b29790690c97255e6096442c6" }, - "InternalName": "", - "Copyright": "Licensed under the GNU GPL, v3.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.3.4239.0", + "Product": "Avast Antivirus ", + "ProductVersion": "19.3.4239.0", + "Copyright": "Copyright (c) 2019 AVAST Software", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", "IoDeleteDevice", - "ProbeForWrite", - "ZwQuerySystemInformation", - "ZwQueryValueKey", - "ZwClose", - "IofCompleteRequest", - "PsGetCurrentProcessId", - "IoCreateDevice", - "SePrivilegeCheck", - "ZwOpenKey", - "ProbeForRead", - "RtlGetVersion", - "RtlCompareMemory", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + 
"IoFreeWorkItem", "MmGetSystemRoutineAddress", - "PsProcessType", - "ObOpenObjectByName", - "ZwQueryObject", - "RtlEqualUnicodeString", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", "KeUnstackDetachProcess", - "ExEnumHandleTable", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", "ObQueryNameString", + "strncpy", "IoFileObjectType", "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", "ObReferenceObjectByHandle", - "ObCloseHandle", - "PsInitialSystemProcess", - "ObSetHandleAttributes", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", "ObfDereferenceObject", - "ExAllocatePoolWithQuotaTag", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", "ZwQueryInformationThread", "ObOpenObjectByPointer", "KeStackAttachProcess", - "ExAcquireRundownProtection", - "PsLookupProcessByProcessId", - "PsJobType", - "PsReferencePrimaryToken", - "SeTokenObjectType", - "ExReleaseRundownProtection", - "ZwSetInformationProcess", - 
"PsGetProcessJob", - "PsLookupProcessThreadByCid", - "ZwTerminateProcess", - "PsDereferencePrimaryToken", - "IoThreadToProcess", - "RtlWalkFrameChain", - "KeInitializeApc", - "KeSetEvent", - "KeInsertQueueApc", - "KeInitializeEvent", - "PsSetContextThread", - "PsGetThreadWin32Thread", - "ZwSetInformationThread", - "KeWaitForSingleObject", - "PsThreadType", - "PsAssignImpersonationToken", - "PsGetContextThread", "PsLookupThreadByThreadId", - "MmUnmapLockedPages", - "ExRaiseStatus", - "MmHighestUserAddress", - "MmMapLockedPagesSpecifyCache", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmIsAddressValid", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + 
"ExCreateCallback", "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", "ValidFrom": "2011-04-15 19:45:33", @@ -59899,13 +46966,6 @@ "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu", - "ValidFrom": "2013-10-30 00:00:00", - "ValidTo": "2015-11-04 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", "ValidFrom": "2011-02-11 12:00:00", 
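Review bot: `"CertificatesInfo": []` replaces `"CertificatesInfo": ""` on the third aswArPot.sys record, so this key now has two different types across the dataset (the other Signatures entries in this chunk keep the empty string). A consumer that declares the field with one static type will fail to decode the whole file on the first mismatch, not just this record; the package path suggests a typed consumer, though that cannot be confirmed from the diff. Either normalise the value to a single type in the generator or accept a free-form value for this field on the consuming side, and add a shape check to the update step so a mixed-type key is caught before the file is committed.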
@@ -59923,201 +46983,219 @@ ], "Signer": [ { - "SerialNumber": "03e9017d54cd93f094d0a2ab7fc0e3f5", + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "krpocesshacker.sys" - ] - }, - { - "Id": "be4843ef-a2a8-4a0d-91c6-42e165800bb0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create TestBone.sys binPath=C:\\windows\\temp\\TestBone.sys type=kernel && sc.exe start TestBone.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "TestBone.sys", - "SHA256": "0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "TestBone.sys" - ] - }, - { - "Id": "ce2d41fd-908f-414c-b6b5-338298f425b8", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create DirectIo.sys binPath=C:\\windows\\temp\\DirectIo.sys type=kernel && sc.exe start DirectIo.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - 
}, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "DirectIo.sys", - "MD5": "a785b3bc4309d2eb111911c1b55e793f", - "SHA1": "19f3343bfad0ef3595f41d60272d21746c92ffca", - "SHA256": "4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9", - "Signature": [ - "PassMark Software Pty Ltd", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", + "FileName": "aswArPot.sys", + "MD5": "88d5fc86f0dd3a8b42463f8d5503a570", + "SHA1": "d0452363b41385f6a6778f970f3744dde4701d8f", + "SHA256": "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2", "Authentihash": { - "MD5": "c6fbe703bcefd3a5a191dce9cd2bf71d", - "SHA1": "7d24a5e3a9bb0eba2a4cf19f516384c7a0c95eb7", - "SHA256": "129fa1795cffca9973f59df59f880a9f2bdb3aa9873363f8e2f598ccc6e32542" + "MD5": "beaca8c2a09b87bf9c63febf94f1de1c", + "SHA1": "3a74bc87abd401e34b291f5118358fef7173af46", + "SHA256": "2cd8e9eb8e4754f07fdfc8c3aae4d7fc0d25b346884c3474db35c757d2994b34" }, - "InternalName": "", - "Copyright": "", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.3.3860.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "18.3.3860.0", + "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - 
"HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", - "ZwWriteFile", - "PsGetProcessId", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", "NtBuildNumber", - "RtlFillMemoryUlong", - "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "ObfDereferenceObject", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", "KeInitializeEvent", - "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + 
"strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", "IoGetDeviceObjectPointer", - "IoCreateDevice", - "KeQueryActiveProcessors", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", "KeSetSystemAffinityThread", - "KeTickCount", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - 
"ExAllocatePoolWithTag", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", "ZwQueryValueKey", - "ExFreePoolWithTag", - "RtlIntegerToUnicodeString", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
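Review bot: The added sample object for aswArPot.sys (the `"FileName": "aswArPot.sys"` line) spells the key `FileName`, while the DirectIo.sys sample it replaces in this hunk used `Filename`; if any sample elsewhere in the file still uses the older spelling, a consumer doing exact key matching reads an empty filename for one of the two shapes, and a Go `encoding/json` consumer (which this package path suggests, though that is not visible here) would hide the drift by matching keys case-insensitively. The same spelling appears in the next hunk (`@@ -60126`), so normalising the key across every `KnownVulnerableSamples` entry in one pass is preferable to fixing it per object. Two of the new string values also carry trailing whitespace, `"Product": "AVG Internet Security System "` here and `"Product": "Avast Antivirus "` in the next hunk, which defeats any exact-match lookup on that field and should be trimmed where the file is generated. `CertificatesInfo` changes type from `""` to `[]` in every hunk of this file, so whatever struct or schema the package unmarshals into must declare it as an array (or the loader must accept both) before this data is shipped.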
@@ -60126,218 +47204,456 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", + "ValidFrom": "2015-07-28 00:00:00", + "ValidTo": "2018-09-25 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "DirectIo.sys" - ] - }, - { - "Id": "b51c441a-12c7-407d-9517-559cc0030cf6", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create capcom.sys binPath=C:\\windows\\temp\\capcom.sys type=kernel && sc.exe start capcom.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - 
"Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "capcom.sys", - "MD5": "73c98438ac64a68e88b7b0afd11ba140", - "SHA1": "c1d5cf8c43e7679b782630e93f5e6420ca1749a7", - "SHA256": "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24", - "Signature": [ - "CAPCOM Co.,Ltd.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + }, + { + "FileName": "aswArPot.sys", + "MD5": "e4d4a22cbf94e6b0a92fc36d46741f56", + "SHA1": "1013d5a0fd6074a8c40dbf3a88e3e06fbf3bcf41", + "SHA256": "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c", "Authentihash": { - "MD5": "37458813b5115cbf06552da28fefbbbb", - "SHA1": "1d1cafc73c97c6bcd2331f8777d90fdca57125a3", - "SHA256": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4" + "MD5": "19758f499cc41d3fecb06ee83152e7d6", + "SHA1": "bfbb65d893f45a289417b6d45a060759ad4478d5", + "SHA256": "62b89fab85cf77b1e6730d2b55b4f9458f368f89d3ca5672d450e3c3365d8c37" }, - "InternalName": "", - "Copyright": "", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.1.4132.0", + "Product": "Avast Antivirus ", + "ProductVersion": "19.1.4132.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + 
"ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", - "IofCompleteRequest", + "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + 
"ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", - "IoDeleteDevice" + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=JP, ST=Osaka, L=Chuo,ku, O=CAPCOM Co.,Ltd., OU=R&D Asset Management Section, CN=CAPCOM Co.,Ltd.", - "ValidFrom": "2016-05-02 00:00:00", - "ValidTo": "2017-05-02 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + 
"Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7e59408d3c99c511a853fb2f73c03dc4", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "capcom.sys" - ] - }, - { - "Id": "66be9e0a-9246-4404-b5b5-7fbde351668f", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create BS_I2cIo.sys binPath=C:\\windows\\temp\\BS_I2cIo.sys type=kernel && sc.exe start BS_I2cIo.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "BS_I2cIo.sys", - "MD5": "3c4154866f3d483fdc9f4f64ef868888", - "SHA1": "f7ce71891738a976cd8d4b516c8d7a8e2f6b0ad6", - "SHA256": "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb", + "FileName": "aswArPot.sys", + "MD5": "a22626febc924eb219a953f1ee2b9600", + "SHA1": "f61e56359c663a769073782a0a3ffd3679c2694a", + "SHA256": "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1", "Authentihash": { - "MD5": "2e6a361506f00fc7de30642776c8d3be", - 
"SHA1": "862fef3d6a6d7488ef4d6f7799ac296cd96256b7", - "SHA256": "21af8e034ca42ab24a5d1623f70de9c66eeea63d72aeb0f1846b1e04dbdf4f51" + "MD5": "dbff97e1c14c4c58e54ab1c0a5bfb5dc", + "SHA1": "8b374284e8269100798b4471a0dae9a70a2f906c", + "SHA256": "5512aea158c30e4f52c1e27136c1c803c98388d1d8c7269e497728fd0b57d9f5" }, - "Description": "I/O Interface driver file", - "Company": "BIOSTAR Group", - "InternalName": "I/O driver", - "OriginalFilename": "BS_I2cIo.sys", - "FileVersion": "1, 1, 0, 0", - "Product": "BIOSTAR I/O driver fle", - "ProductVersion": "1, 1, 0, 0", - "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.10.171.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.10.171.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeEvent", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "IoDetachDevice", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", "ObfDereferenceObject", - "KeWaitForSingleObject", - "ExInterlockedInsertTailList", - "RtlTimeToTimeFields", - "PsTerminateSystemThread", - "ZwWriteFile", - 
"ExInterlockedRemoveHeadList", - "KeSetPriorityThread", - "ZwCreateFile", - "RtlInitUnicodeString", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "IoAttachDeviceToDeviceStackSafe", + "PsGetProcessId", "PsCreateSystemThread", - "IoCreateSymbolicLink", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", "IoCreateDevice", - "IoDeleteSymbolicLink", - "IoStartNextPacket", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeRemoveEntryDeviceQueue", - "IoStartPacket", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", "IofCompleteRequest", - "ObReferenceObjectByHandle", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", 
+ "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", "ZwClose", - "IoDeleteDevice", - "KeSetEvent", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoThreadToProcess", + "PsInitialSystemProcess", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { 
@@ -60345,444 +47661,494 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 
17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2006-09-25 00:00:00", - "ValidTo": "2007-10-20 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "49a570277854e9481d38e34c081226ee", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "BS_I2cIo.sys" - ] - }, - { - "Id": "9889da50-3908-4499-a729-187295a60a0e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create asrdrv104.sys binPath=C:\\windows\\temp\\asrdrv104.sys type=kernel && sc.exe start asrdrv104.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "asrdrv104.sys", - "SHA1": "6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2", - 
"Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "asrdrv104.sys", - "SHA1": "e039c9dd21494dbd073b4823fc3a17fbb951ec6c", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "asrdrv104.sys", - "SHA1": "7eec3a1edf3b021883a4b5da450db63f7c0afeeb", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "asrdrv104.sys", - "SHA1": "e5021a98e55d514e2376aa573d143631e5ee1c13", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" }, { - "Filename": "asrdrv104.sys", - "MD5": "de1cc5c266140bff9d964fab87a29421", - "SHA1": "729a8675665c61824f22f06c7b954be4d14b52c4", - "SHA256": "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "I386", - "OriginalFilename": "AsrDrv.sys", + "FileName": "aswArPot.sys", + "MD5": "66e0db8a5b0425459d0430547ecbb3db", + "SHA1": "7cee31d3aaee8771c872626feedeeb5d09db008c", + "SHA256": "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf", "Authentihash": { - "MD5": "6b214126743cbf8efdfae0a4fb7d78eb", - "SHA1": "efc91a1317eb086196fa1a2f94fbf96258b5ec2e", - "SHA256": "5b08d996938a0ab9a3b7a65e3049482dff819028102d41f7c5924af467b0a3e4" + 
"MD5": "b8a542fc08dd527ce67d711ff876a3db", + "SHA1": "47edc88c38f2abfbc06a5d7d1b54d14ac93acc22", + "SHA256": "f6cb70c945e7b3723de1d334aa2fb97bb8ddb9f68e409deeb9988f446546a57c" }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.5.96.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.5.96.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "cng.sys" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "memset", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemorySpecifyCache", - "IoFreeIrp", - "IoFreeMdl", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + 
"KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", "IofCallDriver", - "IoBuildAsynchronousFsdRequest", - "RtlQueryRegistryValues", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", - "KeTickCount", - "KeBugCheckEx", - "RtlCompareMemory", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", "MmMapIoSpace", "MmUnmapIoSpace", - "memcpy", - "MmGetSystemRoutineAddress", - 
"ZwClose", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", - "IoCreateDevice", "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", "RtlAddAccessAllowedAce", "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", "RtlFreeUnicodeString", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCompleteRequest", - "KeStallExecutionProcessor", - "BCryptGenerateSymmetricKey", - "BCryptCloseAlgorithmProvider", - "BCryptOpenAlgorithmProvider", - "BCryptDestroyKey", - "BCryptDecrypt" + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 
Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2014-03-07 00:00:00", - "ValidTo": "2017-05-05 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "Filename": "asrdrv104.sys", - "SHA1": "2b4d0dead4c1a7cc95543748b3565cfa802e5256", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "asrdrv104.sys", - "SHA1": 
"4a7d66874a0472a47087fabaa033a85d47413379", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "asrdrv104.sys" - ] - }, - { - "Id": "f1dcb0e4-aa53-4e62-ab09-fb7b4a356916", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create netfilterdrv.sys binPath=C:\\windows\\temp \\n \\n \\n etfilterdrv.sys type=kernel type=kernel && sc.exe start netfilterdrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "netfilterdrv.sys", - "SHA1": "e74b6dda8bc53bc687fc21218bd34062a78d8467", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "netfilterdrv.sys", - "SHA1": "2c27abbbbcf10dfb75ad79557e30ace5ed314df8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "netfilterdrv.sys" - ] - }, - { - "Id": "1b98a160-2e7a-4969-8c8a-4e44949191bf", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rtkio.sys binPath=C:\\windows\\temp\\rtkio.sys type=kernel && sc.exe start rtkio.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "rtkio.sys", - "MD5": "daf800da15b33bf1a84ee7afc59f0656", - "SHA1": "166759fd511613414d3213942fe2575b926a6226", - "SHA256": "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82", - "Signature": [ - "Realtek Semiconductor Corp.", - "DigiCert EV Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "Windows (R) Codename Longhorn DDK provider", - "Description": "Realtek IODriver", - "Product": "Windows (R) Codename Longhorn DDK driver", - "ProductVersion": "6.0.6000.16386", - "FileVersion": "6.0.6000.16386 built by: WinDDK", - "MachineType": "I386", - "OriginalFilename": "rtkio.sys", + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + }, + { + "FileName": "aswArPot.sys", + "MD5": "cb31f1b637056a3d374e22865c41e6d9", + "SHA1": "24b47ba7179755e3b12a59d55ae6b2c3d2bd1505", + "SHA256": "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289", "Authentihash": { - "MD5": "d543d754cbb1d404d62b6c574a1aa3cd", - "SHA1": "daca8d39b72bbe8a5b6d5fa35bbb4ecef198a359", - "SHA256": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b" + "MD5": "0f3a942c946055cb40ee138ceb5f57d9", + "SHA1": "2989078f9ab5fc078bf801fcdc49674e3fc1d187", + "SHA256": "5af59d6ca109b5cae3350b48b85274ce181e45be4c7f7156bdf58ca3ca7f4188" }, - "InternalName": 
"rtkio.sys", - "Copyright": "© Microsoft Corporation. All rights reserved.", + "Description": "Avast Anti Rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.3.68.0", + "Product": "Avast Antivirus ", + "ProductVersion": "20.3.68.0", + "Copyright": "Copyright (c) 2020 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + 
"IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", "KeQueryActiveProcessors", - "ExAllocatePool", - "DbgPrint", - "MmMapLockedPagesSpecifyCache", + "RtlEqualSid", + "IoQueueWorkItem", "MmUnmapLockedPages", - "IoAllocateMdl", - "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", "IoCreateDevice", - "KeTickCount", - "IoFreeMdl", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", "MmUnmapIoSpace", - "ExFreePoolWithTag", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "MmBuildMdlForNonPagedPool", - "IofCompleteRequest", - "RtlUnwind", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + 
"IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeBugCheckEx", - "WRITE_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "READ_PORT_UCHAR", - "KeStallExecutionProcessor", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT" + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", "ValidFrom": "2011-04-15 19:45:33", 
@@ -60790,13 +48156,6 @@ "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", - "ValidFrom": "2016-06-13 00:00:00", - "ValidTo": "2019-01-24 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", "ValidFrom": "2014-10-22 00:00:00", @@ -60805,10 +48164,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -60821,241 +48180,437 @@ ], "Signer": [ { - "SerialNumber": "0320be3eb866526927f999b97b04346e", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "rtkio.sys" - ] - }, - { - "Id": "69b924ab-2e4a-4eae-8091-4151c238136e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create b1.sys binPath=C:\\windows\\temp\\b1.sys type=kernel && sc.exe start b1.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "b1.sys", - "SHA256": "a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "b1.sys" - ] - }, - { - "Id": "0c0198a3-5c63-4a9b-abe9-88a810602329", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create 2.sys binPath=C:\\windows\\temp\\2.sys type=kernel && sc.exe start 2.sys", - "Description": "Driver categorized as POORTRY by Mandiant.", - "Usecase": "Elevate 
privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "2.sys", - "MD5": "bd25be845c151370ff177509d95d5add", - "SHA1": "10115219e3595b93204c70eec6db3e68a93f3144", - "SHA256": "88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "aswArPot.sys", + "MD5": "d0a5b98788e480c12afc65ad3e6d4478", + "SHA1": "6c445ceb38d5b1212ce2e7498888dd9562a57875", + "SHA256": "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b", "Authentihash": { - "MD5": "887c566bdc8ed5231f45a37845d5ee89", - "SHA1": "e6ab2bbad89502d8985381b33d7351eb97cb2b78", - "SHA256": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb" + "MD5": "8bbe86720ded843c4a0023310a403879", + "SHA1": "2035334476f2c5f82a5e71c04bbf82aa51b2f41b", + "SHA256": "4e89a5a25969953961db2a2a1a5c73c8af48f7af169ac3fd098171556bf0854d" }, - "InternalName": "", - "Copyright": "", + "Description": "Avast Anti Rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.7.113.0", + "Product": "Avast Antivirus ", + "ProductVersion": "20.7.113.0", + "Copyright": "Copyright (c) 2020 AVAST Software", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", + "__C_specific_handler", + 
"KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", "IoDeleteDevice", - "IoCreateFile", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", "RtlInitString", - "RtlFreeUnicodeString", - "ZwQueryDirectoryFile", - "ZwClose", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + 
"_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", "IofCompleteRequest", - "IoIsWdmVersionAvailable", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", "IoCreateDevice", - "DbgPrint", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeBugCheckEx", - "__chkstk" + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + 
"ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "2.sys" - ] - }, - { - "Id": "8d97bb7f-e009-4dc7-ab9d-fde293e679dc", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create AsUpIO.sys binPath=C:\\windows\\temp\\AsUpIO.sys type=kernel && sc.exe start AsUpIO.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "AsUpIO.sys", - "MD5": "9ba7c30177d2897bb3f7b3dc2f95ae0a", - "SHA1": "7115929de6fc6b9f09142a878d1a1bf358af5f24", - "SHA256": 
"8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2", + "FileName": "aswArPot.sys", + "MD5": "84c4d8ae023ca9bb60694fa467141247", + "SHA1": "79f1a6f5486523e6d8dcfef696bc949fc767613d", + "SHA256": "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba", "Authentihash": { - "MD5": "a0bb761aa5957303141a7186d0ae717b", - "SHA1": "44638264cb1804ae17757f1336c19613de2f6e20", - "SHA256": "d12acedc9a2702a18499b77dc8ae9e6b2d1eb557eb08c8a14b2ab3a984edec01" + "MD5": "739b545edae1f711d7c566f740cdc018", + "SHA1": "a3eb3e15e851a8744781889ca4e728bb9c67070f", + "SHA256": "cd3b38875c8b727f18cec382698624679d6413f02cf33d82a7c93b9595860b6d" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.7.4016.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.7.4016.0", + "Copyright": "Copyright (c) 2018 AVAST Software", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlCopyUnicodeString", - "DbgPrint", - "KeDelayExecutionThread", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", "ExFreePoolWithTag", - "MmAllocateContiguousMemory", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + 
"PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", "MmGetSystemRoutineAddress", - "ObReferenceObjectByHandle", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "RtlCompareUnicodeString", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", "ZwQueryInformationFile", - "ZwReadFile", - "__C_specific_handler", - "IoIs32bitProcess", - 
"RtlInitUnicodeString", - "HalTranslateBusAddress" + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { 
@@ -61063,18 +48618,18 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2031-11-10 00:00:00", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", 
@@ -61084,11 +48639,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", 
@@ -61100,65 +48655,203 @@ ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "FileName": "AsUpIO.sys", - "MD5": "f8dce1eb0f9fcaf07f68fe290aa629e4", - "SHA1": "d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9", - "SHA256": "bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0", + "FileName": "aswArPot.sys", + "MD5": "14add4f16d80595e6e816abf038141e5", + "SHA1": "218e4bbdd5ce810c48b938307d01501c442b75f4", + "SHA256": "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c", "Authentihash": { - "MD5": "62c8f650e44fbd061ce3bc90a011758c", - "SHA1": "d5f525a3f525aa2dc3459781c249896468e576ed", - "SHA256": "a7c6f397f1fb230627bb537e1cf59283be04d17d050a384661e00aba6877b145" + "MD5": "d81a508b30f8107d9b43c7eef68821b9", + "SHA1": "c1c619cdc11eecf093afe9d9a96a3236d1dab348", + "SHA256": "0bc755f3e24023d931c637b4c734ae3a4d50567c87fd025114e0520413721751" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.6.107.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.6.107.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", + "__C_specific_handler", "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", 
+ "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", "ExFreePoolWithTag", - "MmGetSystemRoutineAddress", - "MmAllocateContiguousMemory", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + 
"PsGetCurrentThreadId", "IofCompleteRequest", - "IoCreateDevice", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlCopyUnicodeString", - "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", + "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", "RtlCompareUnicodeString", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwReadFile", - "__C_specific_handler", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeBugCheckEx", - 
"IoIs32bitProcess", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { @@ -61173,11 +48866,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "b02cbaf178caf97fa7c0182c25b4c97d4e68127e4d5634609757bcbc051eb94254bb50e112e72505e7f9c6dbd92622287bacbcd726fa911b3b3e36ccc88f8794e980c0b0409efc87fb04d88a15df20dedb23ced152779b799359e4d3b553eb4c6c6ea61216899a0d9cc97de7f7e21ce374d5430e2dcfbb3b6f653db2d236f59bb22bd65e0787a65610c4fde1463a5be08e4710fb4e1ae7c00080edb315995b06297431ce4a9821d1050aa7061ef26c182482d09ba42001ab103c882c01f312411130490aa7820ff72902e723a864b881066e2d7883afdb5ba9d3027550f6a3761669e42b425ad61f76e2add3dd012558bd769b76f8f37843243dfbd0a2efa363", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", 
@@ -61187,11 +48880,11 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", 
@@ -61203,136 +48896,202 @@ ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "AsUpIO.sys" - ] - }, - { - "Id": "f4126206-564f-49f5-a942-2138a3131e0e", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create NICM.sys binPath=C:\\windows\\temp\\NICM.SYS type=kernel && sc.exe start NICM.SYS", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "NICM.SYS", - "MD5": "52b7cd123f6d1b9ed76b08f2ee7d9433", - "SHA1": "4d6e532830058fadd861ff9eac16de8cfc6974ce", - "SHA256": "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0", + "FileName": "aswArPot.sys", + "MD5": "53bb10742e10991af4ad280fcb134151", + "SHA1": "d6b1b3311263bfb170f2091d22f373c2215051b7", + "SHA256": "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3", "Authentihash": { - "MD5": "cd820a2aee5e475a92f3860b20a3fc1a", - "SHA1": "db97af81d295f3f7f7777d3805635ab8cc40ab44", - "SHA256": "98636f857235fb66122296db147cd29440de681a29bbd631fc94373da31f99fa" + "MD5": "04a76d94db489fdaf72161aa467b2acb", + "SHA1": "57d45edbab6745991e54c3e50f768eb5714a76cd", + "SHA256": "9d736f624a306d6e2399778dd92ab7f4f7ab33c6ca0528657bc026214f990a4f" }, - "Description": "Novell Client Portability Layer", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "NICM.SYS", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": 
"3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.5.4220.0", + "Product": "Avast Antivirus ", + "ProductVersion": "19.5.4220.0", + "Copyright": "Copyright (c) 2019 AVAST Software", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", - "ZwCreateKey", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", "ExFreePoolWithTag", + "KeResetEvent", "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwEnumerateValueKey", - "ZwClose", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "ZwDeleteKey", - "ZwEnumerateKey", - "ZwOpenKey", - "DbgPrintEx", - "RtlUpcaseUnicodeString", - "RtlAnsiStringToUnicodeString", + "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", "RtlUnicodeStringToAnsiString", - "RtlUnicodeStringToOemString", - "RtlFreeUnicodeString", - "RtlOemStringToUnicodeString", - "RtlFreeAnsiString", - "DbgPrint", - 
"KeReleaseSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", "RtlInitString", - "RtlEqualUnicodeString", - "RtlCompareString", - "RtlCopyString", - "KeReleaseMutex", - "RtlEqualString", - "RtlUnicodeStringToInteger", - "ExAcquireResourceExclusiveLite", - "KeResetEvent", - "KeInitializeMutex", - "KeLeaveCriticalRegion", - "KeSetEvent", - "ExIsResourceAcquiredSharedLite", - "ExIsResourceAcquiredExclusiveLite", - "KeEnterCriticalRegion", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "ExDeleteResourceLite", - "ExInitializeResourceLite", - "KeWaitForMultipleObjects", - "KeSetPriorityThread", - "IoDeleteDevice", - "IoCreateDevice", + "KeReleaseSpinLock", + "PsGetThreadId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", "PsTerminateSystemThread", - "RtlCompareMemory", - "IoUninitializeWorkItem", - "IoFreeWorkItem", - "KeInitializeDpc", - "KeInitializeTimer", - "KeDelayExecutionThread", + "IoGetCurrentProcess", + "ExEventObjectType", "IoAllocateWorkItem", - "KeSetTimer", - "IoInitializeWorkItem", + "ZwClose", + "IofCompleteRequest", + "PsGetThreadProcess", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + 
"PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", "IoQueueWorkItem", - "KeCancelTimer", - "KeBugCheckEx", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsGetProcessId", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", "RtlCompareUnicodeString", - "KeInitializeEvent", - "NicmCreateInstance" + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { 
@@ -61340,136 +49099,239 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", - "ValidFrom": "2021-09-02 18:32:59", - "ValidTo": "2022-09-01 18:32:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", - "ValidFrom": "2011-07-08 20:59:09", - "ValidTo": "2026-07-08 21:09:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": 
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000002528b33aaf895f339db000000000252", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "FileName": "NICM.SYS", - "MD5": "f690bfc0799e51a626ba3931960c3173", - "SHA1": "d3a6f86245212e1ef9e0e906818027ec14a239cb", - "SHA256": "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a", + "FileName": "aswArPot.sys", + "MD5": "045ef7a39288ba1f4b8d6eca43def44f", + "SHA1": "a0bf00e4ef2b1a79ccf2361c6b303688641ed94c", + "SHA256": "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf", "Authentihash": { - "MD5": "2e72873429bed4886fe76aeba274283e", - "SHA1": "ab636e8ba41f37d2bcd5291ddf30024be7f3ce2f", - "SHA256": "7419b05e74733d2b7ce4c860ab74043b816a7f66a1ff7eec81fe3b35730e3bbb" + "MD5": "ef1a7d935ae5e49c42d632f550e6f5e0", + "SHA1": "a62c27dedfb91de6404e2358fdd14b67fdb43767", + "SHA256": "596c497e7e405ceb79ba0ba45f993125d88d50fc18867048d0c7a356ebd0c0ed" }, - "Description": "Novell Client Portability Layer", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "NICM.SYS", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2008, Novell, 
Inc. All Rights Reserved.", - "MachineType": "I386", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.6.4235.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.6.4235.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "RtlCopyUnicodeString", - "RtlInitUnicodeString", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", - "ZwDeleteKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwOpenKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "DbgBreakPoint", - "memset", - "_aulldvrm", - "DbgPrintEx", - "RtlUpcaseUnicodeString", - "RtlFreeUnicodeString", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", "RtlAnsiStringToUnicodeString", - "RtlOemStringToUnicodeString", - "RtlFreeAnsiString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", "RtlUnicodeStringToAnsiString", - "RtlUnicodeStringToOemString", - "DbgPrint", - "RtlAppendUnicodeToString", - 
"RtlCompareString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsGetThreadId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "PsGetThreadProcess", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsGetProcessId", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", "RtlCompareUnicodeString", - 
"RtlCopyString", - "RtlEqualString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", "RtlEqualUnicodeString", - "RtlInitString", - "RtlIntegerToUnicodeString", - "RtlUnicodeStringToInteger", - "KeLeaveCriticalRegion", - "KeGetCurrentThread", - "ExAcquireResourceSharedLite", - "RtlAppendUnicodeStringToString", - "ExAcquireResourceExclusiveLite", - "KeInitializeMutex", - "ExInitializeResourceLite", - "KeSetEvent", - "ExDeleteResourceLite", - "ExIsResourceAcquiredSharedLite", - "ExIsResourceAcquiredExclusiveLite", - "ExReleaseResourceLite", - "KeResetEvent", - "KeWaitForMultipleObjects", - "_allmul", - "KeSetPriorityThread", - "KeQuerySystemTime", - "IoDeleteDevice", - "IoCreateDevice", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "RtlCompareMemory", - "memcpy", - "memmove", - "IoInitializeWorkItem", - "IoAllocateWorkItem", - "KeCancelTimer", - "IoFreeWorkItem", - "IoUninitializeWorkItem", - "KeSetTimer", - "KeDelayExecutionThread", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", "KeInitializeDpc", - "KeInitializeTimer", - "IoQueueWorkItem", - "KeTickCount", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "ZwCreateKey", - "ZwClose", - "ExFreePoolWithTag", - "KeWaitForSingleObject", - "KeReleaseMutex", - "KeEnterCriticalRegion", - "KeInitializeEvent", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "NicmCreateInstance" + "ZwQueryValueKey", + 
"ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { 
@@ -61477,414 +49339,721 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 
00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "FileName": "NICM.SYS", - "MD5": "3bf217f8ef018ca5ea20947bfdfc0a4d", - "SHA1": "26a8ab6ea80ab64d5736b9b72a39d90121156e76", - "SHA256": "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190", + "FileName": "aswArPot.sys", + "MD5": "11dc5523bb559f8d2ce637f6a2b70dea", + "SHA1": "0edf51a0fac3b90f6961c2b20bbaeb4ccfc1ea84", + "SHA256": 
"6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d", "Authentihash": { - "MD5": "1b164cdc9dadc9944f2d3c0063cfcaa9", - "SHA1": "a13e2a1ea1c6427bc2006b1512047cc9779e480e", - "SHA256": "ea80b4a2314e44061f33a7403e0740437aa34326082e97816bb6e7693866478b" + "MD5": "0b253942e96233f5999ffea9ac6cc07a", + "SHA1": "12079ccb38494c101d23667282452f87845868eb", + "SHA256": "03a54ad77fc453c9889e170a811d232a305d46fb7f59582d3f1cb234598507a1" }, - "Description": "Novell Client Portability Layer", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "NICM.SYS", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.5.4220.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.5.4220.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "nicm.sys" - ], - "ExportedFunctions": [ - "DllGetClassObject", - "XTCOM_Table" + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ZwEnumerateKey", - "ZwOpenKey", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", "ExAllocatePoolWithTag", - "ZwCreateKey", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", "ExFreePoolWithTag", + "KeResetEvent", "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + 
"ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", - "ZwSetValueKey", - "ZwQueryValueKey", - "ZwEnumerateValueKey", - "ZwClose", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "ZwDeleteKey", - "DbgBreakPoint", - "DbgPrintEx", - "DbgPrint", - "RtlUpcaseUnicodeString", - "RtlAnsiStringToUnicodeString", + "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", "RtlUnicodeStringToAnsiString", - "RtlUnicodeStringToOemString", - "RtlFreeUnicodeString", - "RtlOemStringToUnicodeString", - "RtlFreeAnsiString", - "KeReleaseSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", "RtlInitString", - "RtlEqualUnicodeString", - "RtlCompareString", - "KeReleaseMutex", - "RtlCompareUnicodeString", - "RtlEqualString", - "RtlUnicodeStringToInteger", - "ExDeleteResourceLite", - "ExInitializeResourceLite", - "KeWaitForMultipleObjects", - "ExAcquireResourceExclusiveLite", - "KeResetEvent", - "KeInitializeMutex", - "KeLeaveCriticalRegion", - "KeSetEvent", - "ExIsResourceAcquiredSharedLite", - "ExIsResourceAcquiredExclusiveLite", - "KeEnterCriticalRegion", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "KeSetPriorityThread", - "IoDeleteDevice", - "IoCreateDevice", + "KeReleaseSpinLock", + "PsGetThreadId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", 
"PsTerminateSystemThread", - "RtlCompareMemory", - "IoUninitializeWorkItem", - "IoFreeWorkItem", - "KeInitializeDpc", - "KeInitializeTimer", - "KeDelayExecutionThread", + "IoGetCurrentProcess", + "ExEventObjectType", "IoAllocateWorkItem", - "KeSetTimer", - "IoInitializeWorkItem", + "ZwClose", + "IofCompleteRequest", + "PsGetThreadProcess", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", "IoQueueWorkItem", - "KeCancelTimer", - "KeBugCheckEx", - "RtlCopyString", - "KeInitializeEvent", - "NicmCreateInstance" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": 
"2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } - ], - "Tags": [ - "NICM.SYS" - ] - }, - { - "Id": "ad693146-4adf-4407-bb20-f2505e34c226", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": 
"T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create TGSafe.sys binPath=C:\\windows\\temp\\TGSafe.sys type=kernel && sc.exe start TGSafe.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "TGSafe.sys", - "SHA256": "3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "TGSafe.sys" - ] - }, - { - "Id": "a7bba474-815f-49be-bddc-4d76a64c866c", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create NTIOLib.sys binPath=C:\\windows\\temp\\NTIOLib.sys type=kernel && sc.exe start NTIOLib.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "NTIOLib.sys", - "MD5": "6126065af2fc2639473d12ee3c0c198e", - "SHA1": "d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4", - "SHA256": "09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1", - 
"Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsGetProcessId", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.2", - "FileVersion": "1.0.0.2", - "MachineType": "AMD64", - "OriginalFilename": 
"NTIOLib_X64.sys", + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" + } + ] + } + ] + }, + { + "FileName": "aswArPot.sys", + "MD5": "9f3b5de6fe46429bed794813c6ae8421", + "SHA1": "5236728c7562b047a9371403137a6e169e2026a6", + "SHA256": "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed", "Authentihash": { - "MD5": "fb5bbdd2bc73cd1f1f4bf727e6ddb137", - "SHA1": "918768712f37fe0f3092b2ea452906d06f189bb3", - "SHA256": "5b08a501124d13262c86889617071743521aeefc2d77f678d541aa8dbad52992" + "MD5": "e4d36098f543d3e4d5bbe1bd50cc42cd", + "SHA1": "e51d18476af7dd376eaaedf2a3533b6fbdab95c0", + "SHA256": "c13745de817eb38a092524cd3dae805c8fbde967e635e485243782db955508cc" }, - "InternalName": "NTIOLib_X64.sys", - "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", + "Description": "Avast Anti Rootkit", + "Company": "AVAST 
Software", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.4.83.0", + "Product": "Avast Antivirus ", + "ProductVersion": "20.4.83.0", + "Copyright": "Copyright (c) 2020 AVAST Software", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "_wcsicmp", + "KeGetCurrentThread", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "PsRemoveCreateThreadNotifyRoutine", "IoDeleteDevice", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "KeQuerySystemTime", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + 
"KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "ZwUnmapViewOfSection", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "IoBuildDeviceIoControlRequest", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "RtlUnwind", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "memcpy", + "memset", + "ZwSetValueKey", + 
"ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "PsRemoveLoadImageNotifyRoutine", + "ZwQuerySystemInformation", + "RtlAnsiStringToUnicodeString", + "ExAllocatePool", + "MmUnlockPages", + "MmIsAddressValid", + "IoAllocateWorkItem", + "PsGetCurrentThreadId", + "KeDelayExecutionThread", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "KfLowerIrql", + "ExAcquireFastMutex", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "c6f8983dd3d75640c072a8459b8fa55a", - "SHA1": "5e6ddd2b39a3de0016385cbd7aa50e49451e376d", - "SHA256": "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "f0aeb731d83f7ab6008c92c97faf6233", + "SHA1": "aaffdc89befa42e375f822366bbded8c245baf94", + "SHA256": "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea", "Authentihash": { - "MD5": "b3f5d7d5ea5ddb56cae089ab780d2058", - "SHA1": "b648e51b784f071adbf9f53048e3765efb96ab8a", - "SHA256": "745273e1620bc657d2210ae1b5abb49f4f5928829f95c8ef01ce151bdbb4c32f" + "MD5": 
"444a4760f447dafc01a359829e17dcab", + "SHA1": "83f7c19b66f53302e371d9f0987fc4adc37b1e46", + "SHA256": "c8b5fddf52551259d7d936283aa4fdc4579c5e4b030a11267496cdbdc143e15b" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "17.9.3761.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "17.9.3761.0", + "Copyright": "Copyright (C) 2014 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + 
"ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - 
"IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -61894,13 +50063,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -61909,1233 +50071,3084 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CZ, ST=Jihomoravsky kraj, L=Brno, O=AVG Technologies CZ, s.r.o., CN=AVG Technologies CZ, s.r.o.", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2018-01-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": 
"2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "266d333ede17a8b472053e4fa3934572", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "f7cbbb5eb263ec9a35a1042f52e82ca4", - "SHA1": "976777d39d73034df6b113dfce1aa6e1d00ffcfd", - "SHA256": "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "700d6a0331befd4ed9cfbb3234b335e7", + "SHA1": "c1a5aacf05c00080e04d692a99c46ab445bf8b6e", + "SHA256": "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882", "Authentihash": { - "MD5": "63cc49f8ae8897706dec2444951c0414", - "SHA1": "ae69d3501e7fe1e2109998beed9da13f74e032c2", - "SHA256": "7334c46a55acf8bb18435ab60ed9b89f2c1ab31587ef052730358efc32fddb62" + "MD5": "200e978d48ef267fa8fe5eef7fe798b8", + "SHA1": "f7979e778214d8d32844e6b65b8f4a56c3a12354", + "SHA256": "6c919efdad21b7d9884903b9d539fbb50dc418ff2c2753c12b35b9ace4c96d73" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.8.4057.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.8.4057.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + 
"ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + 
"RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "7ed6030f14e66e743241f2c1fa783e69", - "SHA1": "9c6749fc6c1127f8788bff70e0ce9062959637c9", - "SHA256": "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.3", - "FileVersion": "1.0.0.3", - "MachineType": "AMD64", - 
"OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "9eb524c5f92e5b80374b8261292fdeb5", + "SHA1": "80ea425e193bd0e05161e8e1dc34fb0eae5f9017", + "SHA256": "8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9", "Authentihash": { - "MD5": "07744c410b3e3a459576524f1b522a88", - "SHA1": "bfa958230e3816f9879e16ec391e94b607f292e6", - "SHA256": "7af3585ca7c2dd65032fa48759a0124db2c5bbca5fc8caf8bb8f61fa5085149d" + "MD5": "996cd1b1cf33931bfaf2217e22fc82f0", + "SHA1": "ba761efd5a552ccdd4363277acf95cd54b9dff4c", + "SHA256": "3b38427f167fde644868a62f0aa1ed03790137905c97024ac21729fa6153eca2" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.7.4246.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.7.4246.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + 
"RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsGetThreadId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "PsGetThreadProcess", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsGetProcessId", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + 
"PsInitialSystemProcess", "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, 
CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": 
"5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - 
"ValidTo": "2017-09-03 09:16:15", - "Signature": "8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "3651a6990fe38711ebb285143f867a43", - "SHA1": "53acd4d9e7ba0b1056cf52af0d191f226eddf312", - "SHA256": "1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib_X64", - "Product": "NTIOLib_X64", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib_X64.sys", + "FileName": "aswArPot.sys", + "MD5": "9496585198d726000ea505abc39dbfe9", + "SHA1": "19977d45e98b48c901596fb0a49a7623cee4c782", + "SHA256": "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5", "Authentihash": { - "MD5": 
"575bfa9a34097f8d19982dcdd9118094", - "SHA1": "9369dbe6e082a2af351daebeef1c464af33cc270", - "SHA256": "6f96c129eb96bc4df9a7d247a98fecb9a3801dde63281ac1aba3d2ef869d32a5" + "MD5": "e7f217b2e9cafd1fd529fac02570b6ba", + "SHA1": "172b630f5d54c70ce0ee43cf1afdbb6f488eb4b7", + "SHA256": "2537f2ad83f5efc841ed75081d5dfffeb04eea92abfb9844adc091ff2a671b56" }, - "InternalName": "NTIOLib_X64.sys", - "Copyright": "Copyright (C) 2014 MSI. All rights reserved.", + "Description": "AVG Anti Rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.4.83.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "20.4.83.0", + "Copyright": "Copyright (C) 2020 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + 
"IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + 
"RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, 
CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, LLC, OU=RE 999, CN=AVG Technologies USA, LLC", + "ValidFrom": "2020-01-27 00:00:00", + "ValidTo": "2022-10-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "8c35a5b5d3503f50119ab8f99b07a4bb4b71cafaf983206f744545c2997ae1762032fa2d37f4780cfe83bfa999d7bcbd863dc4a51ff39978160e2e191482ae6d7f08e8ffa337c96d8c2d38ddf476a497265a890c1bbf0dee89b1abd32343889a3757732d205ba06525fa8f6e15005405a53e55cef71ac0b6af3a640e4c8aef5e950ab8a8b5c8bcddb2ade96ad9473a3d860ae16fdbe3362cabfd916da089167d906d378dbf4534f7ffb77d87baba29f8f5bbbd9b4b7c127ac170a270dc7a7272d38fdf3bbadbfb448d47e5dd4d310a588666a0d66762e1b3704b1e00e39739190c02f4b981cf2d27ba07d2472ec320edf29e263f26278995d162102968c999b3", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "03ec0c9015079fab8a6f3fc9f839311c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "736c4b85ce346ddf3b49b1e3abb4e72a", - "SHA1": "3abb9d0a9d600200ae19c706e570465ef0a15643", - "SHA256": "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib For MSISimple_OC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.2", - "FileVersion": "1.0.0.2", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": 
"ceac1347acae9ad9496d4b0593256522", + "SHA1": "36a6f75f05ac348af357fdecbabe1a184fe8d315", + "SHA256": "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7", "Authentihash": { - "MD5": "fb364fe88525eface63e291f7e86338e", - "SHA1": "0f661f61f0106faeda1d6cbe83b81aaf3ea4d28c", - "SHA256": "299f36c717c5d5d77a8e9c15879e95cd825f74e77c7ed24e7cccbefeb38a2165" + "MD5": "d09a1bf39b8055fc11ac2bad634f36c5", + "SHA1": "3016bec15d07a845d6cf40aafbd4d63a06c403f2", + "SHA256": "9e309324897edf07776adbb2b05252d7a2ad8140c6636bc28a5050e4ea183d40" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2011-2012 MSI. All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.1.4132.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.1.4132.0", + "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", "RtlInitUnicodeString", + 
"IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + 
"PsInitialSystemProcess", + "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeBugCheckEx", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - 
"Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 
12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "4a06bcd96ef0b90a1753a805b4235f28", - "SHA1": "27eab595ec403580236e04101172247c4f5d5426", - "SHA256": "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "MSI ComCenService Driver", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "35c8fdf881909fa28c92b1c2741ac60b", + "SHA1": "d942dac4033dcd681161181d50ce3661d1e12b96", + "SHA256": "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1", "Authentihash": { - "MD5": "1a384cdc0edc4e14d6dfb5b242e9313f", - "SHA1": "13874ae76957845e9315eedf0f5f2b59eedcb9a6", - "SHA256": "1f210a62de46c5acb868a083465b94287331ec28acd3b269e64ab6c3f372021f" + "MD5": 
"e56d6c4be652c01f178ecef18428f567", + "SHA1": "816088e3f2c6e3be17abe236bc905acc10733fda", + "SHA256": "11f0f2395b3e7a9849bf3f050bfda6b48ae2de856d8541a16b51d9097afb8306" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2013 MSI. All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.2.4181.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.2.4181.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "wcsrchr", + "towlower", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "RtlUnicodeStringToAnsiString", + "MmIsAddressValid", + "RtlAnsiStringToUnicodeString", + "strncmp", + "MmUnlockPages", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmProbeAndLockPages", + "IoAllocateMdl", + "memcpy", + "ObfDereferenceObject", + "ObReferenceObjectByName", + "IoDriverObjectType", + "_snwprintf", + "ZwClose", + "IoGetBaseFileSystemDeviceObject", + "ObReferenceObjectByHandle", + "ZwOpenFile", + "ExFreePoolWithTag", + "ZwReadFile", + "ExAllocatePoolWithTag", + "ZwSetInformationFile", + "ZwQueryInformationFile", + "PsLookupProcessByProcessId", + "KeSetEvent", + "KeResetEvent", + "ZwMapViewOfSection", + "ZwCreateSection", + "ZwUnmapViewOfSection", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "_snprintf", + "memset", + "ZwQuerySystemInformation", + "ZwQueryInformationProcess", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsThreadType", + "PsLookupThreadByThreadId", + "KeUnstackDetachProcess", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeWaitForSingleObject", + "KeClearEvent", + "KeQuerySystemTime", + "ZwEnumerateKey", + "ZwOpenKey", + "IoFreeWorkItem", + 
"IoQueueWorkItem", + "IoAllocateWorkItem", + "strchr", + "strrchr", + "strstr", + "PsGetCurrentProcessId", + "_alldiv", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "RtlVolumeDeviceToDosName", + "IoGetDeviceObjectPointer", + "wcsncpy", + "wcsncmp", + "IoGetDeviceInterfaces", + "_stricmp", + "strncpy", + "IoGetCurrentProcess", + "RtlInitString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "RtlConvertSidToUnicodeString", + "RtlEqualSid", + "SeExports", + "ZwQueryInformationToken", + "PsGetCurrentThreadId", + "ExEventObjectType", + "NtBuildNumber", + "IoFileObjectType", + "IoDeviceObjectType", + "PsSetLoadImageNotifyRoutine", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessWin32Process", + "ExAllocatePool", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "ObQueryNameString", + "_allmul", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", "IofCompleteRequest", + "IoGetRequestorProcessId", + "IofCallDriver", "IoDeleteDevice", + "IoCreateSymbolicLink", + "PsGetVersion", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", "IoCreateDevice", + "PsInitialSystemProcess", + "IoThreadToProcess", + "KeAttachProcess", + "MmMapLockedPages", + "ZwDeleteFile", + "MmUnmapIoSpace", + "MmMapIoSpace", + "PsProcessType", + "KeDetachProcess", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "RtlCompareUnicodeString", + "IoBuildSynchronousFsdRequest", + "ZwTerminateProcess", + "ZwOpenThread", + "IoFreeIrp", + "RtlEqualUnicodeString", + "IoAllocateIrp", + "ZwQueryDirectoryObject", + "ZwOpenDirectoryObject", + "KeBugCheck", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IoBuildDeviceIoControlRequest", + "KeTickCount", + "RtlUnwind", + "_strnicmp", + 
"_wcsnicmp", + "_wcsicmp", + "wcschr", + "KeDelayExecutionThread", + "MmMapLockedPagesSpecifyCache", + "KeGetCurrentThread", + "wcsstr", + "KeInitializeEvent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "IoIsWdmVersionAvailable", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "ExUnregisterCallback", + "ExCreateCallback", + "ExRegisterCallback", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeGetCurrentIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": 
"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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "63e333d64a8716e1ae59f914cb686ae8", - "SHA1": "78b9481607ca6f3a80b4515c432ddfe6550b18a8", - "SHA256": "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib for MSIFrequency_CC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "300d6ac47a146eb8eb159f51bc13f7cf", + "SHA1": "02316decf9e5165b431c599643f6856e86b95e7c", + "SHA256": "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad", "Authentihash": { - "MD5": "9e87790870d27c78e12a870557a5decf", - "SHA1": "ff09c47ebaa82cdde41a1be4e65f5a7cafb28322", - "SHA256": "051dad67cc6cb6b6e20b1230b04c09cc360d106a6b7000e0991381356ace0811" + "MD5": "dc4869ad1497f7bd21ae89c9ecbcefca", + "SHA1": "1b7496a00aa6fd9328b41bf48a692f2648f6a7fb", + "SHA256": "60f79c1b60a74b98b4f436d6bbbf5aeb9ce6febbe1443d318eea7581962b75a4" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.3.3848.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.3.3848.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + 
"PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + 
"RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": 
"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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "79483cb29a0c428e1362ec8642109eee", - "SHA1": "414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c", - "SHA256": "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a", - "Signature": [ - "Micro-Star 
Int'l Co. Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "dcd966874b4c8c952662d2d16ddb4d7c", + "SHA1": "135b261eb03e830c57b1729e3a4653f9c27c7522", + "SHA256": "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c", "Authentihash": { - "MD5": "4f3fc3f46b55c66e36a411e0389d9740", - "SHA1": "fed54cfff38966133b7fbc067246bbfca871118b", - "SHA256": "9a1d483d6ca994942533fcfe10c11b1725bbb9551e435476453a57ce7ff17029" + "MD5": "31deadc1bcfdcac3b86e05ad2aa9eb1d", + "SHA1": "6a02a8de97682af43b1a5831c4b4991caf94094a", + "SHA256": "f2e97fb72237dbbd8981d13a056dd3544c41d802efd129e1ea7e3f655de661b8" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.2.3820.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.2.3820.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + 
"PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + 
"RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "56220de8a9a65fffbff97ff463c4026ec9be68fe98bfa0b20a722df84322a44dbc98f25b87ee42da3a06a6cedef076de22e0d7e02d41201156875341cd24badedb8aa5afa133e9ed688fc45aeb37a74fbe399828143561fd717fa7bed97cb5d42643494462fef349f3300daff13660a9e50f85d1110de96d1300e0e730d2b6689fd53eb7a72f4f3112dffa2c1caf17cb64c22509d82b5ce1c2181c2faac22fce3981e683183d6da50d1c17dec375c370f5feb5abfbc6dca4cdd47a5b14375870de6dc346361d8997e79f19819f5168f9b01c9aacc210f2322248adc375a2782b64881c6a557677815c39b024555cc0adca920a617e0ecb385eb47213b1553c80", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + 
"ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "23cf3da010497eb2bf39a5c5a57e437c", - "SHA1": "d9c09dd725bc7bc3c19b4db37866015817a516ef", - "SHA256": "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "991230087394738976dbd44f92516cae", + "SHA1": "e2f40590b404a24e775f781525d8ed01f1b1156d", + "SHA256": "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833", "Authentihash": { - "MD5": "d3ef4e7146fce9f2a17134d42c07166b", - "SHA1": "ee34907ac4afce04fe1bab85e68d7e743db05841", - "SHA256": "a6bf32fafa57bcbb84b06db0d7d28e4b1457ead69c33fa883d5abe84ecd91b51" + "MD5": "6a9312463a34c79194223951fc89b195", + "SHA1": "6439725334c47247763a76d4ba8ebab4c1caedfa", + 
"SHA256": "f8e307f2af1c1ae3d5ef6581e651823e3b6bfb9d7b565353cbd50e455c1dc9c8" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "Avast Anti Rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "20.6.107.0", + "Product": "Avast Antivirus ", + "ProductVersion": "20.6.107.0", + "Copyright": "Copyright (c) 2020 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "__C_specific_handler", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ZwQueryInformationProcess", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetCurrentProcess", + "ObOpenObjectByPointer", + "strncpy", + "KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + 
"ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", + "ZwEnumerateKey", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + "MmGetSystemRoutineAddress", + "IoFreeWorkItem", + "_stricmp", + "ExAllocatePoolWithTag", + "RtlInitString", + "IofCallDriver", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", + "IofCompleteRequest", + "PsGetProcessWin32Process", + "ExEventObjectType", + "ZwQueryInformationFile", + "KeWaitForSingleObject", + "IoCreateSymbolicLink", + "PsSetCreateProcessNotifyRoutine", + "IoDriverObjectType", + "PsLookupThreadByThreadId", + "IoGetDeviceInterfaces", + "ZwClose", + "PsTerminateSystemThread", + "wcsrchr", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", + "IoThreadToProcess", + "PsInitialSystemProcess", "IoCreateDevice", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + 
"ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": "874d04f17ffc50e66100207e56ecc8ae7e81c1957a7600295ead9db28842c7c05e06e8e28ccfc1e9d45d7a55d6d4a2fb74d72600a79ef5bfa53acaa4f3a4fcaf90a2554fc37742dd44c83a90880f948f5538637c0d999b03ebbf20cc001293a5639d44ad950cacfce2a337f7a24b817a5b85df89f6acf49974adee1d867373e6534a3f3558e59f87d06afe5744ec575b66c76110a595471007b209c591984f0ff20ea4c87ac405c85f42f0b105b04ec2ced11ca9cfb6aef21a3c6ae9ccd2a9cb4a9f78244751b15bfccb32ec3a52d44258bad6fc6d9f24c24700e9e1c4c0c29b9db4683c526a92934d72367620c6a89119e7a678597d7603c62b1c22f54edfad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": 
"2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "9638f265b1ddd5da6ecdf5c0619dcbe6", - "SHA1": "9c256edd10823ca76c0443a330e523027b70522d", - "SHA256": "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib For NTIOLib_ECO", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.2", - "FileVersion": "1.0.0.2", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "259381daae0357fbfefe1d92188c496a", + "SHA1": "3f347117d21cd8229dd99fa03d6c92601067c604", + "SHA256": "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2", "Authentihash": { - "MD5": "ff9b15a51f11874a9abe7a1b9f4cfd0d", - "SHA1": "0d3956de7c3a7788727358867abf34880eaa7100", - "SHA256": "cf3ec8972720f84d73e907bb293de40468a0d605ce0da658a786f7b4842b3c62" + "MD5": "63451cd1b804978b26b8b04869749d76", + "SHA1": "2c96a59141c58c42a871671fd2c3dfac9bb43a37", + "SHA256": "72f100edc998bb2fc40a3a7e7d76c6c37f7173b812f5cd7ae62c824b3fc63d57" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2011-2012 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.4.3891.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.4.3891.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + 
"PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + 
"RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - 
"Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "f2f728d2f69765f5dfda913d407783d2", - "SHA1": "35829e096a15e559fcbabf3441d99e580ca3b26e", - "SHA256": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "16472fca75ab4b5647c99de608949cde", + "SHA1": "24daa825adedcbbb1d098cbe9d68c40389901b64", + "SHA256": "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9", "Authentihash": { - "MD5": "2d87365d63e81ef0edc577bf0cb33995", - "SHA1": "b472d32094e258b2af60914db8604cd0bf439c4b", - "SHA256": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8" + "MD5": "f778cb0515b1db1cb133286ed8e3f284", + "SHA1": "7ab72d197214b2792893a14b80ed6e5a546d0b9b", + "SHA256": "5eb493fc07a9573176f87297a002183d8e60104619a7b83940ce6e83ac54cd7b" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.6.3979.0", + "Product": "Avast Antivirus ", + "ProductVersion": "18.6.3979.0", + "Copyright": "Copyright (c) 2018 AVAST Software", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "wcsrchr", + "towlower", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "RtlUnicodeStringToAnsiString", + "MmIsAddressValid", + "RtlAnsiStringToUnicodeString", + "strncmp", + "MmUnlockPages", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmProbeAndLockPages", + "IoAllocateMdl", + "memcpy", + "ObfDereferenceObject", + "ObReferenceObjectByName", + "IoDriverObjectType", + "_snwprintf", + "ZwClose", + "IoGetBaseFileSystemDeviceObject", + "ObReferenceObjectByHandle", + "ZwOpenFile", + "ExFreePoolWithTag", + "ZwReadFile", + "ExAllocatePoolWithTag", + "ZwSetInformationFile", + "ZwQueryInformationFile", + "PsLookupProcessByProcessId", + "KeSetEvent", + "KeResetEvent", + "ZwMapViewOfSection", + "ZwCreateSection", + "ZwUnmapViewOfSection", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "_snprintf", + "memset", + "ZwQuerySystemInformation", + "ZwQueryInformationProcess", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsThreadType", + "PsLookupThreadByThreadId", + "KeUnstackDetachProcess", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeWaitForSingleObject", + "KeClearEvent", + "KeQuerySystemTime", + "ZwEnumerateKey", + "ZwOpenKey", + "IoFreeWorkItem", + "IoQueueWorkItem", + "IoAllocateWorkItem", + "strchr", + "strstr", + "PsGetCurrentProcessId", + "_alldiv", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "RtlVolumeDeviceToDosName", + "IoGetDeviceObjectPointer", + "wcsncpy", + "wcsncmp", + "IoGetDeviceInterfaces", + "wcschr", + 
"strncpy", + "IoGetCurrentProcess", + "RtlInitString", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "RtlConvertSidToUnicodeString", + "RtlEqualSid", + "SeExports", + "ZwQueryInformationToken", + "PsGetCurrentThreadId", + "ExEventObjectType", + "NtBuildNumber", + "IoFileObjectType", + "IoDeviceObjectType", + "PsSetLoadImageNotifyRoutine", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessWin32Process", + "strrchr", + "ExAllocatePool", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "ObQueryNameString", + "_allmul", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", "IofCompleteRequest", + "IoGetRequestorProcessId", + "IofCallDriver", "IoDeleteDevice", + "IoCreateSymbolicLink", + "PsGetVersion", + "IoDetachDevice", + "IoAttachDeviceToDeviceStackSafe", "IoCreateDevice", + "PsInitialSystemProcess", + "IoThreadToProcess", + "KeAttachProcess", + "MmMapLockedPages", + "ZwDeleteFile", + "PsProcessType", + "KeDetachProcess", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "RtlCompareUnicodeString", + "IoBuildSynchronousFsdRequest", + "ZwTerminateProcess", + "ZwOpenThread", + "IoFreeIrp", + "RtlEqualUnicodeString", + "IoAllocateIrp", + "ZwQueryDirectoryObject", + "ZwOpenDirectoryObject", + "KeBugCheck", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IoBuildDeviceIoControlRequest", + "KeTickCount", + "RtlUnwind", + "_stricmp", + "_strnicmp", + "_wcsicmp", + "_wcsnicmp", + "KeDelayExecutionThread", + "MmMapLockedPagesSpecifyCache", + "KeGetCurrentThread", + "wcsstr", + "KeInitializeEvent", + "ZwSetSecurityObject", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + 
"RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "IoIsWdmVersionAvailable", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "ExUnregisterCallback", + "ExCreateCallback", + "ExRegisterCallback", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeGetCurrentIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": 
"225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + 
"Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "992ded5b623be3c228f32edb4ca3f2d2", - "SHA1": "b8de3a1aeeda9deea43e3f768071125851c85bd0", - "SHA256": "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - 
R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "0e207ef80361b3d047a2358d0e2206b4", + "SHA1": "9393698058ce1187eb87e8c148cfe4804761142d", + "SHA256": "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258", "Authentihash": { - "MD5": "1d0d0ef174a767359bb32e53fe346416", - "SHA1": "4dbbf2558cdbdaf4a5e5ec65e844f5abdace5514", - "SHA256": "809403706c3669a0d67bd35a87f66714989d1bc66e2aa6ca5979781ae3c4fdb0" + "MD5": "57dfa53fc7b8280adbe9a32a00241e17", + "SHA1": "20812c39a2bb52c80eec322d8fecbef4d8138a73", + "SHA256": "00716eab8a3277128fb5ea8b1ac863e4b81b40674f7c6eb0f201e96341fd87c9" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.7.4246.0", + "Product": "Avast Antivirus ", + "ProductVersion": "19.7.4246.0", + "Copyright": "Copyright (c) 2019 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + 
"PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsGetThreadId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "PsGetThreadProcess", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "PsGetProcessId", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", 
+ "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 
00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "c3fea895fe95ea7a57d9f4d7abed5e71", - "SHA1": "054a50293c7b4eea064c91ef59cf120d8100f237", - "SHA256": "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "a4531040276080441974d9e00d8d4cfa", + "SHA1": "d8e8dcc8531b8d07f8dabc9e79c19aac6eeca793", + "SHA256": "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6", "Authentihash": { - "MD5": "922f6d3d0dda7748bad7a537a8bc9e4e", - "SHA1": "71355d9ebcf35492b60c3f936550d30310a31049", - "SHA256": "9d734d6443a707d601d76577692dc613b35201518856d0189b037f7a4fbd420d" + "MD5": "2288e600dfcf6eb8f176f9c5df5e7fcf", + "SHA1": "2cc6204ab44715a8d7c5189c524d8213a917e00a", + "SHA256": "e27fa56ceff3fe7d5a723c5f4192ce6aa16994f88cf05935645f9e398292376a" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.4.4211.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "19.4.4211.0", + "Copyright": "Copyright (C) 2019 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + 
"MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + "ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", 
+ "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + 
"ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, ST=North Carolina, L=Newton, O=AVG Technologies USA, Inc., OU=Release Engineering, CN=AVG Technologies USA, Inc.", + "ValidFrom": "2018-01-30 00:00:00", + "ValidTo": "2021-01-22 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, 
O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "0557955e02a6b53dd1d574ede15f310e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "0395b4e0eb21693590ad1cfdf7044b8b", - "SHA1": "d94f2fb3198e14bfe69b44fb9f00f2551f7248b2", - "SHA256": "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "aswArPot.sys", + "MD5": "7fbd3b4488a12eab56c54e7bb91516f3", + "SHA1": "61d44c9a1ef992bc29502f725d1672d551b9bc3f", + "SHA256": "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9", "Authentihash": { - "MD5": "c6830e904e56ea951005ea7639eedd35", - "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", - "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" + "MD5": "e9dca8f16d7d0074a212dd73f33f94f1", + "SHA1": "b844ef5bb029ccfd144dc6f3d705b7c3d0e6efdb", + "SHA256": "47f64d6753f40388382097351a26dad54b8fdf59529a24acc65e9ced440ee2c6" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "AVG anti rootkit", + "Company": "AVG Technologies CZ, s.r.o.", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "18.2.3827.0", + "Product": "AVG Internet Security System ", + "ProductVersion": "18.2.3827.0", + "Copyright": "Copyright (C) 2018 AVG Technologies CZ, s.r.o.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + 
"ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", "IoCreateDevice", + "PsProcessType", + "KeDetachProcess", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "IoBuildDeviceIoControlRequest", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + 
"RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -63145,13 +53158,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -63160,264 +53166,385 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "Filename": "NTIOLib.sys", - "MD5": "68dde686d6999ad2e5d182b20403240b", - "SHA1": 
"01a578a3a39697c4de8e3dab04dba55a4c35163e", - "SHA256": "591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib For MSIRatio_CC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", - "Authentihash": { - "MD5": "3b7d9b57810ca80137223615a97635e0", - "SHA1": "8d9f65a6a9048ec91dd010216071c4ec983887c7", - "SHA256": "4e92baa37cd8b665ca0851f8442766aaf3b96fa61ea137d5972d5eb059389a05" - }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=NL, ST=North Holland, L=Amsterdam, O=AVG Netherlands B.V., CN=AVG Netherlands B.V.", + "ValidFrom": "2015-07-28 00:00:00", + "ValidTo": "2018-09-25 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "4b5e1897903602425d3cb25d75c4f4ce", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "34069a15ae3aa0e879cd0d81708e4bcc", - "SHA1": "14bf0eaa90e012169745b3e30c281a327751e316", - "SHA256": "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib_X64", - "Product": "NTIOLib_X64", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib_X64.sys", + "FileName": "aswArPot.sys", + "MD5": "65e6718a547495c692e090d7887d247b", + "SHA1": "51b9867c391be3ce56ba7e1c3cba8c76777245b2", + "SHA256": "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3", "Authentihash": { - "MD5": "066bcfa3fdd0925385faf92debce887c", - "SHA1": "a2948b9d2e2ee9f4929b39acad6c850ea70dd34c", - "SHA256": "7fa5c326b294f4fc537207a27947c2fcbbfa4eabde1ba4727c92cd8613e0fc7f" + "MD5": "2be74c85587978badcc47079d1eb1c5b", + "SHA1": "eaaaeba2313000a501688f7b8416fec2b705ef7a", + "SHA256": "fca5f90ce2b210e6026cbf6f2c281fe17a08ddb2e936200847823ef83eaab1eb" }, - "InternalName": "NTIOLib_X64.sys", - "Copyright": "Copyright (C) 2014 MSI. 
All rights reserved.", + "Description": "Avast anti rootkit", + "Company": "AVAST Software", + "InternalName": "aswArPot.sys", + "OriginalFilename": "aswArPot.sys", + "FileVersion": "19.2.4157.0", + "Product": "Avast Antivirus ", + "ProductVersion": "19.2.4157.0", + "Copyright": "Copyright (c) 2019 AVAST Software", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_wcsicmp", + "towlower", + "_strnicmp", + "ExAllocatePoolWithTag", + "PsGetProcessWin32Process", + "KeClearEvent", + "RtlVolumeDeviceToDosName", + "KeQueryActiveProcessors", + "RtlConvertSidToUnicodeString", + "IoBuildDeviceIoControlRequest", + "ExFreePoolWithTag", + "KeResetEvent", + "ExReleaseFastMutex", + "IoGetBaseFileSystemDeviceObject", + "strncmp", + "ZwOpenThreadTokenEx", + "RtlAnsiStringToUnicodeString", + "ExAcquireFastMutex", + "PsSetLoadImageNotifyRoutine", + "_snwprintf", + "NtBuildNumber", + "PsRemoveCreateThreadNotifyRoutine", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "_wcsnicmp", + "ZwReadFile", + "strstr", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeSetEvent", + "wcsncpy", + "RtlEqualSid", + "strchr", + "IoFreeWorkItem", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateThreadNotifyRoutine", + "RtlUnicodeStringToAnsiString", + "_snprintf", + "RtlGetVersion", + "ZwQuerySystemInformation", + "RtlInitString", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "KeUnstackDetachProcess", + "ZwOpenProcessTokenEx", + "ZwSetInformationFile", + "tolower", + "KeDelayExecutionThread", + "ObQueryNameString", + "strncpy", + "IoFileObjectType", + "IoDriverObjectType", + "wcsrchr", + "wcsstr", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "IoGetDeviceObjectPointer", + 
"ZwUnmapViewOfSection", + "ExAllocatePool", + "PsTerminateSystemThread", + "IoGetCurrentProcess", + "ExEventObjectType", + "IoAllocateWorkItem", + "ZwClose", "IofCompleteRequest", - "IoDeleteDevice", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "MmProbeAndLockPages", + "PsGetVersion", + "KeRevertToUserAffinityThread", + "PsThreadType", + "IoGetDeviceInterfaces", + "ZwOpenProcess", + "SeExports", + "MmUnlockPages", + "strrchr", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeSetSystemAffinityThread", + "MmIsAddressValid", + "ObfDereferenceObject", + "ZwCreateSection", + "ObReferenceObjectByName", + "IoQueueWorkItem", + "IoDeviceObjectType", + "ZwOpenFile", + "wcsncmp", + "ZwQueryInformationToken", + "ZwQueryInformationFile", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "ZwEnumerateKey", + "IoAllocateMdl", + "IofCallDriver", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "IoThreadToProcess", + "IoAttachDeviceToDeviceStackSafe", + "IoDetachDevice", + "PsInitialSystemProcess", "IoCreateDevice", + "PsProcessType", + "MmUnmapIoSpace", + "KeDetachProcess", + "MmMapIoSpace", + "KeAttachProcess", + "ZwDeleteFile", + "IoBuildSynchronousFsdRequest", + "NtClose", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwWriteFile", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "ZwOpenDirectoryObject", + "KeBugCheck", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeInsertQueueDpc", + "KeNumberProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + 
"SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CZ, L=Praha 4, O=AVAST Software s.r.o., CN=AVAST Software s.r.o.", + "ValidFrom": "2016-09-06 00:00:00", + "ValidTo": "2019-10-04 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping 
Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "07c70f7cab145bc1ed385fbe69fa3130", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "aswArPot.sys" + ], + "yara": true + }, + { + "Id": "0258df5c-c3c1-4ed5-ba8f-846d91526ffe", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsrDrv10.sys binPath=C:\\windows\\temp\\AsrDrv10.sys type=kernel && sc.exe start AsrDrv10.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "3f39f013168428c8e505a7b9e6cba8a2", - "SHA1": "f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79", - "SHA256": "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AsrDrv10.sys", + "MD5": "9b91a44a488e4d539f2e55476b216024", + "SHA1": "72966ca845759d239d09da0de7eebe3abe86fee3", + "SHA256": "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c", "Signature": [ - "Micro-Star Int'l Co. Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Publisher": "ASROCK Incorporation", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + "Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "AsrDrv.sys", "Authentihash": { - "MD5": "7c60ced61bb34cad2982f5ddb1306754", - "SHA1": "d02d19abf19569df72ea2c5071330de3d57e0982", - "SHA256": "fa861c61102cbcaa1e5f6020deaa066c4fcdfaee3ded1ee156ab81d59ad54f9a" + "MD5": "e3a0cecf1427722f291347941edc9b81", + "SHA1": "2e6d61fa32e12fe4abf7b7d87aa6824f5f528000", + "SHA256": "c767a5895119154467ac3fce8e82c20e6538a4e54f6c109001c61f8abd58f9f8" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.",
+ "InternalName": "AsrDrv.sys",
+ "Copyright": "Copyright (C) 2012 ASRock Incorporation",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
+ "IoDeleteSymbolicLink",
+ "ExFreePoolWithTag",
+ "MmFreeContiguousMemorySpecifyCache",
+ "RtlInitUnicodeString",
+ "IoDeleteDevice",
+ "RtlQueryRegistryValues",
 "MmUnmapIoSpace",
+ "IoFreeMdl",
+ "MmGetPhysicalAddress",
+ "IoBuildAsynchronousFsdRequest",
 "MmMapIoSpace",
 "IofCompleteRequest",
- "IoDeleteDevice",
+ "IoFreeIrp",
+ "RtlCompareMemory",
+ "MmUnlockPages",
+ "IoCreateSymbolicLink",
 "IoCreateDevice",
+ "MmAllocateContiguousMemorySpecifyCache",
+ "IofCallDriver",
 "KeBugCheckEx",
- "RtlInitUnicodeString",
- "IoCreateSymbolicLink",
- "IoDeleteSymbolicLink",
- "__C_specific_handler",
- "HalSetBusDataByOffset",
- "HalGetBusDataByOffset"
+ "ExAllocatePoolWithTag",
+ "KeStallExecutionProcessor"
 ],
 "Signatures": [
 {
@@ -63425,10 +53552,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2",
- "ValidFrom": "2007-06-15 00:00:00",
- "ValidTo": "2012-06-14 23:59:59",
- "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
+ "ValidFrom": "2012-05-01 00:00:00",
+ "ValidTo": "2012-12-31 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -63439,189 +53566,151 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498", + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "AsrDrv10.sys" + ], + "yara": true + }, + { + "Id": "10b1fc3d-c444-4885-8ca9-4b5891885507", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create atillk64.sys binPath=C:\\windows\\temp\\atillk64.sys type=kernel && sc.exe start atillk64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "1ed043249c21ab201edccb37f1d40af9", - "SHA1": "6100eb82a25d64a7a7702e94c2b21333bc15bd08", - "SHA256": "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", - "Authentihash": { - "MD5": "ef516589154145d31284df600c9ad58b", - "SHA1": "dbed3d7755df2c30d7e445529ed2bbe60ce9ee2d", - "SHA256": "6bed7f1304c6785a06064b04e0e3cb55384588f18ea2fc348a6fcd5784f47558" - }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "96b463b6fa426ae42c414177af550ba2", - "SHA1": "bf87e32a651bdfd9b9244a8cf24fca0e459eb614", - "SHA256": "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "atillk64.sys", + "MD5": "27d21eeff199ed555a29ca0ea4453cfb", + "SHA1": "1045c63eccb54c8aee9fd83ffe48306dc7fe272c", + "SHA256": "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7", "Authentihash": { - "MD5": "133e1582c5d14c52ac3590c9d2ada850", - "SHA1": "a22e6b855062f1154ae8f244e2652e04b4ea5b4c", - "SHA256": "5a63937a6320f50c4782d0675104932907d16a91d89088ac979a7a0129aad986" + "MD5": "75c20227e11024bdfd5fbe23e769bbca", + "SHA1": "2e3cf3678d476420696ec7df46b08d4d24d25644", + "SHA256": "c9b8ecd0657fda14476920fe47783bd8a951d7a4a640935d9199b4a7ae4b8b69" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "ATI Diagnostics Hardware Abstraction Sys", + "Company": "ATI Technologies Inc.", + "InternalName": "atillk64.sys", + "OriginalFilename": "atillk64.sys", + "FileVersion": "5.11.9.0", + "Product": "ATI Diagnostics", + "ProductVersion": "5.11.9.0", + "Copyright": "Copyright (C) ATI Technologies Inc., 2003", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", "MmMapIoSpace", "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "MmUnmapIoSpace", + "IoDeleteSymbolicLink", + "KeTickCount", + "IoAllocateMdl", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPages", + "IoFreeMdl", "RtlInitUnicodeString", + "IoCreateDevice", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoDeleteDevice", + "HalGetBusDataByOffset", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "READ_PORT_UCHAR", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "HalSetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", 
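Review bot: The new atillk64.sys entry (Id 10b1fc3d-…) does not follow the record shape the neighbouring entries use: `Commands` is a bare string here while the AsrDrv10.sys entry earlier in this hunk wraps it in an object with `Command`/`Description`/`Usecase`/`Privileges`/`OperatingSystem`, the top-level `Description` and `Acknowledgement.Person` are `[]` where siblings use `""`, `CertificatesInfo` flips between `""` and `[]`, and the sample key is spelled `FileName` where every other sample uses `Filename`. A typed consumer (this file sits under pkg/loldrivers, so presumably a struct unmarshals it) will either reject the string-vs-object field or silently drop `FileName`, leaving that sample without a name for name-based matching. The same `Detection` array also lists the yara_signature for ad40e6d0… twice, so one entry should go. Since the file is regenerated from upstream, the normalisation belongs in the generator, but the shape I would expect for the Commands block is:
```json
"Commands": {
  "Command": "sc.exe create atillk64.sys binPath=C:\\windows\\temp\\atillk64.sys type=kernel && sc.exe start atillk64.sys",
  "Description": "",
  "Usecase": "Elevate privileges",
  "Privileges": "kernel",
  "OperatingSystem": "Windows 10"
},
```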
@@ -63630,79 +53719,80 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, 
OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", + "ValidFrom": "2006-03-17 00:00:00", + "ValidTo": "2009-03-21 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "0752f113d983030939b4ab98b0812cf0", - "SHA1": "28b1c0b91eb6afd2d26b239c9f93beb053867a1a", - "SHA256": "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "atillk64.sys", + "MD5": "26d973d6d9a0d133dfda7d8c1adc04b7", + "SHA1": "eb0d45aa6f537f5b2f90f3ad99013606eafcd162", + "SHA256": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", "Authentihash": { - "MD5": "761bee6879171d50932f73cfa9c718e0", - "SHA1": "33b2e3af695f0febd39d02d8f931e92ad88461f4", - "SHA256": "e951858d5317724c015eef07d402e8bcb33cf1a7c2ccf7a75cea63e3430d16a2" + "MD5": "78103f6de4cad64d95a8beda5f8b9112", + "SHA1": "0358bcba83349cb23ea44d5c36b9e22adaec8d94", + "SHA256": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "ATI Diagnostics Hardware Abstraction Sys", + "Company": "ATI Technologies Inc.", + "InternalName": "atillk64.sys", + "OriginalFilename": "atillk64.sys", + "FileVersion": "5.11.9.0", + "Product": "ATI Diagnostics", + "ProductVersion": "5.11.9.0", + "Copyright": "Copyright (C) ATI Technologies Inc., 2003", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "RtlInitUnicodeString", "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "IofCompleteRequest", "IoDeleteSymbolicLink", - "__C_specific_handler", + "IoCreateSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], 
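Review bot: The second atillk64.sys sample that begins at the end of this hunk (MD5 26d973d6…, SHA256 ad40e6d0…, Authentihash SHA256 2952ae30…) is repeated as a third sample in hunk `@@ -63712,85 +53802,87 @@` with identical hashes, version info and ImportedFunctions, so one of the two is a duplicate record rather than a distinct binary. A consumer that indexes samples by hash will see a collision, and per-driver sample counts for this entry will be off by one. The sample object starts here and its Signatures array continues into the next hunk, so the dedupe has to span both. If the upstream generator cannot dedupe, a post-processing step keyed on `(SHA256, Authentihash.SHA256)` would catch this before the JSON is committed.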
@@ -63712,85 +53802,87 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": 
"877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", + "ValidFrom": "2006-03-17 00:00:00", + "ValidTo": "2009-03-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 
Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "6cce5bb9c8c2a8293df2d3b1897941a2", - "SHA1": "879fcc6795cebe67718388228e715c470de87dca", - "SHA256": "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib for MSIDDR_CC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "atillk64.sys", + "MD5": "26d973d6d9a0d133dfda7d8c1adc04b7", + "SHA1": "eb0d45aa6f537f5b2f90f3ad99013606eafcd162", + "SHA256": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", "Authentihash": { - "MD5": "63ea2f5ce789857efaf657ae86d029c5", - "SHA1": "33286e984b12811b38b2ad3396451388e2f24424", - "SHA256": "98f5cb928827e8dadc79c1be4f27f67755dbeb802c3485af9cace78b9eb65c59" + "MD5": "78103f6de4cad64d95a8beda5f8b9112", + "SHA1": "0358bcba83349cb23ea44d5c36b9e22adaec8d94", + "SHA256": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.",
+ "Description": "ATI Diagnostics Hardware Abstraction Sys",
+ "Company": "ATI Technologies Inc.",
+ "InternalName": "atillk64.sys",
+ "OriginalFilename": "atillk64.sys",
+ "FileVersion": "5.11.9.0",
+ "Product": "ATI Diagnostics",
+ "ProductVersion": "5.11.9.0",
+ "Copyright": "Copyright (C) ATI Technologies Inc., 2003",
+ "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
+ "RtlInitUnicodeString",
 "MmUnmapIoSpace",
- "MmMapIoSpace",
- "IofCompleteRequest",
- "IoDeleteDevice",
+ "IoFreeMdl",
+ "MmMapLockedPages",
+ "MmBuildMdlForNonPagedPool",
+ "IoAllocateMdl",
 "IoCreateDevice",
- "KeBugCheckEx",
- "RtlInitUnicodeString",
- "IoCreateSymbolicLink",
+ "IofCompleteRequest",
 "IoDeleteSymbolicLink",
- "__C_specific_handler",
+ "IoCreateSymbolicLink",
+ "MmMapIoSpace",
+ "IoDeleteDevice",
 "HalSetBusDataByOffset",
 "HalGetBusDataByOffset"
 ],
@@ -63799,13 +53891,6 @@
 "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
- {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
- "ValidFrom": "2012-05-01 00:00:00",
- "ValidTo": "2012-12-31 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
 {
 "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
 "ValidFrom": "2003-12-04 00:00:00",
@@ -63814,434 +53899,811 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - 
"ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", + "ValidFrom": "2006-03-17 00:00:00", + "ValidTo": "2009-03-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "71bb7d93f6814cf58266cf2176e751b3", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - }, + } + ], + "Tags": [ + "atillk64.sys" + ], + "yara": true + }, + { + "Id": "9f8f2324-d867-4211-842a-122b93946445", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create mhyprot.sys binPath=C:\\windows\\temp\\mhyprot.sys type=kernel && sc.exe start mhyprot.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "NTIOLib.sys", - "MD5": "64efbffaa153b0d53dc1bccda4279299", - "SHA1": "15df139494d2c40a645fb010908551185c27f3c5", - "SHA256": 
"9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "mhyprot.sys", + "MD5": "8b779fe1d71839ad361226f66f1b3fe5", + "SHA1": "175fb76c7cd8f0aeb916f4acb3b03f8b2d51846a", + "SHA256": "0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467", "Authentihash": { - "MD5": "c6788d75093368b6dc2bc373df4591b8", - "SHA1": "a3799e1aa983ad65de762a430f3286eefeff61e0", - "SHA256": "1ef80a6b63766ca36e2f2a7d29c49dc5859a58604bd8fde15011d8c379f76e01" + "MD5": "a74fbda962fe6aa9701b1af91f74675a", + "SHA1": "f1f4cfa7c5b4a882ff4c107e72977edcd7128855", + "SHA256": "7bfa54943180e34aea390a8f63a2cb007cf53c336dff697c60a79103f3c0c19d" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "NtQuerySystemInformation", + "RtlInitUnicodeString", + "ExAllocatePool", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "IofCompleteRequest", - "IoDeleteDevice", "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ZwClose", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "ZwQueryVirtualMemory", + "MmProbeAndLockPages", + "PsLookupProcessByProcessId", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoGetCurrentProcess", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + 
"ObGetFilterVersion", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", + "DbgPrint", + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "KeInitializeEvent", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmBuildMdlForNonPagedPool", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "2da209dde8188076a9579bd256dc90d0", - "SHA1": "1f7501e01d84a2297c85cb39880ec4e40ac3fe8a", - "SHA256": "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "mhyprot.sys", + "MD5": "67e3b720cee8184c714585a85f8058a0", + "SHA1": "254dce914e13b90003b0ae72d8705d92fe7c8dd0", + "SHA256": "69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2", "Authentihash": { - "MD5": "5e4c54660e02b951d67e54ce3c16dcc9", - "SHA1": "14e798609095df77d135dd2afae8277e0a968d99", - "SHA256": "5eb233ed9df3c1def326e2c63ee304dc85af303f8c9f038c993aa6e34f91ffaf" + "MD5": "19c86f21ca10d68738fac94bb43e7861", + "SHA1": "c771ea59f075170e952c393cfd6fc784b265027c", + "SHA256": "39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "ObfDereferenceObject", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "RtlInitUnicodeString", "IofCompleteRequest", - "IoDeleteDevice", "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ZwClose", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ZwQueryObject", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "ExReleaseFastMutex", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + 
"PsGetProcessId", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "PsAcquireProcessExitSynchronization", + "PsReleaseProcessExitSynchronization", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "KeInitializeEvent", + "RtlCopyUnicodeString", + "ExAcquireFastMutex", + "ExFreePoolWithTag", + "ExAllocatePool", + "MmProbeAndLockPages", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": 
"2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", + "ValidFrom": "2019-05-02 00:00:00", + "ValidTo": "2038-01-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", + "ValidFrom": "2020-10-23 00:00:00", + "ValidTo": "2032-01-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "84ba7af6ada1b3ea5efb9871a0613fc6", - "SHA1": "152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67", - "SHA256": "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib for DebugLED", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "mhyprot2.sys", + "MD5": "8f47af49c330c9fcf3451ad2252b9e04", + "SHA1": "be797c91768ac854bd3b82a093e55db83da0cb11", + "SHA256": 
"ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058", "Authentihash": { - "MD5": "e2fde714a590d75cec614058707ac9d7", - "SHA1": "450a92b5d604ad2c7d848ab96dc1c0455c7d1f92", - "SHA256": "5dfb950d4771c35f4f82626b5d8859cce74bf03db67f2be3036631894a62eca8" + "MD5": "5908564f34ef8fd94e9420c8f1af19bc", + "SHA1": "bd2c5fdae29b39de9f862455fb2fb07fbf99ece2", + "SHA256": "df3fd9fa267e12d7c6b65028373e21978041f0c94375b5c7316498fbad6f4ae0" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2013 MSI. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "NtQuerySystemInformation", + "RtlInitUnicodeString", + "ExAllocatePool", + "ExFreePoolWithTag", "IofCompleteRequest", - "IoDeleteDevice", "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ZwClose", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ZwQueryObject", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "MmProbeAndLockPages", + 
"PsLookupProcessByProcessId", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "PsGetProcessId", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlEqualUnicodeString", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "PsAcquireProcessExitSynchronization", + "PsReleaseProcessExitSynchronization", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "KeInitializeEvent", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmBuildMdlForNonPagedPool", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo 
Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "5cf5b22d02ceed01b53512d813f7aa4014c7a15ca08a55ed7e55ea6ac457176fd04722423658efc5ac61c5f62c52ce6ae6c80d85dab334420ea40225182672b92a4ea57e4b16f2a0e40c449ce24d9af474f0f927a6699031c244654348c74869d0fc8409f286140ac22996857f11eb8713176ed3ec6bff1d578ab17b1ea5a07ce9a27a68e5fac6b161d67263fa379163835599f81d614f0c6fa3f7bcb1152acc8d85e31417ef7e49443fb022c0f0acbe2fdbe10c86b0f4585c5a10a94bcdf3448a4652083e0a6210e9459504b78b8d4b074f500db7bbe7fb8ca27878c6c53b7663b2cfe521845a66fce04c79834ecfa8ee700586587cc29cd73ca3ad3c7e76625c87d0ed7cd5c55b1421f4be75a275d2e9e15ad020307841624d6b5e6e1b1710244ad8588775d015d762bbfd185665842561977faad49df4f35d6da031c2e19e02ac3e90c3327ee832903416d08b14cf95accee58c54a265b8bfed186a57073ed3e79a4a2f081a041c49871a8ae61b08a365d81c31c50d9cbab368ddf45076160675fec403e7d13edfdc862e10027e661296534e7af3365879b12042d8963f35be3f8ef2999743f5e40ce13c68728c8d49d75a52b573fb7a35943a61b08482c04885c19732d39b725fa0d2348f7ef0467cf28c7294c707b0d7b5b230b81965f09c8327b0a0abd0a2727e050fb3aeddb95b9b42bcc32663456b86f11d4643edc8", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "7b721d64ff88c83ac1b7e9e7a9c487bbdb9492d7905933fa2b87dea85b80253f138f9b831b7c43c4e68cdf393ec315ecb0da3b21257b24c1725db84791811346fa9c3f6a5138deb425cbf0abdfc528015479104624d1380f26a161904dbabd28e63ff1c4aa9bf6da35534fc9f23dd36cdc23edaaa04d6709f33a803d3cfb364c90e776a4ddf23abf56352fa24c65e8e0d4dad1c7c8916a2d234f373b199418d4d59c103cd5b11c19ff8fc86b9b9ef8ae9c999678d1cd9c51155b4226725a8d0a4a239240e886de22c2933ad49b68a6df297f06b93c0ebd9fc4869c82474271328609997209794b9d7169f541ff7f397764f1848dbe8b1eb27d68a3a590b10cff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", + "ValidFrom": "2019-05-02 00:00:00", + "ValidTo": "2038-01-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, 
CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", + "ValidFrom": "2020-10-23 00:00:00", + "ValidTo": "2032-01-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "1b32c54b95121ab1683c7b83b2db4b96", - "SHA1": "5f8356ffa8201f338dd2ea979eb47881a6db9f03", - "SHA256": 
"99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1", - "Signature": [ - "Micro-Star Int'l Co. Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "mhyprot2.sys", + "MD5": "89c7bd12495e29413038224cb61db02e", + "SHA1": "16c6bcef489f190a48e9d3b1f35972db89516479", + "SHA256": "b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418", "Authentihash": { - "MD5": "b36ce3dc6e3ca0e76c9f9a7d4d331524", - "SHA1": "0b68901f632deadc3f0691febe7d0dacb8a2d4d8", - "SHA256": "bb4e3aa888a779238b210d6406aa480f01d27ea28d20699b1ec29a59dae19913" + "MD5": "d5a852a9cb4c81cba921aaf523bcabf4", + "SHA1": "a3fd0d15889398830a61eed9dfac17dfbde792ef", + "SHA256": "8ced17d1ee92ae72749afdfe40f5029223d97f0f977e718bd5ab1242d1ff7cb5" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "NtQuerySystemInformation", + "RtlInitUnicodeString", + "ExAllocatePool", + "ExFreePoolWithTag", "IofCompleteRequest", - "IoDeleteDevice", "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "_wcsicmp", + "RtlInitString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ZwClose", + "MmIsAddressValid", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", + "ZwQuerySystemInformation", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "MmGetSystemRoutineAddress", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ZwQueryObject", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "PsLookupProcessByProcessId", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmCopyVirtualMemory", + "KeClearEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "MmMapLockedPages", + "ObReferenceObjectByHandle", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ExEventObjectType", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "PsGetProcessId", 
+ "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "PsAcquireProcessExitSynchronization", + "PsReleaseProcessExitSynchronization", + "_snprintf", + "vsprintf_s", + "ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", + "KeDelayExecutionThread", + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "KeInitializeEvent", + "RtlCopyUnicodeString", + "ObfDereferenceObject", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "MmProbeAndLockPages", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-08 00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "3c4a010267edf20a2e736e40252f1dccbc2db652141b27122cf1229e190a89b6ef352a29152b1a88c20f37168d2602d5e93080f608b9939ac0498f332c3035ff4ab9892aa75c38e761a778fe22851a07b4b9edcf21f25ddedff329c5d38d9e14c4285c88e590a300442912b23e759540244a6beee2d0ef862ddf6d741a4f1cc79424c443464f7b81015d23733cd9752e995361565e7ccd13e237d222e570f8a743f6154147fda24702c43651ca545da6cdcad61817533ff1d38e0f0aafda17941657a0991431c90e1611d2c04ca2a25978fbb6b933cff763c9d2c4c84953dd8a59525e7d3b385eed220360ac85cd58325dcdc31c07fa7ef67efbc8ac378be498", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - 
"Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "05a7559541e0fdc678d79e3272468907", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Code Signing CA,1" } ] } ] + } + ], + "Tags": [ + "mhyprot.sys" + ], + "yara": false + }, + { + "Id": "54d67d79-0268-4c5f-be7e-0f74cd20828a", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create NTIOLib_X64.sys binPath=C:\\windows\\temp\\NTIOLib_X64.sys type=kernel && sc.exe start NTIOLib_X64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "b0baac4d6cbac384a633c71858b35a2e", - "SHA1": "a7bd05de737f8ea57857f1e0845a25677df01872", - "SHA256": "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "NTIOLib_X64.sys", + "MD5": "c02f70960fa934b8defa16a03d7f6556", + "SHA1": "3805e4e08ad342d224973ecdade8b00c40ed31be", + "SHA256": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", "Signature": [ "Micro-Star Int'l Co. Ltd.", "GlobalSign ObjectSign CA", "GlobalSign Primary Object Publishing CA", - "GlobalSign" + "GlobalSign Root CA - R1" ], "Date": "", "Publisher": "", @@ -64253,9 +54715,9 @@ "MachineType": "AMD64", "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "498e18a0df3d49779e5d50e2ce1e8385", - "SHA1": "cb7ed29416920b38a00695d11751ca6766a7b5f9", - "SHA256": "48ac8ae911c490e1b7f7813c0f345677e110ffaa9ef385b86ca25e5519e2c0de" + "MD5": "c6830e904e56ea951005ea7639eedd35", + "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", + "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" }, "InternalName": "NTIOLib.sys", "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", 
@@ -64283,20 +54745,6 @@ "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", "ValidFrom": "1999-01-28 12:00:00", 
@@ -64334,52 +54782,128 @@ ] } ] - }, + } + ], + "Tags": [ + "NTIOLib_X64.sys" + ], + "yara": true + }, + { + "Id": "d1441172-cc15-4a96-b782-f440bfb681e1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create b4.sys binPath=C:\\windows\\temp\\b4.sys type=kernel && sc.exe start b4.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "NTIOLib.sys", - "MD5": "b89b097b8b8aecb8341d05136f334ebb", - "SHA1": "cce9b82f01ec68f450f5fe4312f40d929c6a506e", - "SHA256": "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499", + "Filename": "b4.sys", + "SHA256": "dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "b4.sys" + ], + "yara": false + }, + { + "Id": "05d7cfea-1fb9-4559-8837-d97b713254fe", + "Author": "Michael Haag", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create 4.sys binPath=C:\\windows\\temp\\4.sys type=kernel && sc.exe start 4.sys", + "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, 
MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. ", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "4.sys", + "MD5": "6fcf56f6ca3210ec397e55f727353c4a", + "SHA1": "6debce728bcff73d9d1d334df0c6b1c3735e295c", + "SHA256": "8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104", "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "b70f71ebef5d45dcf99098beb0f72951", - "SHA1": "049b1cd656849214bd5c864c79e3b27be6b46b34", - "SHA256": "c1795ec9d05d0efe56e76bf4b76a09a804d3cd5b0e75bc47049d5ee488fc2bec" + "MD5": "72b24aa23f596d91a5596e57b1c306d0", + "SHA1": "60316c8ebadad30d9dd33ae87e8202b6e0c17cb4", + "SHA256": "1716d4c523aeea9703032ca93eb9668b9a16f542c00cec248b0a1c132d80bb15" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "InternalName": "", + "Copyright": "", "Imports": [ + "ntoskrnl.exe", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "rand", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -64387,87 +54911,165 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "4.sys" + ], + "yara": false + }, + { + "Id": "1c7631f0-f92f-4be5-8ba7-3eefb0601d45", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + 
"Command": "sc.exe create LHA.sys binPath=C:\\windows\\temp\\LHA.sys type=kernel && sc.exe start LHA.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "a711e6ab17802fabf2e69e0cd57c54cd", - "SHA1": "e35a2b009d54e1a0b231d8a276251f64231b66a3", - "SHA256": "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "LHA.sys", + "MD5": "748cf64b95ca83abc35762ad2c25458f", + "SHA1": "fcd615df88645d1f57ff5702bd6758b77efea6d0", + "SHA256": "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf", "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root 
Certificate Authority 2010" ], "Date": "", "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "LG Electronics Inc.", + "Description": "LHA", + "Product": "Microsoft® Windows® Operating System", + "ProductVersion": "6.1.7600.16385", + "FileVersion": "6.1.7600.16385 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "LHA.sys", "Authentihash": { - "MD5": "ec3966c4b4ec6fc15ff0940548fd10c2", - "SHA1": "531a782723ecc50ea4fcfbbfe4b94465782a21d0", - "SHA256": "eae8045d43f16e33232fd8bd2399f48b14f8a6391c9fffe38960c03fee978b27" + "MD5": "8a3fb969d6edfb9a860e13a556a9d64f", + "SHA1": "d9cf173dd75bf410c2f7f35247cd4db186af9a41", + "SHA256": "fe14940b5d3068b7ceffd28a529196811f1d0e175522f4dfab26573e7aca0bb4" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "InternalName": "LHA.sys", + "Copyright": "ultrabios@hotmail.com", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ExFreePoolWithTag", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoFreeWorkItem", + "KeReleaseSpinLock", "MmUnmapIoSpace", + "MmFreeNonCachedMemory", + "MmGetPhysicalAddress", + "IoAllocateWorkItem", "MmMapIoSpace", "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "KeAcquireSpinLockRaiseToDpc", + "ExUnregisterCallback", + "PoRegisterPowerSettingCallback", + "ExRegisterCallback", + "ObfDereferenceObject", + "IoQueueWorkItem", + "ExCreateCallback", + "DbgPrint", + "IoWMIQueryAllData", + "MmGetSystemRoutineAddress", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "MmAllocateNonCachedMemory", + "IoCreateDevice", + "ZwClose", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + 
"IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -64475,94 +55077,117 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-09-06 21:30:32", + "ValidTo": "2019-09-06 21:30:32", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000253a2738690a3451c1000000000025", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - }, + } + ], + "Tags": [ + "LHA.sys" + ], + "yara": true + }, + { + "Id": "a005e057-c84f-47cd-9b4b-5b1e51a06ab4", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create fidpcidrv64.sys binPath=C:\\windows\\temp\\fidpcidrv64.sys type=kernel && sc.exe start fidpcidrv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "NTIOLib.sys", - "MD5": "490b1f404c4f31f4538b36736c990136", - "SHA1": "37364cb5f5cefd68e5eca56f95c0ab4aff43afcc", - "SHA256": "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d", + "Filename": "fidpcidrv64.sys", + "MD5": "2fed983ec44d1e7cffb0d516407746f2", + "SHA1": "eb93d2f564fea9b3dc350f386b45de2cd9a3e001", + "SHA256": "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46", 
"Signature": [ - "Micro-Star Int'l Co. Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign" + "Intel(R) Processor Identification Utility", + "Intel External Basic Issuing CA 3A", + "Intel External Basic Policy CA", + "GeoTrust" ], "Date": "", "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "364af1be1135ce8bede31bb6c201f7bb", - "SHA1": "3d0c8e9e7fcd431a91d4c4ea088d94fa371d546b", - "SHA256": "c1c18591d7b68fafa870f3d0f1124a353682765236674cc7476c5f1cc71b1528" + "MD5": "66e3da88d9b3b4637474d0da27a523a6", + "SHA1": "4789b910023a667bee70ff1f1a8f369cffb10fe8", + "SHA256": "7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", + "MmGetSystemRoutineAddress", + "IoGetDeviceAttachmentBaseRef", + "KeInitializeEvent", + "KeWaitForSingleObject", + "IoFreeIrp", + "ExAllocatePoolWithTag", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "ExFreePoolWithTag", "IofCompleteRequest", - "IoDeleteDevice", + "ObReferenceObjectByName", "IoCreateDevice", + "IoDriverObjectType", + "IoEnumerateDeviceObjectList", + "IoBuildSynchronousFsdRequest", + "IoGetDeviceProperty", + "DbgPrint", + "IofCallDriver", "KeBugCheckEx", + "IoDeleteDevice", + "ObfDereferenceObject", "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", + "HalGetBusData", "HalGetBusDataByOffset" ], "Signatures": [ 
@@ -64571,193 +55196,386 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2006-02-16 18:01:30", + "ValidTo": "2016-02-19 18:01:30", + "Signature": "131038ada454a5489545b02d3772c09f9ed8ef8f0bfb9096d2b6177951cab3df067ebdb4e9083f84a00c939fb31ca86c8acf2deef99012f0f83a26d773810e9fc4319259d4282541f555f1ca3d993dda64c8d21864223209092d1de331fafdd347d764a8f95dea8227e24fd2612124611d54263e145964b098d5f3a7c3aead50", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", + "ValidFrom": "2006-05-23 17:01:15", + "ValidTo": "2016-05-23 17:11:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "CN=Intel(R) Processor Identification Utility", + "ValidFrom": "2009-03-19 00:29:29", + "ValidTo": "2012-03-18 00:29:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3A", + "ValidFrom": "2006-03-22 22:22:42", + "ValidTo": "2012-03-22 22:32:42", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "13fd5f58000000002ea3", + "Issuer": "C=US, O=Intel Corporation, CN=Intel External Basic Issuing CA 3A" } ] } ] + } + ], + "Tags": [ + "fidpcidrv64.sys" + ], + "yara": false + }, + { + "Id": "7edb5602-239f-460a-89d6-363ff1059765", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create viragt64.sys binPath=C:\\windows\\temp\\viragt64.sys type=kernel && sc.exe start viragt64.sys", + "Description": [], + 
"Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "6f5d54ab483659ac78672440422ae3f1", - "SHA1": "d62fa51e520022483bdc5847141658de689c0c29", - "SHA256": "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib_X64.sys", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "viragt64.sys", + "MD5": "779af226b7b72ff9d78ce1f03d4a3389", + "SHA1": "9eef72e0c4d5055f6ae5fe49f7f812de29afbf37", + "SHA256": "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506", "Authentihash": { - "MD5": "c7069e41aab11ec8cb06657e6e8babd0", - "SHA1": "156907d0ca2ecff7efa07f479622b018af74bf2f", - "SHA256": "9c513f4d4c38a10af9f4a967bb6c7901275adf0df8046fc7e1b7e4c3e3c7c3cf" + "MD5": "835b8a268127c12be0ebcdd13eae3f16", + "SHA1": "40082d350533c99578bdabfcaf03afe52c83d4a8", + "SHA256": "5f353fc46843155b6b63e75994f5328b9d4344654d5759a5145cd6e64babe3de" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2015 MSI. All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt64.sys", + "FileVersion": "1, 0, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 0, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2011, 2012 - www.tgsoft.it", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "mbstowcs", + "ExAllocatePoolWithTag", + "KeSetTargetProcessorDpc", + "ZwCreateKey", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "KeInitializeMutex", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "RtlInitUnicodeString", "IoDeleteDevice", + "RtlInitAnsiString", + "ZwSetValueKey", + "_strupr", + "KeInitializeDpc", + "ZwQuerySystemInformation", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "ZwSetInformationFile", + "KeReleaseMutex", + "KeDelayExecutionThread", + "ZwCreateFile", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "ExSystemTimeToLocalTime", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "KeInsertQueueDpc", + "ZwEnumerateValueKey", + "ZwClose", + "sprintf", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlTimeToTimeFields", + "MmProbeAndLockPages", + "ZwOpenProcess", + "MmUnlockPages", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", + "ZwTerminateProcess", + "wcstombs", + "KeNumberProcessors", + "ZwQueryInformationFile", + "MmIsNonPagedSystemAddressValid", + "ZwWriteFile", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "IoAllocateMdl", + "ZwOpenKey", + "ObOpenObjectByName", + "swprintf", + "RtlUnicodeStringToAnsiString", + "ZwOpenDirectoryObject", + "IoFileObjectType", + "IoDriverObjectType", + "ZwQueryDirectoryObject", + "KeQueryActiveProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ExQueueWorkItem", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "__chkstk", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, 
O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2010-01-15 00:00:00", + "ValidTo": "2013-01-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "25008956fcdc548a3079b096ef96c928", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "dd04cd3de0c19bede84e9c95a86b3ca8", - "SHA1": "93aa3bb934b74160446df3a47fa085fd7f3a6be9", - "SHA256": "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "25ebe6f757129adbe78ec312a5f1800b", + "SHA1": "d17656f11b899d58dca7b6c3dd6eef3d65ae88e2", + "SHA256": "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24", "Authentihash": { - "MD5": "55cd6f1f309b3409bf2cb92a4eb56e74", - "SHA1": "e7558eaa5e3357ca3010ee219cf52fdf46e5cd5a", - "SHA256": "a502c904a7fe42183d3ea66f1e01fbd4321eb202280b054b9124dd333f093ba2" + "MD5": "78428144608ab49b0508197849200ab0", + "SHA1": "eb528a7bc5b0d9efe5872e16f42420291c6df07f", + "SHA256": "04f771d72a812fe9dd6bced402b36b081c80bd3397fdd66dbaa44906ac088159" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1.25.0.0", + "Product": "VirIT Agent System", + "ProductVersion": "1.25.0.0", + "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2010 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "ZwQueryValueKey", "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "PsTerminateSystemThread", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "memcpy", "IoCreateSymbolicLink", + "IoCreateDevice", + "PsCreateSystemThread", + "KeInitializeMutex", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "RtlUnicodeStringToAnsiString", + "ZwQueryDirectoryObject", + "KeTickCount", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + 
"mbstowcs", + "ZwClose", + "memset", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwQueryInformationFile", + "RtlUnwind", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KfRaiseIrql" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -64768,84 +55586,170 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2010-01-15 00:00:00", + "ValidTo": "2013-01-26 23:59:59", + "Signature": "49acd6daead15fe8d7445a98d9c495f32e30c0bfe703acba889230d0e71911d319656ef50b2116f52fafc0e98010c27d23c59fc85bfd5a20c274a171279702f4c34435fe76b9746a39c64fd401aec55d0e1dedb33f6a8a4a35b3e4438ea30563562e3627df7abd77736982bd73966cd56b223a57e8cb3e709c316aa968eb8f9ef84560f0d68dc6e37ae179cca59e1ca21216cd04ac1f0913dbfb2ea258ebce38b3b329b2b9bd4dce4c6b568bebe1323e4622a0678ee5326540fbf0667684c9936eae2d879bb500e7f5684633e203cf5c9fcffad04ed7c712678d4209f32f280c1bf91b228a1d88a43f2b9cc0f68109b0ee81f935a87bfef1cf309fa7093a9c51", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "25008956fcdc548a3079b096ef96c928", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "95e4c7b0384da89dce8ea6f31c3613d9", - "SHA1": "ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b", - "SHA256": "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib for MSIClock_CC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "650f6531db6fb0ed25d7fc70be35a4da", + "SHA1": "7ee675f0106e36d9159c5507b96c3237fb9348cd", + "SHA256": "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8", "Authentihash": { - "MD5": "0c06dcbb129db21d296df3f6f8e98514", - "SHA1": "d3642da8e37cb772b1dd7b75a69323a4a00566c8", - "SHA256": 
"ce89124d29b5e562bbcc2f07b1dfac0f22dd66ad3deb32dd32c8c138a3739ef8" + "MD5": "fbbb02331ba15c59930554299f14b793", + "SHA1": "2c300726f3806b6d077fe58ae8d2b257d654a700", + "SHA256": "f78e06f649bc0d88770c5465d7792abeb27631ec0ce9a0fa68698b94ebf2cf49" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1, 65, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 65, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2012 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + 
"KeNumberProcessors", + "IofCompleteRequest", + "memcpy", + "IoCreateSymbolicLink", "IoCreateDevice", + "PsCreateSystemThread", + "KeInitializeMutex", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "RtlUnicodeStringToAnsiString", + "ZwQueryDirectoryObject", + "IoFileObjectType", + "swprintf", + "DbgPrint", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + "RtlCompareMemory", + "IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", + "KeTickCount", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -64863,84 +55767,172 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2010-01-15 00:00:00", + "ValidTo": "2013-01-26 23:59:59", + "Signature": "49acd6daead15fe8d7445a98d9c495f32e30c0bfe703acba889230d0e71911d319656ef50b2116f52fafc0e98010c27d23c59fc85bfd5a20c274a171279702f4c34435fe76b9746a39c64fd401aec55d0e1dedb33f6a8a4a35b3e4438ea30563562e3627df7abd77736982bd73966cd56b223a57e8cb3e709c316aa968eb8f9ef84560f0d68dc6e37ae179cca59e1ca21216cd04ac1f0913dbfb2ea258ebce38b3b329b2b9bd4dce4c6b568bebe1323e4622a0678ee5326540fbf0667684c9936eae2d879bb500e7f5684633e203cf5c9fcffad04ed7c712678d4209f32f280c1bf91b228a1d88a43f2b9cc0f68109b0ee81f935a87bfef1cf309fa7093a9c51", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "25008956fcdc548a3079b096ef96c928", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "9aa7ed7809eec0d8bc6c545a1d18107a", - "SHA1": "35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd", - "SHA256": "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.01", - "FileVersion": "1.0.0.01", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "3467b0d996251dc56a72fc51a536dd6b", + "SHA1": "ca33c88cd74e00ece898dca32a24bdfcacc3f756", + "SHA256": "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a", "Authentihash": { - "MD5": "37256f56e87f5530dd63e3069a3e3252", - "SHA1": "17f4ab1865a5a2be4768cd25019439441fd0e10b", - "SHA256": 
"61a3bf24d4e3eac56c380b022dfc195bad4cc8d03156cdc3ba743faab582284a" + "MD5": "e39802ea77fa83f1939a50985f9036c0", + "SHA1": "070c6795aa64c2bce7867e280016fb1d2af86dca", + "SHA256": "ac42c7b1d9feccd48c305698942186d580b7bfd047bb73dbf028f3fed7aa24ad" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2016 Micro-Star INT'L CO., LTD.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1, 74, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 74, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2013 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "strstr", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + 
"KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "PsCreateSystemThread", + "memcpy", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoCreateDevice", + "KeInitializeMutex", + "RtlUnicodeStringToAnsiString", + "IoGetDeviceObjectPointer", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "IoFileObjectType", + "swprintf", + "DbgPrint", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + "RtlCompareMemory", + "IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", + "KeTickCount", + "KeBugCheckEx", + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -64950,13 +55942,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -64965,254 +55950,334 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2012-12-31 00:00:00", + "ValidTo": "2016-02-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "c02f70960fa934b8defa16a03d7f6556", - "SHA1": "3805e4e08ad342d224973ecdade8b00c40ed31be", - "SHA256": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt64.sys", + "MD5": "688a10e87af9bcf0e40277d927923a00", + "SHA1": "388819a7048179848425441c60b3a8390ad04a69", + "SHA256": "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285", "Authentihash": { - "MD5": "c6830e904e56ea951005ea7639eedd35", - "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", - "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" + "MD5": "2a499183392f0d3835f957bbe6b538ba", + "SHA1": "f8a9a8d7c704069d4fff9c26740115c1f4ba3499", + "SHA256": "605e0efa14fc8443dc43c2068f17e6f175369909d5f7f1c3730fb5fe062528e6" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt64.sys", + "FileVersion": "1, 0, 0, 4", + "Product": "VirIT Agent System", + "ProductVersion": "1, 0, 0, 4", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2011, 2013 - www.tgsoft.it", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "mbstowcs", + "ExAllocatePoolWithTag", + "KeSetTargetProcessorDpc", + "ZwCreateKey", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "KeInitializeMutex", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "strstr", + "RtlInitUnicodeString", "IoDeleteDevice", + "RtlInitAnsiString", + "ZwSetValueKey", + "_strupr", + "KeInitializeDpc", + "ZwQuerySystemInformation", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "ZwSetInformationFile", + "KeReleaseMutex", + "KeDelayExecutionThread", + "ZwCreateFile", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "ExSystemTimeToLocalTime", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "KeInsertQueueDpc", + "ZwEnumerateValueKey", + "ZwClose", + "sprintf", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlTimeToTimeFields", + "MmProbeAndLockPages", + "ZwOpenProcess", + "MmUnlockPages", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", "IoCreateDevice", + "ZwTerminateProcess", + "KeNumberProcessors", + "ZwQueryInformationFile", + "MmIsNonPagedSystemAddressValid", + "ZwWriteFile", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "IoAllocateMdl", + "ZwOpenKey", + "ObOpenObjectByName", + "swprintf", + "RtlUnicodeStringToAnsiString", + "ZwOpenDirectoryObject", + "IoFileObjectType", + "IoDriverObjectType", + "ZwQueryDirectoryObject", + "wcstombs", + "KeQueryActiveProcessors", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", + "IofCompleteRequest", + "ExQueueWorkItem", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "__chkstk", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": 
"C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - }, - { - "Filename": "NTIOLib.sys", - "MD5": "300c5b1795c9b6cc1bc4d7d55c7bbe85", - "SHA1": "65d8a7c2e867b22d1c14592b020c548dd0665646", - "SHA256": "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", - "Authentihash": { - "MD5": "6b5dd12cfdee0cf8a654eacc65028c36", - "SHA1": "081d87fdb40a348b85382c63ea029281f213b778", - "SHA256": "d82a938dc7b0077a06d940bd3ce6097e3b02cdc254ec6fd863c0e526f2af69fa" - }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2012-12-31 00:00:00", + "ValidTo": "2016-02-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "4cccaccf48f6d93fb37178d7fce6209c", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "3dbf69f935ea48571ea6b0f5a2878896", - "SHA1": "c8d87f3cd34c572870e63a696cf771580e6ea81b", - "SHA256": "e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - 
"Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "3d5164e85d740bce0391e2b81d49d308", + "SHA1": "7ce978092fadbef44441a5f8dcb434df2464f193", + "SHA256": "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605", "Authentihash": { - "MD5": "c80d819869c1718a58dfada2167e842c", - "SHA1": "0d6b74ac325c816bfdc20aa4a0fc0eb2cd45f4e6", - "SHA256": "f8ffb8a23be71c26f784905110b7e752473be55216300d08a83c40c1496fb6c1" + "MD5": "fca297e7088250ac73298a7d623e1137", + "SHA1": "d1d6535cd02ff50825941130fe992fcdc91c71cd", + "SHA256": "401ed2d2768707b5c47556774c119f989986a9e2fa88e1e2626f14e22b85e66b" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1, 60, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 60, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2006, 2011 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "memcpy", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoCreateDevice", + "PsCreateSystemThread", + "KeInitializeMutex", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "RtlUnicodeStringToAnsiString", + "ZwQueryDirectoryObject", + "DbgPrint", + "IoFileObjectType", + "swprintf", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + 
"RtlCompareMemory", + "IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", + "KeTickCount", + "KeBugCheckEx", + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
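Review bot: The added viragt.sys / viragt64.sys records use the key `"FileName"` while the NTIOLib records they replace in this hunk used `"Filename"`, and `"CertificatesInfo"` changes from the string `""` to the array `[]` — two schema shifts inside one data file. If the consumer in pkg/loldrivers decodes this into a typed struct (likely for a Go package, but not visible here), the case mismatch silently leaves the filename empty and the string-to-array change can make the whole unmarshal fail, so a driver-blocklist lookup would either miss these entries or load nothing at all. The new records also drop the `"Signature"`, `"Date"` and `"Publisher"` keys that the removed entries carried, which any name- or signer-based matching should be checked against. I would normalise these records to a single spelling, e.g. `"Filename": "viragt64.sys"`, and keep `"CertificatesInfo"` one type throughout, or make the loader tolerant of both forms and verify that every entry yields a non-empty filename and hash set after decoding.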
@@ -65223,268 +56288,515 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2010-01-15 00:00:00", + "ValidTo": "2013-01-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "25008956fcdc548a3079b096ef96c928", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "8d63e1a9ff4cafee1af179c0c544365c", - "SHA1": "c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60", - "SHA256": "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib For MSISimple_OC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.2", - "FileVersion": "1.0.0.2", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "3ad7b36a584504b3c70b5f552ba33015", + "SHA1": "d363011d6991219d7f152609164aba63c266b740", + "SHA256": "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148", "Authentihash": { - "MD5": "7e9154ee514d494701eb8559524f8e2e", - "SHA1": "95c5f63e97d18e1ccc449a79ec952a5f6e76b9eb", - "SHA256": "543ee203b355c4cbac74d9bac71fb73c0c5c5c3afe268e2ae8ae48d61d350709" + "MD5": "bec44ba7f52a8c4700876db0c566d696", + "SHA1": "3854d0364d7379bcb7d59311823cadc3e34d1612", + "SHA256": "230fe99d425e870cc03383b195d5a8c0ef3d191baaa4104f6f4cdee4960c48fc" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2011-2012 MSI. 
All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1, 38, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 38, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2011 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "memcpy", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoCreateDevice", + "PsCreateSystemThread", + "KeInitializeMutex", + "ObOpenObjectByName", + "IoDriverObjectType", + 
"ZwOpenDirectoryObject", + "RtlUnicodeStringToAnsiString", + "ZwQueryDirectoryObject", + "DbgPrint", + "IoFileObjectType", + "swprintf", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + "RtlCompareMemory", + "IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", + "KeTickCount", + "KeBugCheckEx", + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", 
- "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": 
"87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2010-01-15 00:00:00", + "ValidTo": "2013-01-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "25008956fcdc548a3079b096ef96c928", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "e9a30edef1105b8a64218f892b2e56ed", - "SHA1": "d34a7c497c603f3f7fcad546dc4097c2da17c430", - "SHA256": "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib for MSICPU_CC", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "viragt.sys", + "MD5": "08e06b839499cb4b752347399db41b57", + "SHA1": "b53c360b35174bd89f97f681bf7c17f40e519eb6", + "SHA256": "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850", "Authentihash": { - "MD5": "01a9049b40b0e848649dd1e0d224e63e", - "SHA1": "9030ba396131afec733fc208ef55a4d37b6ffc07", - "SHA256": "826e80ea5f657c75127c066b86caea8089f33b09b12c3d393fca8efedd40c1ef" + "MD5": "d1d42d44e5fcfd9c0a148b0d85f911d0", + "SHA1": "eb2d192b58a979cdb127fb81049ff19b07dbe45e", + "SHA256": "b59ad4a1f71f8379c89fc3bc1d2827b0785bbb0192b43549034f24a133eea3a5" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "Description": "VirIT Agent System", + "Company": "TG Soft S.a.s.", + "InternalName": "viragt.sys", + "OriginalFilename": "viragt.sys", + "FileVersion": "1, 80, 0, 0", + "Product": "VirIT Agent System", + "ProductVersion": "1, 80, 0, 0", + "Copyright": "Copyright (C) TG Soft S.a.s. 2006, 2016 - www.tgsoft.it", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "RtlInitAnsiString", + "wcstombs", + "ZwOpenKey", + "ZwSetValueKey", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwCreateFile", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "ZwReadFile", + "ZwWriteFile", + "ZwSetInformationFile", + "ZwOpenProcess", + "ZwTerminateProcess", + "_strupr", + "ZwQuerySystemInformation", + "IoFreeMdl", + "MmUnlockPages", + "MmIsAddressValid", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmIsNonPagedSystemAddressValid", + "IoGetCurrentProcess", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", + "sprintf", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "strstr", + "KeServiceDescriptorTable", + "KeReleaseMutex", + "KeDelayExecutionThread", + "RtlAnsiStringToUnicodeString", + "ExQueueWorkItem", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeInitializeDpc", + "KeNumberProcessors", + "IofCompleteRequest", + "PsCreateSystemThread", + "memcpy", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoCreateDevice", + "KeInitializeMutex", + "RtlUnicodeStringToAnsiString", + 
"IoGetDeviceObjectPointer", + "ObOpenObjectByName", + "IoDriverObjectType", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "IoFileObjectType", + "swprintf", + "DbgPrint", + "IoFreeIrp", + "MmUnmapLockedPages", + "KeSetEvent", + "MmLockPagableSectionByHandle", + "MmLockPagableDataSection", + "IoAllocateIrp", + "_wcsnicmp", + "RtlCompareMemory", + "IoBuildDeviceIoControlRequest", + "_alldiv", + "wcsrchr", + "ZwQueryVolumeInformationFile", + "ZwDeviceIoControlFile", + "_strnicmp", + "ZwFsControlFile", + "_allmul", + "ObfReferenceObject", + "_allrem", + "_stricmp", + "strrchr", + "KeQueryActiveProcessors", + "KeTickCount", + "KeBugCheckEx", + "ZwCreateKey", + "ZwQueryValueKey", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "mbstowcs", + "ZwClose", + "memset", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "RtlUnwind", + "KeRaiseIrqlToDpcLevel", + "KfRaiseIrql", + "KfLowerIrql", + "KeGetCurrentIrql", + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_BUFFER_UCHAR", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": 
"2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. Di Tonello Gianfranco e C.", + "ValidFrom": "2016-01-20 00:00:00", + "ValidTo": "2019-03-11 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "viragt64.sys" + ], + "yara": true + }, + { + "Id": "a66d0413-cc82-4f1e-bcf1-0dcf9d79f6c0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + 
"Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_HWMIO64_W10.sys binPath=C:\\windows\\temp\\BS_HWMIO64_W10.sys type=kernel && sc.exe start BS_HWMIO64_W10.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "361a598d8bb92c13b18abb7cac850b01", - "SHA1": "1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b", - "SHA256": "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BS_HWMIO64_W10.sys", + "MD5": "d2588631d8aae2a3e54410eaf54f0679", + "SHA1": "cb3de54667548a5c9abf5d8fa47db4097fcee9f1", + "SHA256": "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8", "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "Microsoft 
Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" ], "Date": "", "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Company": "BIOSTAR Group", + "Description": "I/O Interface driver file", + "Product": "BIOSTAR I/O driver", + "ProductVersion": "10, 0, 1806, 2200", + "FileVersion": "10, 0, 1806, 2200", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "BS_HWMIO64_W10.sys", "Authentihash": { - "MD5": "94faebdbb74a0b99a8a17430671cdf9e", - "SHA1": "aca4c47b4823b5653cb42e599ee6168f435bdcc7", - "SHA256": "21a6689456d9833453d5247e4c5faf13edcd4835408e033c40ae1a225711ae8f" + "MD5": "88704eaf268ad2d72eb099de209873c6", + "SHA1": "2d8499e9b45d7ae198cab59c7435bc83cd4162a0", + "SHA256": "c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "InternalName": "I/O driver", + "Copyright": "Copyright (c) 2018-2019 BIOSTAR Group", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "KeInitializeSemaphore", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeSetEvent", "MmUnmapIoSpace", + "KeDelayExecutionThread", + "PsCreateSystemThread", + "IoStartNextPacket", + "PsTerminateSystemThread", + "ExEventObjectType", "MmMapIoSpace", - "IofCompleteRequest", "IoDeleteDevice", - "IoCreateDevice", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeReleaseSemaphore", + "ObfDereferenceObject", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "IoStartPacket", + "IofCompleteRequest", + "KeRemoveEntryDeviceQueue", "KeBugCheckEx", "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "ZwClose", "IoDeleteSymbolicLink", - "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], 
@@ -65494,94 +56806,146 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, 
L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2017-10-05 17:44:16", + "ValidTo": "2018-10-05 17:44:16", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning 
CA , G2" + "SerialNumber": "330000001f9800c911029569be00000000001f", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "BS_HWMIO64_W10.sys" + ], + "yara": true + }, + { + "Id": "8d3f27bd-c3fd-48d0-913a-e2caa6fbd025", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create rtkio64.sys binPath=C:\\windows\\temp\\rtkio64.sys type=kernel && sc.exe start rtkio64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761.yara" }, { - "Filename": "NTIOLib.sys", - "MD5": "7b43dfd84de5e81162ebcfafb764b769", - "SHA1": "0b8b83f245d94107cb802a285e6529161d9a834d", - "SHA256": "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d", - "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "rtkio64.sys", + "MD5": "7aa34cd9ea5649c24a814e292b270b6f", + "SHA1": "b21cba198d721737aabd882ada6c91295a5975ed", + "SHA256": "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761", "Authentihash": { - "MD5": "85dcbf05c91ceacc919a1638dd3c8f9f", - "SHA1": "3d947aff431bb8ec02d9be3b4499312a62d4fec9", - "SHA256": "5c22b7f65de948fdb74ffc3b5bae68f109bf7404a154ddbfa25dfd53e1bde667" + "MD5": "dbcdc8d0f902e064773b158644ee717d", + "SHA1": "7593d46a73ec00e00aef3e9d0031c2b21b74ecfb", + "SHA256": "64d060216cf55210f595609487b708d5e70e0706a8de0827369bf58898205f34" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "Realtek IO Driver", + "Company": "Realtek ", + "InternalName": "rtkio64.sys ", + "OriginalFilename": "rtkio64.sys ", + "FileVersion": "1.006.0118.2017 built by: WinDDK", + "Product": "Realtek IO Driver ", + "ProductVersion": "1.006.0118.2017", + "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. 
", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", "MmMapIoSpace", - "IofCompleteRequest", + "MmUnmapLockedPages", + "ExUnregisterCallback", + "ExAllocatePoolWithTag", + "IoWMIRegistrationControl", + "KeQueryActiveProcessors", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "IoWMIWriteEvent", + "IoRegisterShutdownNotification", + "RtlInitUnicodeString", "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmMapLockedPagesSpecifyCache", + "ZwQueryValueKey", + "IofCompleteRequest", + "ExRegisterCallback", + "RtlCompareMemory", + "IoCreateSymbolicLink", + "KeSetSystemAffinityThread", + "ObfDereferenceObject", "IoCreateDevice", + "ExCreateCallback", + "IoAllocateMdl", + "ZwOpenKey", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", + "IoFreeMdl", + "_vsnprintf", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "KeStallExecutionProcessor" ], "Signatures": [ { 
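Review bot: The new rtkio64.sys record in this hunk has a different shape from the BS_HWMIO64_W10.sys record just above it: `"Commands"` is a bare string here but an object with `Command`/`Usecase`/`Privileges` keys there, `"Description"` and `"Acknowledgement"."Person"` are `[]` instead of `""`, and the sample key is spelled `"FileName"` where the other records use `"Filename"`. If the loader in pkg/loldrivers decodes this into a fixed struct (not visible from here), a string where an object is expected can fail the unmarshal of the whole file, and the `FileName` spelling is silently dropped so this driver would never match by name; the same spelling recurs for viragt.sys in the hunk above and for rtkio.sys in the next one. The trailing spaces in `"Company": "Realtek "` and `"InternalName": "rtkio64.sys "` likewise defeat exact-string comparisons unless the loader trims them. Either normalise the upstream export before vendoring it (`"Filename"`, `""` for absent scalars, one `Commands` shape) or make the loader tolerant of both shapes and log records it cannot decode instead of discarding them.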
@@ -65589,106 +56953,114 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 
2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2016-06-13 00:00:00", + "ValidTo": "2019-01-24 12:00:00", + "Signature": "9616a10e728762896fad0b74d574eb1775ae3bd1b12dc07441d668ec373ffb2ed5590d43f821b8d440c8e11338272d0cd1bc0ea5c05a428538c0ba1195e800c51e81db998174bdbe25be284a2c367d3578cf801524bd9f18b9098f4ee79f45a0e9af74894b828523f0b2c1c6837bc572da3be7f769e8df8749f26fd05087cc4b09fedac11c037e3690441286f8c52c09f18c7c179138f4844a8d99d8f9e7dec178ead089e12a05469c046a3c85b43d038811f02c6803128bf9bc1b757a2bb72d3ad61f670d3ae856ade0165f9dff89c36592b5295ead0718458c19c2f21781cd1ef0685049ebddd88806cd17e6eab078e2f0a505845ee5d9fca6904260ef8a1a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - 
"Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": 
"46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0320be3eb866526927f999b97b04346e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } ] }, { - "Filename": "NTIOLib.sys", - "MD5": "f66b96aa7ae430b56289409241645099", - "SHA1": "c969f1f73922fd95db1992a5b552fbc488366a40", - "SHA256": "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "rtkio.sys", + "MD5": "ffd0c87d9bf894af26823fbde94c71b6", + "SHA1": "eacfc73f5f45f229867ee8b2eb1f9649b5dd422e", + "SHA256": "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677", "Authentihash": { - "MD5": "b9951498dd00ac42a36a6f5d59ebe98d", - "SHA1": "0c429ee64668374fdf6d187071d4f0a932992a5f", - "SHA256": "2e5648f892460e2a2a450519b523007ca6973a3679a59c07582aa5bdbd6584d4" + "MD5": "d543d754cbb1d404d62b6c574a1aa3cd", + "SHA1": "daca8d39b72bbe8a5b6d5fa35bbb4ecef198a359", + "SHA256": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "Realtek IODriver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "rtkio.sys", + "OriginalFilename": "rtkio.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", + "KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "ExAllocatePool", + "DbgPrint", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", + "IoCreateSymbolicLink", "IoCreateDevice", - "KeBugCheckEx", + "KeTickCount", + "IoFreeMdl", + "MmUnmapIoSpace", + "ExFreePoolWithTag", "RtlInitUnicodeString", - "IoCreateSymbolicLink", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoDeleteDevice", + "MmBuildMdlForNonPagedPool", + "IofCompleteRequest", + "RtlUnwind", + "KeBugCheckEx", + "WRITE_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "READ_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -65699,366 +57071,224 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": 
"2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - } - ], - "Tags": [ - "NTIOLib.sys" - ] - }, - { - "Id": "127cde1d-905e-4c67-a2c3-04ea4deaea7d", - "Author": "Michael Haag", - "Created": "2023-02-28", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create wantd_6.sys binPath=C:\\windows\\temp\\wantd_6.sys type=kernel && sc.exe start wantd_6.sys", - "Description": "Driver used in the 
Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "Subject": "C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RTCN, CN=Realtek Semiconductor Corp", + "ValidFrom": "2010-07-21 00:00:00", + "ValidTo": "2013-06-11 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2c80892e0115b0b77aa3594b9a733953", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, { - "Filename": "wantd_6.sys", - "MD5": "4b058945c9f2b8d8ebc485add1101ba5", - "SHA1": "37e6450c7cd6999d080da94b867ba23faa8c32fe", - "SHA256": "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e", - "Signature": "The digital signature of the object did not verify.", - "Date": "8:23 PM 2/28/2022", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", - "Company": "Microsoft Corporation", - "Description": "WAN Transport Driver", - "Product": "Microsoft Windows Operating System", - "ProductVersion": "6.1.7600.1172", - "FileVersion": "6.1.7600.1172", - "MachineType": "AMD64", - "OriginalFilename": "wantd.sys", + "FileName": "rtkiow10x64.sys", + "MD5": "96a8b535b5e14b582ca5679a3e2a5946", + "SHA1": "f6b3577ea4b1a5641ae3421151a26268434c3db8", + "SHA256": "ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89", "Authentihash": { - "MD5": "3bfdb46b5ad5fa267b992a2350a6518a", - "SHA1": 
"cb65c6f9f411892d13ffe8ba1cb5e9c4be2c0a25", - "SHA256": "bd243e33fa80f4bd6010c23ecdf94b6008fee30df248255dcfe014c91f2ce2af" + "MD5": "02f3eb42f514eb2652d6097e36874a1c", + "SHA1": "3c5cc137458500a4a7a0be5860a02a00df92e2d8", + "SHA256": "8944a3f50f38d92d17b8cfe2e08201a79ea30f38812d18f28036e59789d3f58c" }, - "InternalName": "wantd.sys", - "Copyright": "Microsoft Corporation. All rights reserved.", + "Description": "Realtek IO Driver", + "Company": "Realtek ", + "InternalName": "rtkiow10x64.sys ", + "OriginalFilename": "rtkiow10x64.sys ", + "FileVersion": "1.009.0709.2020", + "Product": "Realtek IO Driver ", + "ProductVersion": "1.009.0709.2020", + "Copyright": "Copyright (C) 2020 Realtek Semiconductor Corporation. All Right Reserved. ", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "wcsncmp", - "IoAllocateMdl", - "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "_strnicmp", + "KfRaiseIrql", + "MmUnmapIoSpace", + "MmMapIoSpaceEx", + "RtlInitUnicodeString", + "MmGetSystemRoutineAddress", + "KeSetSystemAffinityThreadEx", + "KeQueryActiveProcessors", "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "_wcsnicmp", - "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", - "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "atoi", - "_snprintf", - "ZwQuerySystemInformation", - "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", - "RtlImageDirectoryEntryToData", - "KeDetachProcess", - "ZwOpenFile", - "ZwCreateFile", - "PsCreateSystemThread", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeAttachProcess", - "PsGetVersion", - 
"PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", - "ZwQueryInformationProcess", + "ExCreateCallback", + "ExRegisterCallback", + "ExUnregisterCallback", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "KeLowerIrql", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoRegisterShutdownNotification", + "IoUnregisterShutdownNotification", + "IoWMIRegistrationControl", "ObfDereferenceObject", + "ZwClose", + "ZwOpenKey", + "ZwQueryValueKey", + "__C_specific_handler", + "ZwCreateKey", + "MmUnmapLockedPages", + "_vsnprintf", + "ZwSetSecurityObject", + "IoDeviceObjectType", "IoCreateDevice", - "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "PsLookupThreadByThreadId", - "RtlLengthSid", + "ObOpenObjectByPointer", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", "RtlCreateSecurityDescriptor", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", - "ZwDeviceIoControlFile", - "IofCompleteRequest", - "ZwClose", - "MmMapLockedPagesSpecifyCache", - "KeDelayExecutionThread", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "ZwWaitForSingleObject", - "RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", - "NdisFreeMemory", - "NdisMIndicateStatus", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + 
"RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=HSINCHU, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2020-01-09 00:00:00", + "ValidTo": "2020-09-15 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured 
ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "04df4d56733ae38d598ea004dd2d9c51", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } ] - } - ], - "Tags": [ - "wantd_6.sys" - ] - }, - { - "Id": "354a9fcf-acf1-4151-94d2-af88116f605c", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create piddrv.sys binPath=C:\\windows\\temp\\piddrv.sys type=kernel && sc.exe start piddrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "piddrv.sys", - "SHA1": "a7d827a41b2c4b7638495cd1d77926f1ba902978", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" }, { - "Filename": "piddrv.sys", - "SHA1": "877c6c36a155109888fe1f9797b93cb30b4957ef", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - 
"ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "piddrv.sys" - ] - }, - { - "Id": "de4dd27a-1f7e-4271-98a4-55395ab6aabf", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BS_I2c64.sys binPath=C:\\windows\\temp\\BS_I2c64.sys type=kernel && sc.exe start BS_I2c64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "BS_I2c64.sys", - "MD5": "83601bbe5563d92c1fdb4e960d84dc77", - "SHA1": "dc55217b6043d819eadebd423ff07704ee103231", - "SHA256": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", - "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "BIOSTAR Group", - "Description": "I/O Interface driver file", - "Product": "BIOSTAR I/O driver fle", - "ProductVersion": "1, 1, 0, 0", - "FileVersion": "1, 1, 0, 0", - "MachineType": "AMD64", - "OriginalFilename": "BS_I2cIo.sys", + "FileName": "rtkio.sys", + "MD5": "664ad9cf500916c94fc2c0020660ac4e", + "SHA1": "444f96d8943aec21d26f665203f3fb80b9a2a260", + "SHA256": "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab", "Authentihash": { - "MD5": "bcc1ae726001fdbabb8159e3b333f3fd", - "SHA1": "7885fb33d8800fa3c036252af70e0a8391ab367d", - "SHA256": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4" + "MD5": "2131039a2273befb71bfd7aedf9196b1", + "SHA1": "df5d3b52f987c4b48c6d164d8266e57c86a4a2d7", + "SHA256": 
"1044ea40d459fe4c619a44afe53e6ff5a9cc5a37cf568d974ae23ed62da58759" }, - "InternalName": "I/O driver", - "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", + "Description": "Realtek IODriver", + "Company": "Windows (R) Codename Longhorn DDK provider", + "InternalName": "rtkio.sys", + "OriginalFilename": "rtkio.sys", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "KeSetSystemAffinityThread", + "IoCreateDevice", + "DbgPrint", + "IoAllocateMdl", + "MmUnmapLockedPages", + "KeQueryActiveProcessors", "IoDeleteSymbolicLink", - "IoStartNextPacket", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", + "ExFreePoolWithTag", + "IoCreateSymbolicLink", + "IoDeleteDevice", "MmUnmapIoSpace", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "ExAllocatePool", + "MmMapIoSpace", + "KeBugCheckEx", "RtlInitUnicodeString", - "KeRemoveEntryDeviceQueue", "IofCompleteRequest", - "IoStartPacket", - "IoCreateDevice", - "IoCreateSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "__C_specific_handler", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -66069,10 +57299,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
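Review bot: The two sample records added in this hunk spell the filename key as `"FileName"` (`"FileName": "rtkiow10x64.sys"`, `"FileName": "rtkio.sys"`) while the records around them, including the nt4.sys sample added further down, still use `"Filename"`, so the same array now carries this field under two spellings. Whether that matters depends on how pkg/loldrivers decodes the file, which is not visible here; a consumer that matches keys case-sensitively would silently read an empty filename for these entries and any filename-based lookup would skip them. Several new values also carry trailing whitespace that an exact name comparison will not tolerate: `"Company": "Realtek "`, `"InternalName": "rtkiow10x64.sys "`, `"OriginalFilename": "rtkiow10x64.sys "`, `"Product": "Realtek IO Driver "`. Because this file is regenerated from upstream, the fix belongs in the import step (normalise the key to one spelling, trim string values) rather than in a hand edit of the JSON. The first changed record's enclosing object begins before this hunk.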
@@ -66083,17 +57313,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2007-10-16 00:00:00", - "ValidTo": "2010-10-20 23:59:59", - "Signature": "bd6d9abbee60d79e542436d85a6a1ee7cf79e08e0947e5c74d227cdf7e710069e4a5ea9faf821e4e8a98fc8619b24ec41be8cd2d54b65778405c0b1a159184f671bacc976999c08a1df6013408976dbc9ba5dc5001e7da5ca2eef4109b4f57b700d897913a855e00ccf5a96de2b8fa9878e8353e0b7a7753d01cb7b9b47504a9f28629acc9643e4c35f2133362bbfb5adc633501cac7d6553cf553c52998f600043e4030fcc5740ad575b0820f4a0088e77c78e1b5e64b48c2553c362e3a771c2ebe604f28c42db392098e120af5fe67fe7d8b241213f418800a43ecd1759d1c68e54e20cd6ba2cc2ccbb4b189a9a9920b146e8855239a91dd3e01cd640dbadc", + "Subject": "C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RTCN, CN=Realtek Semiconductor Corp", + "ValidFrom": "2010-07-21 00:00:00", + "ValidTo": "2013-06-11 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4d3675c15944120a97b4ae294ec73245", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "2c80892e0115b0b77aa3594b9a733953", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } 
@@ -66101,26 +57331,27 @@ } ], "Tags": [ - "BS_I2c64.sys" - ] + "rtkio64.sys" + ], + "yara": true }, { - "Id": "e299b0b6-e5e2-45b3-bf0b-c008068cebfa", + "Id": "1d4f7a3a-786b-4a74-b34f-14d44343de9e", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create BS_Flash64.sys binPath=C:\\windows\\temp\\BS_Flash64.sys type=kernel && sc.exe start BS_Flash64.sys", + "Command": "sc.exe create nt4.sys binPath=C:\\windows\\temp \\n \\n \\n t4.sys type=kernel && sc.exe start nt4.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", @@ -66129,15 +57360,9 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "BS_Flash64.sys", - "MD5": "f5051c756035ef5de9c4c48bacb0612b", - "SHA1": "e83458c4a6383223759cd8024e60c17be4e7c85f", - "SHA256": "86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219", - "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], + "Filename": "nt4.sys", + "SHA256": "d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102", + "Signature": [], "Date": "", "Publisher": "", "Company": "", 
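Review bot: The new `Command` value for the nt4.sys entry is corrupted: `binPath=C:\\windows\\temp \\n \\n \\n t4.sys` no longer denotes a path, and it reads as though the `\\n` in `temp\\nt4.sys` was interpreted as a newline escape somewhere in the pipeline and then re-serialised with spaces. Every other entry in this region keeps the `C:\\windows\\temp\\<name>` form, so this looks like a serialisation bug rather than intended data; the value should presumably read `C:\\windows\\temp\\nt4.sys`. It is worth checking whether the importer or the upstream source performs the escaping, since if so any other filename whose first letter forms a backslash escape would be mangled the same way, and a hash-only record like this one would then be useless for name-based detection.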
@@ -66145,1511 +57370,4197 @@ "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "cf428ad377e1fd1a045e058b896fcee2", - "SHA1": "5107438a02164e1bcedd556a786f37f59cd04231", - "SHA256": "543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteDevice", - "RtlFreeUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAnsiStringToUnicodeString", - "RtlInitString", - "IofCompleteRequest", - "MmMapLockedPages", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2006-09-25 00:00:00", - "ValidTo": "2007-10-20 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "49a570277854e9481d38e34c081226ee", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] + "MachineType": "", + "OriginalFilename": "" } ], "Tags": [ - "BS_Flash64.sys" - ] + "nt4.sys" + ], + "yara": false }, { - "Id": "a261cd64-0d04-4bf5-ad73-f3bb96bf83cf", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create PCHunter.sys binPath=C:\\windows\\temp\\PCHunter.sys type=kernel && sc.exe start PCHunter.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Id": "79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create VBoxDrv.sys binPath=C:\\windows\\temp\\VBoxDrv.sys type=kernel && sc.exe start VBoxDrv.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "PCHunter.sys", - "MD5": "c2c1b8c00b99e913d992a870ed478a24", - "SHA1": "a64354aac2d68b4fa74b5829a9d42d90d83b040c", - "SHA256": "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "一普明为(北京)信息技术有限公司", - "Description": "Epoolsoft Windows Information View Tools", - "Product": "PCHunter", - "ProductVersion": "1.0.0.4", - "FileVersion": "1.0.0.4", - "MachineType": "AMD64", - "OriginalFilename": "PCHunter.sys", + "FileName": "VBoxDrv.sys", + "MD5": "b1b8e6b85dd03c7f1290b1a071fc79c1", + "SHA1": "a22dead5cdf05bd2f79a4d0066ffcf01c7d303ec", + "SHA256": "26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712", "Authentihash": { - "MD5": "9655d43fd874e7a6720b36e7fd9fa6b7", - "SHA1": 
"a14261c290339995b7430495f2dfdd1da64dcfc5", - "SHA256": "c2d209ed240027608003f8d32b621f8baaf5601aaf348e64269e4457a594c7c3" + "MD5": "6837b5fe3a3a100c88c7cf4f0408f528", + "SHA1": "d679aadb2844462deaaf069d48e7d0fc76979741", + "SHA256": "7dcd81140dc57d1d412c39940643ea923a1925815097f83788d840c1a7b57d25" }, - "InternalName": "PCHunter.sys", - "Copyright": "(C) 2013-2016 Epoolsoft Corporation. All Rights Reserved.", + "Description": "VirtualBox Support Driver", + "Company": "Vektor T13 Security Service", + "InternalName": "VBoxDrv", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "1.2.0.119230", + "Product": "Antidetect 2018 Public by Vektor T13 (rev.05)", + "ProductVersion": "1.2.0.119230", + "Copyright": "Copyright (C) 2009-2018 Oracle Corporation", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "FLTMGR.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "ASMAtomicBitClear", + "ASMAtomicXchgU16", + "ASMAtomicXchgU8", + "ASMGetCS", + "ASMGetDS", + "ASMGetES", + "ASMGetFS", + "ASMGetGS", + "ASMGetIDTR", + "ASMGetSS", + "ASMMultU64ByU32DivByU32", + "ASMNopPause", + "RTAssertAreQuiet", + "RTAssertMayPanic", + "RTAssertMsg1", + "RTAssertMsg1Weak", + "RTAssertMsg2AddV", + "RTAssertMsg2V", + "RTAssertMsg2Weak", + "RTAssertMsg2WeakV", + "RTAssertSetMayPanic", + "RTAssertSetQuiet", + "RTAssertShouldPanic", + "RTAvlPVDestroy", + "RTAvlPVDoWithAll", + "RTAvlPVGet", + "RTAvlPVGetBestFit", + "RTAvlPVInsert", + "RTAvlPVRemove", + "RTAvlPVRemoveBestFit", + "RTCrc32", + "RTCrc32Finish", + "RTCrc32Process", + "RTCrc32Start", + "RTErrConvertFromErrno", + "RTErrConvertFromNtStatus", + "RTErrConvertToErrno", + "RTErrInfoAdd", + "RTErrInfoAddF", + "RTErrInfoAddV", + "RTErrInfoSet", + "RTErrInfoSetF", + "RTErrInfoSetV", + "RTErrVarsAreEqual", + "RTErrVarsHaveChanged", + "RTErrVarsRestore", + "RTErrVarsSave", + "RTHandleTableAllocWithCtx", + "RTHandleTableCreate", + "RTHandleTableCreateEx", + "RTHandleTableDestroy", + "RTHandleTableFreeWithCtx", + 
"RTHandleTableLookupWithCtx", + "RTLatin1CalcUtf8Len", + "RTLatin1CalcUtf8LenEx", + "RTLatin1ToUtf8ExTag", + "RTLatin1ToUtf8Tag", + "RTLogClearFileDelayFlag", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDefaultInstanceEx", + "RTLogDestinations", + "RTLogDestroy", + "RTLogDumpPrintfV", + "RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGetDefaultInstanceEx", + "RTLogGetDestinations", + "RTLogGetFlags", + "RTLogGetGroupSettings", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelGetDefaultInstance", + "RTLogRelGetDefaultInstanceEx", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetBuffering", + "RTLogRelSetDefaultInstance", + "RTLogSetBuffering", + "RTLogSetCustomPrefixCallback", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAllocExTag", + "RTMemAllocTag", + "RTMemAllocVarTag", + "RTMemAllocZTag", + "RTMemAllocZVarTag", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDupExTag", + "RTMemDupTag", + "RTMemExecAllocTag", + "RTMemExecFree", + "RTMemFree", + "RTMemFreeEx", + "RTMemReallocTag", + "RTMemTmpAllocTag", + "RTMemTmpAllocZTag", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpCurSetIndex", + "RTMpCurSetIndexAndId", + "RTMpGetArraySize", + "RTMpGetCount", + "RTMpGetCpuGroupCounts", + "RTMpGetMaxCpuGroupCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCoreCount", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetPresentCoreCount", + "RTMpGetPresentCount", + "RTMpGetPresentSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuPresent", + "RTMpIsCpuWorkPending", + 
"RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnAllIsConcurrentSafe", + "RTMpOnOthers", + "RTMpOnPair", + "RTMpOnPairIsConcurrentExecSupported", + "RTMpOnSpecific", + "RTMpPokeCpu", + "RTMpSetIndexFromCpuGroupMember", + "RTNetIPv4AddDataChecksum", + "RTNetIPv4AddTCPChecksum", + "RTNetIPv4AddUDPChecksum", + "RTNetIPv4FinalizeChecksum", + "RTNetIPv4HdrChecksum", + "RTNetIPv4IsDHCPValid", + "RTNetIPv4IsHdrValid", + "RTNetIPv4IsTCPSizeValid", + "RTNetIPv4IsTCPValid", + "RTNetIPv4IsUDPSizeValid", + "RTNetIPv4IsUDPValid", + "RTNetIPv4PseudoChecksum", + "RTNetIPv4PseudoChecksumBits", + "RTNetIPv4TCPChecksum", + "RTNetIPv4UDPChecksum", + "RTNetIPv6PseudoChecksum", + "RTNetIPv6PseudoChecksumBits", + "RTNetIPv6PseudoChecksumEx", + "RTNetTCPChecksum", + "RTNetUDPChecksum", + "RTOnceReset", + "RTOnceSlow", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0AssertPanicSystem", + "RTR0Init", + "RTR0MemAreKrnlAndUsrDifferent", + "RTR0MemKernelCopyFrom", + "RTR0MemKernelCopyTo", + "RTR0MemKernelIsValidAddr", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocContTag", + "RTR0MemObjAllocLowTag", + "RTR0MemObjAllocPageTag", + "RTR0MemObjAllocPhysExTag", + "RTR0MemObjAllocPhysNCTag", + "RTR0MemObjAllocPhysTag", + "RTR0MemObjEnterPhysTag", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernelTag", + "RTR0MemObjLockUserTag", + "RTR0MemObjMapKernelExTag", + "RTR0MemObjMapKernelTag", + "RTR0MemObjMapUserTag", + "RTR0MemObjProtect", + "RTR0MemObjReserveKernelTag", + "RTR0MemObjReserveUserTag", + "RTR0MemObjSize", + "RTR0MemUserCopyFrom", + "RTR0MemUserCopyTo", + "RTR0MemUserIsValidAddr", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTR0TermForced", + "RTSemEventCreate", + "RTSemEventCreateEx", + "RTSemEventDestroy", + "RTSemEventGetResolution", + "RTSemEventMultiCreate", + "RTSemEventMultiCreateEx", + "RTSemEventMultiDestroy", + 
"RTSemEventMultiGetResolution", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitEx", + "RTSemEventMultiWaitExDebug", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitEx", + "RTSemEventWaitExDebug", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSemMutexCreate", + "RTSemMutexCreateEx", + "RTSemMutexDestroy", + "RTSemMutexIsOwned", + "RTSemMutexRelease", + "RTSemMutexRequest", + "RTSemMutexRequestDebug", + "RTSemMutexRequestNoResume", + "RTSemMutexRequestNoResumeDebug", + "RTSemSpinMutexCreate", + "RTSemSpinMutexDestroy", + "RTSemSpinMutexRelease", + "RTSemSpinMutexRequest", + "RTSemSpinMutexTryRequest", + "RTSpinlockAcquire", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTStrAAppendNTag", + "RTStrAAppendTag", + "RTStrATruncateTag", + "RTStrAllocExTag", + "RTStrAllocTag", + "RTStrCalcLatin1Len", + "RTStrCalcLatin1LenEx", + "RTStrCalcUtf16Len", + "RTStrCalcUtf16LenEx", + "RTStrCat", + "RTStrConvertHexBytes", + "RTStrCopy", + "RTStrCopyEx", + "RTStrCopyP", + "RTStrDupExTag", + "RTStrDupNTag", + "RTStrDupTag", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + "RTStrFree", + "RTStrGetCpExInternal", + "RTStrGetCpInternal", + "RTStrGetCpNExInternal", + "RTStrIsValidEncoding", + "RTStrNCmp", + "RTStrPrevCp", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrPurgeComplementSet", + "RTStrPurgeEncoding", + "RTStrPutCpInternal", + "RTStrReallocTag", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToLatin1ExTag", + "RTStrToLatin1Tag", + 
"RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTStrToUni", + "RTStrToUniEx", + "RTStrToUtf16BigExTag", + "RTStrToUtf16BigTag", + "RTStrToUtf16ExTag", + "RTStrToUtf16Tag", + "RTStrUniLen", + "RTStrUniLenEx", + "RTStrValidateEncoding", + "RTStrValidateEncodingEx", + "RTTermDeregisterCallback", + "RTTermRegisterCallback", + "RTTermRunCallbacks", + "RTThreadCreate", + "RTThreadCreateF", + "RTThreadCreateV", + "RTThreadCtxHookCreate", + "RTThreadCtxHookDestroy", + "RTThreadCtxHookDisable", + "RTThreadCtxHookEnable", + "RTThreadCtxHookIsEnabled", + "RTThreadFromNative", + "RTThreadGetName", + "RTThreadGetNative", + "RTThreadGetType", + "RTThreadIsInInterrupt", + "RTThreadIsInitialized", + "RTThreadIsMain", + "RTThreadIsSelfAlive", + "RTThreadIsSelfKnown", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptIsPending", + "RTThreadPreemptIsPendingTrusty", + "RTThreadPreemptIsPossible", + "RTThreadPreemptRestore", + "RTThreadSelf", + "RTThreadSelfName", + "RTThreadSetName", + "RTThreadSetType", + "RTThreadSleep", + "RTThreadUserReset", + "RTThreadUserSignal", + "RTThreadUserWait", + "RTThreadUserWaitNoResume", + "RTThreadWait", + "RTThreadWaitNoResume", + "RTThreadYield", + "RTTimeExplode", + "RTTimeFromString", + "RTTimeImplode", + "RTTimeIsLeapYear", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNormalize", + "RTTimeNow", + "RTTimeSpecFromString", + "RTTimeSpecToString", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimeToString", + "RTTimerCanDoHighResolution", + "RTTimerChangeInterval", + "RTTimerCreate", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "RTUuidClear", + 
"RTUuidCompare", + "RTUuidCompare2Strs", + "RTUuidCompareStr", + "RTUuidFromStr", + "RTUuidFromUtf16", + "RTUuidIsNull", + "RTUuidToStr", + "RTUuidToUtf16", + "SUPGetCpuHzFromGipForAsyncMode", + "SUPGetGIP", + "SUPGetTscDeltaSlow", + "SUPIsTscFreqCompatible", + "SUPIsTscFreqCompatibleEx", + "SUPR0BadContext", + "SUPR0ChangeCR4", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetCurrentGdtRw", + "SUPR0GetKernelFeatures", + "SUPR0GetPagingMode", + "SUPR0GetSessionGVM", + "SUPR0GetSessionVM", + "SUPR0GetSvmUsability", + "SUPR0GetVmxUsability", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0PageProtect", + "SUPR0Printf", + "SUPR0QueryUcodeRev", + "SUPR0QueryVTCaps", + "SUPR0ResumeVTxOnCpu", + "SUPR0SetSessionVM", + "SUPR0SuspendVTxOnCpu", + "SUPR0TracerDeregisterDrv", + "SUPR0TracerDeregisterImpl", + "SUPR0TracerFireProbe", + "SUPR0TracerRegisterDrv", + "SUPR0TracerRegisterImpl", + "SUPR0TracerRegisterModule", + "SUPR0TracerUmodProbeFire", + "SUPR0TscDeltaMeasureBySetIndex", + "SUPR0UnlockMem", + "SUPReadTscWithDelta", + "SUPSemEventClose", + "SUPSemEventCreate", + "SUPSemEventGetResolution", + "SUPSemEventMultiClose", + "SUPSemEventMultiCreate", + "SUPSemEventMultiGetResolution", + "SUPSemEventMultiReset", + "SUPSemEventMultiSignal", + "SUPSemEventMultiWait", + "SUPSemEventMultiWaitNoResume", + "SUPSemEventMultiWaitNsAbsIntr", + "SUPSemEventMultiWaitNsRelIntr", + "SUPSemEventSignal", + "SUPSemEventWait", + "SUPSemEventWaitNoResume", + "SUPSemEventWaitNsAbsIntr", + "SUPSemEventWaitNsRelIntr", + "g_pSUPGlobalInfoPage", + "g_pszRTAssertExpr", + "g_pszRTAssertFile", + 
"g_pszRTAssertFunction", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2", + "g_u32RTAssertLine" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "ZwCreateKey", - "RtlInitUnicodeString", - "ZwSetValueKey", - "ExGetPreviousMode", - "PsGetCurrentProcessId", - "KeInitializeEvent", - "ExFreePoolWithTag", - "ZwQuerySymbolicLinkObject", - "SeCreateAccessState", - "KeSetEvent", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "IoCreateFile", - "MmBuildMdlForNonPagedPool", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "IoFileObjectType", - "ExAllocatePool", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "IoFreeIrp", - "MmProbeAndLockPages", - "ZwClose", - "MmUnlockPages", - "ObOpenObjectByPointer", - "IoAllocateMdl", - "MmSectionObjectType", - "_wcsicmp", - "NtDeviceIoControlFile", - "NtFsControlFile", - "swprintf", - "MmGetSystemRoutineAddress", - "ExAllocatePoolWithTag", - "ObQueryNameString", - "KeBugCheckEx", - "PsLookupThreadByThreadId", - "IoDeleteSymbolicLink", + "strchr", "IoDeleteDevice", - "wcsncat", - "KeDelayExecutionThread", - "wcsrchr", - "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "KeStackAttachProcess", + "RtlInitUnicodeString", "ObfDereferenceObject", - "MmIsAddressValid", - "KeUnstackDetachProcess", - "PsLookupProcessByProcessId", - "ProbeForRead", - "IoGetCurrentProcess", - "MmUserProbeAddress", - "ProbeForWrite", - "NtBuildNumber", - "IoAllocateIrp", - "MmSystemRangeStart", + "ExUnregisterCallback", + "IofCompleteRequest", "__C_specific_handler", - "FltReleaseFileNameInformation", - "FltClose", - "FltStartFiltering", - "FltParseFileNameInformation", - "FltCreateFile", - "FltRegisterFilter", - "FltUnregisterFilter", - "FltGetFileNameInformation" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CN, ST=?????????, L=?????????, O=????????????(??????)????????????????????????, 
CN=????????????(??????)????????????????????????", - "ValidFrom": "2015-10-16 04:47:28", - "ValidTo": "2016-11-16 04:47:28", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, O=WoSign CA Limited, CN=WoSign Time Stamping Signer", - "ValidFrom": "2009-08-08 01:00:05", - "ValidTo": "2024-08-08 01:00:05", - "Signature": "7c982fbbc3d2aec22a8fa69776568632c4cd36688becd7801a3179b05e56b969ebb90b32a98326dc775d7a56b246a07d15d66df9acf835737836026022201cef188f7e66b24fe771935a2be6e58d3d5d2e274b46cb1d04f30b8c3f13a80dd4cde828e82a9c55c8e3ff9da922496ee8e7889237578060441827435818046d86c065470557555091e67350ee3f10a98f052fda6811536e1fad98f3763e85d057a3cfe4c11a4c6406a644ab4e1ee24bd5a46d71f86bcb6613a6471f212aa1ae4c89a47d2877174f888db1d15db1c4935abf22926cab678268edd721cb63bc93c4178e871925ad1754b479d2a59373bc7cbbe4800f8fccaa0ad0e49375aa6ccf497d75ec82285c73f042bf9ea6132ede6cee8003a6ee8836a01bb282e83dbba61ad511ae0a0b62d651369723175226edf1c5b62175391507e042f12a89047766ad1404d2c7d47c4f6cdd4edced8ea9f68617e7e15966bbd07ad09442ebafc154cae21aa4a9b6a5d481ca1526fa6fb4df7810048c4818bc2859669ab818f1d95e5b82fffe11d7d40436309f511d3cc86440757cd83583efb1e528760a053de9b81e70503a60e2a50188889c04cc6af21585d10cb74a6d934e82ca29e9750b42e43a4724086d805ce66a672cb61308c94fd86653b9b67fe2ea39956f71779603afb9e3cce3a1b9f101c66ebefc975cb2d1f17bfb33c665eae618f9ab3a271a2d206be6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, O=WoSign CA Limited, CN=WoSign Class 3 Code Signing CA", - "ValidFrom": "2009-08-08 01:00:05", - "ValidTo": "2024-08-08 01:00:05", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign", - "ValidFrom": "2015-04-29 17:12:11", - "ValidTo": "2025-04-29 17:12:11", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", - "ValidFrom": "2011-04-15 20:13:19", - "ValidTo": "2021-04-15 20:23:19", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign", - "ValidFrom": "2006-09-17 22:46:36", - "ValidTo": "2019-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", - "ValidFrom": "2006-09-17 19:46:36", - "ValidTo": "2036-09-17 19:46:36", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "5c5d0a336ba298b9695d2cfa5a181510", - "Issuer": "C=CN, O=WoSign CA Limited, CN=WoSign Class 3 Code Signing CA" - } - ] - } - ] - } - ], - "Tags": [ - "PCHunter.sys" - ] - }, - { - "Id": "fbdd993b-47b1-4448-8c41-24c310802398", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create rwdrv.sys binPath=C:\\windows\\temp\\rwdrv.sys type=kernel && sc.exe start rwdrv.sys", - "Description": "This utility access almost all the computer hardware, including PCI (PCI Express), PCI Index/Data, Memory, Memory Index/Data, I/O Space, I/O Index/Data, Super I/O, Clock Generator, DIMM SPD, SMBus Device, CPU MSR Registers, ATA/ATAPI Identify Data, Disk Read Write, ACPI Tables Dump (include AML decode), Embedded Controller, USB Information, SMBIOS Structures, PCI Option ROMs, MP Configuration Table, E820, EDID 
and Remote Access. And also a Command Window is provided to access hardware manually.\n", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "http://rweverything.com/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "rwdrv.sys", - "MD5": "257483d5d8b268d0d679956c7acdf02d", - "SHA1": "fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2", - "SHA256": "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3", - "Signature": [ - "ChongKim Chan", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "RW-Everything", - "Description": "RwDrv Driver", - "Product": "RwDrv Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "I386", - "OriginalFilename": "RwDrv.sys", - "Authentihash": { - "MD5": "3cd1454d2308cee5c59b45d5f952e70b", - "SHA1": "2c3b01ff8ce024f70f9daad31ea6c78de54f239b", - "SHA256": "acb65f96f1d5c986b52d980a1c5ea009292ff472087fdd8a98a485404948f585" - }, - "InternalName": "RwDrv.sys", - "Copyright": "Copyright (C) 2011 RW-Everything", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ObfDereferenceObject", - "IoUnregisterPlugPlayNotification", "ExFreePoolWithTag", - "MmUnmapIoSpace", - "MmMapIoSpace", - "RtlCompareMemory", "ExAllocatePoolWithTag", - "memcpy", - "memset", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemorySpecifyCache", - "IoFreeIrp", - "IoFreeMdl", - "MmUnlockPages", - "RtlInitUnicodeString", - 
"IoBuildAsynchronousFsdRequest", - "KeWaitForSingleObject", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "IoIs32bitProcess", + "ZwSetSystemInformation", + "ExRegisterCallback", + "ExCreateCallback", + "MmGetSystemRoutineAddress", "RtlQueryRegistryValues", - "IoFreeWorkItem", - "IoGetDeviceObjectPointer", - "ExfInterlockedInsertTailList", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "RtlCopyUnicodeString", - "IoRegisterPlugPlayNotification", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IofCallDriver", - "IofCompleteRequest", - "KfReleaseSpinLock", - "KeStallExecutionProcessor", - "KfAcquireSpinLock" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, CN=ChongKim Chan", - "ValidFrom": "2012-07-31 20:41:59", - "ValidTo": "2013-08-01 20:41:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "11218f56dafd7542d5f3d70b213e2a546cff", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - } - ], - "Tags": [ - "rwdrv.sys" - ] - }, - { - "Id": "76b5dfae-b384-45ce-8646-b2eec6b76a1e", - "Author": "Paul Michaud", - "Created": "2023-05-12", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create KfeCo11X64.sys binPath=C:\\windows\\temp\\KfeCo11X64.sys type=kernel && sc.exe start KfeCo11X64.sys", - "Description": "Killer exposes COM interfaces that allow non-privileged users 1) to block network for any process 2) to manage any service in the OS. Killer is preinstalled to laptops equipped with Intel Killer NICs (e.g. Dell). Since Intel patched the vulnerability quietly, it's not clear which version is safe. Also, it is unclear which OEMs are affected. Dell is definitely in the list, but it is likely that other vendors with Killer NICs on board, such as Acer and MSI, are affected too. Some users think that Killer suite is required for the NIC to work properly, so they install it even after a fresh Windows install. 
This version is confirmed vulnerable based on the script usage from zwclose.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://zwclose.github.io/2023/04/18/killer2.html", - "https://twitter.com/zwclose/status/1648441215808049153", - "https://zwclose.github.io/2022/12/18/killer1.html" - ], - "Acknowledgement": { - "Person": "zwclose", - "Handle": "zwclose" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "KfeCo11X64.sys", - "MD5": "c901887f28bbb55a10eb934755b47227", - "SHA1": "2540205480ea3d59e4031de3c6632e3ce2596459", - "SHA256": "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Rivet Networks, LLC.", - "Description": "Killer Traffic Control Callout Driver", - "Product": "Killer Traffic Control", - "ProductVersion": "9.8.4.59", - "FileVersion": "9.8.4.59", - "MachineType": "AMD64", - "OriginalFilename": "KfeCoDrv.sys", - "Authentihash": { - "MD5": "758090532f58b19865d76a41389c2d58", - "SHA1": "6aa5070d7346f164d618915d32ddb9cfe1c1fecc", - "SHA256": "a7047cee090ddbd150d7337a9357e03ccea56f004a2d29ddb7b8a0636a396240" - }, - "InternalName": "KfeCoDrv.sys", - "Copyright": "Copyright (C) 2015-2018 Rivet Networks, LLC.", - "Imports": [ - "ntoskrnl.exe", - "NDIS.SYS", - "fwpkclnt.sys", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ExFreePoolWithTag", - "KeReleaseInStackQueuedSpinLockFromDpcLevel", - "RtlCopyUnicodeString", - "DbgPrintEx", - "KeInitializeEvent", - "strstr", - "RtlCompareMemory", - "RtlIpv4StringToAddressA", - "RtlIpv6StringToAddressA", - "memchr", - "ObfDereferenceObject", - "MmBuildMdlForNonPagedPool", - "KeInitializeSpinLock", - "KeSetTimer", + "DbgPrint", + "KeSetTimerEx", + "KeInsertQueueDpc", + "KeRemoveQueueDpc", "KeCancelTimer", - "KeInitializeTimer", - "KeSetPriorityThread", "KeSetImportanceDpc", - "KeInsertQueueDpc", "KeInitializeDpc", - 
"IoQueueWorkItem", - "IoFreeWorkItem", - "IoAllocateWorkItem", - "PsTerminateSystemThread", - "KeWaitForMultipleObjects", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", "KeDelayExecutionThread", - "KeClearEvent", - "RtlEthernetAddressToStringW", - "RtlRandomEx", + "ZwYieldExecution", + "KeSetPriorityThread", + "KeWaitForSingleObject", "ZwClose", + "ObReferenceObjectByHandle", "PsCreateSystemThread", - "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeInitializeMutex", + "KeReleaseMutex", + "KeReadStateMutex", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", "KeSetEvent", - "KeQueryInterruptTimePrecise", - "ExEventObjectType", - "__C_specific_handler", - "ObReferenceObjectByHandle", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "MmProbeAndLockPages", - "ProbeForWrite", + "KeResetEvent", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", "ProbeForRead", + "ProbeForWrite", + "MmHighestUserAddress", + "MmSystemRangeStart", + "KeSetTargetProcessorDpc", + "KeNumberProcessors", + "PsGetVersion", + "MmIsAddressValid", + "MmUnmapIoSpace", + "MmUnlockPages", + "MmFreeContiguousMemory", "IoFreeMdl", - "ExAllocatePool2", - "IoAllocateMdl", - "KeAcquireInStackQueuedSpinLockAtDpcLevel", - "KeReleaseInStackQueuedSpinLock", - "KeAcquireInStackQueuedSpinLock", - "KeGetCurrentIrql", - "NdisRetreatNetBufferDataStart", - "NdisAdvanceNetBufferDataStart", - "NdisGetDataBuffer", - "NdisCopySendNetBufferListInfo", - "NdisFreeNetBufferPool", - "NdisAllocateNetBufferPool", - "NdisFreeNetBufferListPool", - "NdisAllocateNetBufferListPool", - "NdisFreeGenericObject", - "NdisCopyReceiveNetBufferListInfo", - "NdisAllocateGenericObject", - "FwpsInjectTransportReceiveAsync0", - "FwpsQueryConnectionRedirectState0", - "FwpsRedirectHandleDestroy0", - "FwpsRedirectHandleCreate0", - "FwpsApplyModifiedLayerData0", - "FwpsAcquireWritableLayerDataPointer0", - "FwpsCompleteClassify0", - "FwpsPendClassify0", - 
"FwpsReleaseClassifyHandle0", - "FwpsAcquireClassifyHandle0", - "FwpsCalloutUnregisterByKey0", - "FwpsConstructIpHeaderForTransportPacket0", - "FwpsDereferenceNetBufferList0", - "FwpsReferenceNetBufferList0", - "FwpsInjectMacSendAsync0", - "FwpsInjectMacReceiveAsync0", - "FwpsAllocateCloneNetBufferList0", - "FwpsFreeNetBufferList0", - "FwpsAllocateNetBufferAndNetBufferList0", - "FwpmFilterDeleteById0", - "FwpsCalloutRegister3", - "FwpmFilterAdd0", - "FwpmCalloutDeleteByKey0", - "FwpmSubLayerDeleteByKey0", - "FwpmProviderContextDeleteByKey0", - "FwpsInjectTransportSendAsync1", - "FwpsFreeCloneNetBufferList0", - "FwpsFlowRemoveContext0", - "FwpsFlowAssociateContext0", - "FwpsCalloutUnregisterById0", - "FwpmCalloutAdd0", - "FwpmSubLayerAdd0", - "FwpmProviderAdd0", - "FwpmTransactionAbort0", - "FwpmTransactionCommit0", - "FwpmTransactionBegin0", - "FwpmEngineClose0", - "FwpmEngineOpen0", - "FwpsInjectionHandleDestroy0", - "FwpsInjectionHandleCreate0", - "FwpsQueryPacketInjectionState0", - "FwpsGetPacketListSecurityInformation0", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass", - "WdfVersionBind" + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocateContiguousMemorySpecifyCache", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=California, L=Santa Clara, O=Intel Corporation, OU=Intel(R) Connectivity Innovation, CN=Intel Corporation", - "ValidFrom": "2021-04-01 00:00:00", - "ValidTo": "2023-04-01 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "CN=Vektor T13 Security 
Service", + "ValidFrom": "2018-04-19 00:15:30", + "ValidTo": "2039-12-31 23:59:59", + "Signature": "6a53b7553edfd579a2a4dd005b893883cc26c3e314683b8b92b95b8b60e33d6c9841d1761bd52c2e5a69f9bec38e457bf5a06f43fdb4d4f601a2ae0b0c7e16e180b8447308fca66dcbdf34c0a4319e96af6f96f4b9037bfd7f1360efe2fd24efe837d59c64e895cee83d63952d217672932decd29af822e80d0d25a580d53e0c", + "SignatureAlgorithmOID": "1.3.14.3.2.29" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA", - "ValidFrom": "2018-11-02 00:00:00", - "ValidTo": "2030-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority", - "ValidFrom": "2015-07-22 21:03:49", - "ValidTo": "2025-07-22 21:03:49", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "00bfcce9854e3f154ff8e62c2ce2fde84d", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" + "SerialNumber": "c3b2c606d320e0bf4f71f1e73668a938", + "Issuer": "CN=Vektor T13 Security Service" } ] } ] - } - ], - "Tags": [ - "KfeCo11X64.sys" - ] - }, - { - "Id": "31a962ce-43ef-410f-873a-7ccc8f00332b", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": 
"vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create t3.sys binPath=C:\\windows\\temp\\t3.sys type=kernel && sc.exe start t3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "t3.sys", - "SHA256": "4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "t3.sys" - ] - }, - { - "Id": "c854b612-0b9f-4fc3-a7b8-a93bed7a291e", - "Author": "Nasreddine Bencherchali", - "Created": "2023-04-15", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create SSPORT.sys binPath=C:\\windows\\temp\\SSPORT.sys type=kernel && sc.exe start SSPORT.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/ssport_v1.0" - ], - "Acknowledgement": { - "Person": "Paolo Stagno", - "Handle": "Void_Sec" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "SSPORT.sys", - "MD5": "0211ab46b73a2623b86c1cfcb30579ab", - "SHA1": "ccd547ef957189eddb6ee213e5e0136e980186f9", - "SHA256": 
"7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4", - "Signature": "N/A", - "Date": "N/A", - "Publisher": "N/A", - "Company": "Samsung Electronics", - "Description": "Port Contention Driver", - "Product": "Port Contention Driver", - "ProductVersion": "1.0", - "FileVersion": "1.0", - "MachineType": "AMD64", - "OriginalFilename": "SSPORT.sys", + "FileName": "VBoxDrv.sys", + "MD5": "02a1d77ef13bd41cad04abcce896d0b9", + "SHA1": "59c0fa0d61576d9eb839c9c7e15d57047ee7fe29", + "SHA256": "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b", "Authentihash": { - "MD5": "ffc522ee567368a6f98c38dd2aa57f30", - "SHA1": "06643b15efe04a2177c08d0395a2be5a910ed58c", - "SHA256": "710639fd1eb76520e8733840ad78a81e09ce03930e4d3c47998e3162ae95f90e" + "MD5": "49f3b147b53aa5ebce9ddce9a20fe9ff", + "SHA1": "46064d1e248e2c9d24950d6a5dcf68a2c12aeb9d", + "SHA256": "7e5abe4530eff3838d44516f95c15d8b3ec6cec44ca7b67998e50641c939d12a" }, - "InternalName": "SSPORT.sys", - "Copyright": "Copyright (C) Samsung Corp. 
1998-2005", + "Description": "VirtualBox Support Driver", + "Company": "Vektor T13 Security Service", + "InternalName": "VBoxDrv", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "1.4.2.119230", + "Product": "Antidetect 2019 Public", + "ProductVersion": "1.4.2.119230", + "Copyright": "Copyright (C) 2009-2019 Oracle Corporation", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": "", + "ExportedFunctions": [ + "ASMAtomicBitClear", + "ASMAtomicXchgU16", + "ASMAtomicXchgU8", + "ASMGetCS", + "ASMGetDS", + "ASMGetES", + "ASMGetFS", + "ASMGetGS", + "ASMGetIDTR", + "ASMGetSS", + "ASMMultU64ByU32DivByU32", + "ASMNopPause", + "RTAssertAreQuiet", + "RTAssertMayPanic", + "RTAssertMsg1", + "RTAssertMsg1Weak", + "RTAssertMsg2AddV", + "RTAssertMsg2V", + "RTAssertMsg2Weak", + "RTAssertMsg2WeakV", + "RTAssertSetMayPanic", + "RTAssertSetQuiet", + "RTAssertShouldPanic", + "RTAvlPVDestroy", + "RTAvlPVDoWithAll", + "RTAvlPVGet", + "RTAvlPVGetBestFit", + "RTAvlPVInsert", + "RTAvlPVRemove", + "RTAvlPVRemoveBestFit", + "RTCrc32", + "RTCrc32Finish", + "RTCrc32Process", + "RTCrc32Start", + "RTErrConvertFromErrno", + "RTErrConvertFromNtStatus", + "RTErrConvertToErrno", + "RTErrInfoAdd", + "RTErrInfoAddF", + "RTErrInfoAddV", + "RTErrInfoSet", + "RTErrInfoSetF", + "RTErrInfoSetV", + "RTErrVarsAreEqual", + "RTErrVarsHaveChanged", + "RTErrVarsRestore", + "RTErrVarsSave", + "RTHandleTableAllocWithCtx", + "RTHandleTableCreate", + "RTHandleTableCreateEx", + "RTHandleTableDestroy", + "RTHandleTableFreeWithCtx", + "RTHandleTableLookupWithCtx", + "RTLatin1CalcUtf8Len", + "RTLatin1CalcUtf8LenEx", + "RTLatin1ToUtf8ExTag", + "RTLatin1ToUtf8Tag", + "RTLogClearFileDelayFlag", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDefaultInstanceEx", + "RTLogDestinations", + "RTLogDestroy", + "RTLogDumpPrintfV", + "RTLogFlags", + "RTLogFlush", + 
"RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGetDefaultInstanceEx", + "RTLogGetDestinations", + "RTLogGetFlags", + "RTLogGetGroupSettings", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelGetDefaultInstance", + "RTLogRelGetDefaultInstanceEx", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetBuffering", + "RTLogRelSetDefaultInstance", + "RTLogSetBuffering", + "RTLogSetCustomPrefixCallback", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAllocExTag", + "RTMemAllocTag", + "RTMemAllocVarTag", + "RTMemAllocZTag", + "RTMemAllocZVarTag", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDupExTag", + "RTMemDupTag", + "RTMemExecAllocTag", + "RTMemExecFree", + "RTMemFree", + "RTMemFreeEx", + "RTMemReallocTag", + "RTMemTmpAllocTag", + "RTMemTmpAllocZTag", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpCurSetIndex", + "RTMpCurSetIndexAndId", + "RTMpGetArraySize", + "RTMpGetCount", + "RTMpGetCpuGroupCounts", + "RTMpGetMaxCpuGroupCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCoreCount", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetPresentCoreCount", + "RTMpGetPresentCount", + "RTMpGetPresentSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuPresent", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnAllIsConcurrentSafe", + "RTMpOnOthers", + "RTMpOnPair", + "RTMpOnPairIsConcurrentExecSupported", + "RTMpOnSpecific", + "RTMpPokeCpu", + "RTMpSetIndexFromCpuGroupMember", + "RTNetIPv4AddDataChecksum", + "RTNetIPv4AddTCPChecksum", + "RTNetIPv4AddUDPChecksum", + "RTNetIPv4FinalizeChecksum", + "RTNetIPv4HdrChecksum", + "RTNetIPv4IsDHCPValid", + "RTNetIPv4IsHdrValid", + 
"RTNetIPv4IsTCPSizeValid", + "RTNetIPv4IsTCPValid", + "RTNetIPv4IsUDPSizeValid", + "RTNetIPv4IsUDPValid", + "RTNetIPv4PseudoChecksum", + "RTNetIPv4PseudoChecksumBits", + "RTNetIPv4TCPChecksum", + "RTNetIPv4UDPChecksum", + "RTNetIPv6PseudoChecksum", + "RTNetIPv6PseudoChecksumBits", + "RTNetIPv6PseudoChecksumEx", + "RTNetTCPChecksum", + "RTNetUDPChecksum", + "RTOnceReset", + "RTOnceSlow", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0AssertPanicSystem", + "RTR0Init", + "RTR0MemAreKrnlAndUsrDifferent", + "RTR0MemKernelCopyFrom", + "RTR0MemKernelCopyTo", + "RTR0MemKernelIsValidAddr", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocContTag", + "RTR0MemObjAllocLowTag", + "RTR0MemObjAllocPageTag", + "RTR0MemObjAllocPhysExTag", + "RTR0MemObjAllocPhysNCTag", + "RTR0MemObjAllocPhysTag", + "RTR0MemObjEnterPhysTag", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernelTag", + "RTR0MemObjLockUserTag", + "RTR0MemObjMapKernelExTag", + "RTR0MemObjMapKernelTag", + "RTR0MemObjMapUserTag", + "RTR0MemObjProtect", + "RTR0MemObjReserveKernelTag", + "RTR0MemObjReserveUserTag", + "RTR0MemObjSize", + "RTR0MemUserCopyFrom", + "RTR0MemUserCopyTo", + "RTR0MemUserIsValidAddr", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTR0TermForced", + "RTSemEventCreate", + "RTSemEventCreateEx", + "RTSemEventDestroy", + "RTSemEventGetResolution", + "RTSemEventMultiCreate", + "RTSemEventMultiCreateEx", + "RTSemEventMultiDestroy", + "RTSemEventMultiGetResolution", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitEx", + "RTSemEventMultiWaitExDebug", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitEx", + "RTSemEventWaitExDebug", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSemMutexCreate", + 
"RTSemMutexCreateEx", + "RTSemMutexDestroy", + "RTSemMutexIsOwned", + "RTSemMutexRelease", + "RTSemMutexRequest", + "RTSemMutexRequestDebug", + "RTSemMutexRequestNoResume", + "RTSemMutexRequestNoResumeDebug", + "RTSemSpinMutexCreate", + "RTSemSpinMutexDestroy", + "RTSemSpinMutexRelease", + "RTSemSpinMutexRequest", + "RTSemSpinMutexTryRequest", + "RTSpinlockAcquire", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTStrAAppendNTag", + "RTStrAAppendTag", + "RTStrATruncateTag", + "RTStrAllocExTag", + "RTStrAllocTag", + "RTStrCalcLatin1Len", + "RTStrCalcLatin1LenEx", + "RTStrCalcUtf16Len", + "RTStrCalcUtf16LenEx", + "RTStrCat", + "RTStrConvertHexBytes", + "RTStrCopy", + "RTStrCopyEx", + "RTStrCopyP", + "RTStrDupExTag", + "RTStrDupNTag", + "RTStrDupTag", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + "RTStrFree", + "RTStrGetCpExInternal", + "RTStrGetCpInternal", + "RTStrGetCpNExInternal", + "RTStrIsValidEncoding", + "RTStrNCmp", + "RTStrPrevCp", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrPurgeComplementSet", + "RTStrPurgeEncoding", + "RTStrPutCpInternal", + "RTStrReallocTag", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToLatin1ExTag", + "RTStrToLatin1Tag", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTStrToUni", + "RTStrToUniEx", + "RTStrToUtf16BigExTag", + "RTStrToUtf16BigTag", + "RTStrToUtf16ExTag", + "RTStrToUtf16Tag", + "RTStrUniLen", + "RTStrUniLenEx", + "RTStrValidateEncoding", + 
"RTStrValidateEncodingEx", + "RTTermDeregisterCallback", + "RTTermRegisterCallback", + "RTTermRunCallbacks", + "RTThreadCreate", + "RTThreadCreateF", + "RTThreadCreateV", + "RTThreadCtxHookCreate", + "RTThreadCtxHookDestroy", + "RTThreadCtxHookDisable", + "RTThreadCtxHookEnable", + "RTThreadCtxHookIsEnabled", + "RTThreadFromNative", + "RTThreadGetName", + "RTThreadGetNative", + "RTThreadGetType", + "RTThreadIsInInterrupt", + "RTThreadIsInitialized", + "RTThreadIsMain", + "RTThreadIsSelfAlive", + "RTThreadIsSelfKnown", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptIsPending", + "RTThreadPreemptIsPendingTrusty", + "RTThreadPreemptIsPossible", + "RTThreadPreemptRestore", + "RTThreadSelf", + "RTThreadSelfName", + "RTThreadSetName", + "RTThreadSetType", + "RTThreadSleep", + "RTThreadUserReset", + "RTThreadUserSignal", + "RTThreadUserWait", + "RTThreadUserWaitNoResume", + "RTThreadWait", + "RTThreadWaitNoResume", + "RTThreadYield", + "RTTimeExplode", + "RTTimeFromString", + "RTTimeImplode", + "RTTimeIsLeapYear", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNormalize", + "RTTimeNow", + "RTTimeSpecFromString", + "RTTimeSpecToString", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimeToString", + "RTTimerCanDoHighResolution", + "RTTimerChangeInterval", + "RTTimerCreate", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "RTUuidClear", + "RTUuidCompare", + "RTUuidCompare2Strs", + "RTUuidCompareStr", + "RTUuidFromStr", + "RTUuidFromUtf16", + "RTUuidIsNull", + "RTUuidToStr", + "RTUuidToUtf16", + "SUPGetCpuHzFromGipForAsyncMode", + "SUPGetGIP", + "SUPGetTscDeltaSlow", + "SUPIsTscFreqCompatible", + "SUPIsTscFreqCompatibleEx", + "SUPR0BadContext", + "SUPR0ChangeCR4", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + 
"SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetCurrentGdtRw", + "SUPR0GetKernelFeatures", + "SUPR0GetPagingMode", + "SUPR0GetSessionGVM", + "SUPR0GetSessionVM", + "SUPR0GetSvmUsability", + "SUPR0GetVmxUsability", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0PageProtect", + "SUPR0Printf", + "SUPR0QueryUcodeRev", + "SUPR0QueryVTCaps", + "SUPR0ResumeVTxOnCpu", + "SUPR0SetSessionVM", + "SUPR0SuspendVTxOnCpu", + "SUPR0TracerDeregisterDrv", + "SUPR0TracerDeregisterImpl", + "SUPR0TracerFireProbe", + "SUPR0TracerRegisterDrv", + "SUPR0TracerRegisterImpl", + "SUPR0TracerRegisterModule", + "SUPR0TracerUmodProbeFire", + "SUPR0TscDeltaMeasureBySetIndex", + "SUPR0UnlockMem", + "SUPReadTscWithDelta", + "SUPSemEventClose", + "SUPSemEventCreate", + "SUPSemEventGetResolution", + "SUPSemEventMultiClose", + "SUPSemEventMultiCreate", + "SUPSemEventMultiGetResolution", + "SUPSemEventMultiReset", + "SUPSemEventMultiSignal", + "SUPSemEventMultiWait", + "SUPSemEventMultiWaitNoResume", + "SUPSemEventMultiWaitNsAbsIntr", + "SUPSemEventMultiWaitNsRelIntr", + "SUPSemEventSignal", + "SUPSemEventWait", + "SUPSemEventWaitNoResume", + "SUPSemEventWaitNsAbsIntr", + "SUPSemEventWaitNsRelIntr", + "g_pSUPGlobalInfoPage", + "g_pszRTAssertExpr", + "g_pszRTAssertFile", + "g_pszRTAssertFunction", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2", + "g_u32RTAssertLine" + ], "ImportedFunctions": [ + "strchr", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "strncpy", - "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest" + "RtlInitUnicodeString", + "ObfDereferenceObject", + "ExUnregisterCallback", + "IofCompleteRequest", + "__C_specific_handler", + "ExFreePoolWithTag", + 
"ExAllocatePoolWithTag", + "IoIs32bitProcess", + "ZwSetSystemInformation", + "ExRegisterCallback", + "ExCreateCallback", + "MmGetSystemRoutineAddress", + "RtlQueryRegistryValues", + "DbgPrint", + "KeSetTimerEx", + "KeInsertQueueDpc", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeSetImportanceDpc", + "KeInitializeDpc", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "KeDelayExecutionThread", + "ZwYieldExecution", + "KeSetPriorityThread", + "KeWaitForSingleObject", + "ZwClose", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeInitializeMutex", + "KeReleaseMutex", + "KeReadStateMutex", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeResetEvent", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "ProbeForRead", + "ProbeForWrite", + "MmHighestUserAddress", + "MmSystemRangeStart", + "KeSetTargetProcessorDpc", + "KeNumberProcessors", + "PsGetVersion", + "MmIsAddressValid", + "MmUnmapIoSpace", + "MmUnlockPages", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocateContiguousMemorySpecifyCache", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2009-07-15 23:59:59", - "Signature": "9a65f5d8d7e1a4d05dded87d7bc3eec408c256d08cdcedac228de750060d072ca0a46995cc99dfcc6331cfb0c1e496cb38ce21fb7ce7580a2321072c9097abd89604935453ba3a1048720d85ec1b0a4125cc7d6cac7b03f1f7783cf2a840d05572dbbe0b28b5c8c705fed3e0b521dcbc40b7bebc60f5b8e3d85e3b65dd66565f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "CN=Vektor T13 Technology", + "ValidFrom": "2018-08-10 07:42:52", + "ValidTo": "2039-12-31 23:59:59", + "Signature": "4819acb135277102eb22d1ebf53707b6651b1dac668cbe264acefb52a0567dee778627ae98f2f8a69142e210ed9a585a826bea9339108f6cc8567a8a0d3b471dde8e932b4d7b466e657e0592faa7578e548c1d1f3b746190fac243e75735ad18bb9cf901d94d92ed4bfbe7729d439bdd300a6cb5fb75d17364033f92a8d15398", + "SignatureAlgorithmOID": "1.3.14.3.2.29" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=KR, ST=Kyungki,Do, L=Suwon, O=Samsung Electronics CO., LTD., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Computer System, CN=Samsung Electronics CO., LTD.", - "ValidFrom": "2005-11-08 00:00:00", - "ValidTo": "2006-12-17 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4ffbf40bae31d4c367d68e83e3e6712f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "4d87df1b3d1e239b405dc85d0a0bad22", + "Issuer": "CN=Vektor T13 Technology" } ] } ] - } - ], - "Tags": [ - "SSPORT.sys" - ] - }, - { - "Id": "94eb0694-29ba-4f8e-b763-86c6371db6cc", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create winio64.sys binPath=C:\\windows\\temp\\winio64.sys type=kernel && sc.exe start winio64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "winio64.sys", - "MD5": "97221e16e7a99a00592ca278c49ffbfc", - "SHA1": "943593e880b4d340f2548548e6e673ef6f61eed3", - "SHA256": 
"e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf", - "Signature": [ - "Exacq Technologies, Inc.", - "StartCom Class 3 Primary Intermediate Object CA", - "StartCom Certification Authority" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "VBoxDrv.sys", + "MD5": "962a33a191dbe56915fd196e3a868cf0", + "SHA1": "449ff4f5ce2fdddac05a6c82e45a7e802b1c1305", + "SHA256": "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c", "Authentihash": { - "MD5": "241252e4ebe7b4fdf6fd5a34ece5b127", - "SHA1": "eaba3ed3a83a8ef75db88c1f0def5160c3835a8c", - "SHA256": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb" + "MD5": "5491106d0dc46b737e07072122359638", + "SHA1": "2fa597885c165e354736143e9645570e3637b57b", + "SHA256": "c62bf9d0cc1edfffc15f3f002cd7f51efe3372320ec89d9dc96011000915c186" }, - "InternalName": "", - "Copyright": "", + "Description": "VirtualBox Support Driver", + "Company": "Sun Microsystems, Inc.", + "InternalName": "VBoxDrv.sys", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "3.0.0.r49315", + "Product": "Sun VirtualBox", + "ProductVersion": "3.0.0.r49315", + "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "?RTThreadAdopt@@YAHW4RTTHREADTYPE@@IPEBDPEAPEAURTTHREADINT@@@Z", + "AssertMsg1", + "AssertMsg2", + "RTAssertShouldPanic", + "RTAvlPVDestroy", + "RTAvlPVDoWithAll", + "RTAvlPVGet", + "RTAvlPVGetBestFit", + "RTAvlPVInsert", + "RTAvlPVRemove", + "RTAvlPVRemoveBestFit", + "RTErrConvertFromNtStatus", + "RTHandleTableAllocWithCtx", + "RTHandleTableCreate", + "RTHandleTableCreateEx", + "RTHandleTableDestroy", + "RTHandleTableFreeWithCtx", + "RTHandleTableLookupWithCtx", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + 
"RTLogCopyGroupsAndFlags", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDestroy", + "RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelDefaultInstance", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetDefaultInstance", + "RTLogSetCustomPrefixCallback", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAlloc", + "RTMemAllocZ", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDup", + "RTMemDupEx", + "RTMemExecAlloc", + "RTMemExecFree", + "RTMemFree", + "RTMemRealloc", + "RTMemTmpAlloc", + "RTMemTmpAllocZ", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpGetCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnOthers", + "RTMpOnSpecific", + "RTMpPokeCpu", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0Init", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocCont", + "RTR0MemObjAllocLow", + "RTR0MemObjAllocPage", + "RTR0MemObjAllocPhys", + "RTR0MemObjAllocPhysNC", + "RTR0MemObjEnterPhys", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernel", + "RTR0MemObjLockUser", + "RTR0MemObjMapKernel", + "RTR0MemObjMapKernelEx", + "RTR0MemObjMapUser", + "RTR0MemObjProtect", + "RTR0MemObjReserveKernel", + "RTR0MemObjReserveUser", + "RTR0MemObjSize", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTSemEventCreate", + 
"RTSemEventDestroy", + "RTSemEventMultiCreate", + "RTSemEventMultiDestroy", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSpinlockAcquire", + "RTSpinlockAcquireNoInts", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTSpinlockReleaseNoInts", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTThreadCreate", + "RTThreadCreateF", + "RTThreadCreateV", + "RTThreadFromNative", + "RTThreadGetName", + "RTThreadGetNative", + "RTThreadGetType", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptIsPending", + "RTThreadPreemptIsPendingTrusty", + "RTThreadPreemptRestore", + "RTThreadSelf", + "RTThreadSelfName", + "RTThreadSetName", + "RTThreadSetType", + "RTThreadSleep", + "RTThreadUserReset", + "RTThreadUserSignal", + "RTThreadUserWait", + "RTThreadUserWaitNoResume", + "RTThreadWait", + "RTThreadWaitNoResume", + "RTThreadYield", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNow", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + 
"RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetPagingMode", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0PageProtect", + "SUPR0UnlockMem", + "SUPSemEventClose", + "SUPSemEventCreate", + "SUPSemEventMultiClose", + "SUPSemEventMultiCreate", + "SUPSemEventMultiReset", + "SUPSemEventMultiSignal", + "SUPSemEventMultiWait", + "SUPSemEventMultiWaitNoResume", + "SUPSemEventSignal", + "SUPSemEventWait", + "SUPSemEventWaitNoResume", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwClose", - "ZwOpenSection", - "ObReferenceObjectByHandle", - "ZwUnmapViewOfSection", - "KeBugCheckEx", - "IoDeleteSymbolicLink", "IoDeleteDevice", - "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "ExUnregisterCallback", + "IofCompleteRequest", + "DbgPrint", + "IoIs32bitProcess", + "ExRegisterCallback", + "ExCreateCallback", "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" + "IoGetStackLimits", + "memchr", + "strncmp", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeWaitForSingleObject", + "KeResetEvent", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeDelayExecutionThread", + "ZwYieldExecution", + 
"ExFreePoolWithTag", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeSetImportanceDpc", + "KeInitializeDpc", + "ExAllocatePoolWithTag", + "KeQueryActiveProcessors", + "strchr", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "KeSetTimerEx", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "__C_specific_handler", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "MmUnmapIoSpace", + "MmUnlockPages", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "KeSetPriorityThread", + "ZwClose", + "ObReferenceObjectByHandle", + "PsCreateSystemThread" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority", - "ValidFrom": "2011-04-15 20:13:19", - "ValidTo": "2021-04-15 20:23:19", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA", - "ValidFrom": "2007-10-24 22:03:55", - 
"ValidTo": "2017-10-24 22:03:55", - "Signature": "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", + "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", + "ValidFrom": "2008-06-11 00:00:00", + "ValidTo": "2011-06-11 23:59:59", + "Signature": "537c2adf2d3f7cf7cfc86476029fe81f7b8f12596a595cda0d5fbbfd227cce6bce2f8ad1af7fbb1a92a8b8de23a8797748094aae39bc845308e3ccd8fb9dc09b51bdf7b26c4eb8fb4052a8bdc714eaf36fca04d720e06798e36308c2fcaf50c48e61087a3ba0c4b0e77972a69af1ecc9d05e3f001e02ad94db98aa5e1453b541b0c257337fd78bb0372dc7841987424e0abce9cb1f0102a934bd037475b39cfe29dc27e77b3eb89fe805f8c6b1574d768dd2805d1a4b98143b7b6208abfebe7645a607084b1fd13ec7f088ac49cd5adc916090bcebe2e63786a7b80a009abd81349a9f34e135a7f4a2d569be474fe316b1b9f06ddf4d90a6650f7340181a27e1", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Hdgwyqp6jNS97z8P, C=US, ST=Indiana, L=Fishers, O=Exacq Technologies, Inc., CN=Exacq Technologies, Inc., emailAddress=info@exacq.com", - "ValidFrom": "2014-07-24 18:00:20", - "ValidTo": "2017-07-24 09:00:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0f69", - "Issuer": "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Object CA" + "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "winio64.sys", - "MD5": "11fb599312cb1cf43ca5e879ed6fb71e", - "SHA1": 
"b4d014b5edd6e19ce0e8395a64faedf49688ecb5", - "SHA256": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "VBoxDrv.sys", + "MD5": "3e87e3346441539d3a90278a120766df", + "SHA1": "ce5681896e7631b6e83cccb7aa056a33e72a1bbe", + "SHA256": "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4", "Authentihash": { - "MD5": "198111fd73515aa7fe4387612f027f0f", - "SHA1": "651b953cb03928e41424ad59f21d4978d6f4952e", - "SHA256": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12" + "MD5": "d8e8d4c6d5dd6ba5ca58979f569cba95", + "SHA1": "c9027b3e1c731d0a16acd94c947f446df1a23318", + "SHA256": "681de794238060ec929aa5cf6c4701069f113a8524d31fb2f411648968ca17de" }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "IoDeleteDevice", - "ZwUnmapViewOfSection", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "ObfDereferenceObject", - "IoCreateDevice", - "RtlAssert", - "ZwOpenSection", - "DbgPrint", - "KeBugCheckEx", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2017-10-05 17:44:16", - "ValidTo": "2018-10-05 17:44:16", - "Signature": 
"5d029dd2c0ca0f997555ec89434d33899bd9a1ed711df775386647a579200c20df265adea863cc62d7e52425677abd190bf3717a12cd237961cdb74793930af7d63c57e4b868dbe09b8f03604a5a2e2b7fda4f9210aca193758f848d353f68f5913887c6e286a88519db9258401e939a2b541ea2b970460afa999f9fd26ba5b7c109d1088a3c2d42873691ff2ccb482289205190d0349c1f5b559f5f84e2bfa45e0152111d2c54ccd7d6212c50b5de6f0add83776bc70b319a108076fde4973d281e0f020f33dd8f7d57501216c6499d40dd8ac64566a564fee1abf5d3667d3b9bc9c904dfba7c0ca42b0d8267b16e8fe257f11c45f2fbe2d9bba0f688d12c4ffb563b68fc1e8be829f600829c49fdac4f757ea24e774d000ef3caa359f1a34ef54c77a3c0c11fc3a5849efd089b301356ff4c88a811abfdadeac18a64f61ea2d79146c18c0d3f066abc0b0fa9e803a8a3e99a960be0c4b40a7a36a7d2880ff89a17f7db91181f67dd134ae7751ac0bcdf047c262834fe3ad8ca28e2f74c3ad7f370b6f184fb58001f1b12c1aa214117f3b253162d2a29a5096d6620324c63c5e32a3cf7384664a09a978dbbebe0b6e34d1aaa1b959e620b0e37750322453dcd172537bd90717c9c9508ad1f3b9281091562c62a2a3004b89d35ee7cb6ea1927b32ffac4bdeaa1b596c5a136e0dd4498fbd3c3a6f17c4ee2668ab03229a4a013", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000001f9800c911029569be00000000001f", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] - } - ], - "Tags": [ - "winio64.sys" - ] - }, - { - "Id": "7bb5ff05-25f8-410d-ae99-c8e8f082d24f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create WinRing0.sys binPath=C:\\windows\\temp\\WinRing0.sys type=kernel && sc.exe start 
WinRing0.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WinRing0.sys", - "MD5": "828bb9cb1dd449cd65a29b18ec46055f", - "SHA1": "558aad879b6a47d94a968f39d0a4e3a3aaef1ef1", - "SHA256": "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8", - "Signature": [ - "TOSHIBA AMERICA INFORMATION SYSTEMS, INC.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "OpenLibSys.org", - "Description": "WinRing0", - "Product": "WinRing0", - "ProductVersion": "1.0.1.2", - "FileVersion": "1.0.1.2", + "Description": "VirtualBox Support Driver", + "Company": "Pinduoduo Ltd Corp", + "InternalName": "VBoxDrv", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "1.2.0.137904", + "Product": "Pinduoduo Secure VDI", + "ProductVersion": "1.2.0.137904", + "Copyright": "Copyright (C) 2015-2021 Pinduoduo Corporation", "MachineType": "AMD64", - "OriginalFilename": "WinRing0.sys", - "Authentihash": { - "MD5": "650fa4b522e8d06d0cdfa4bf278e85f1", - "SHA1": "dfe2533a4398d67dfc722eb8d9f8ffa3a823a721", - "SHA256": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3" - }, - "InternalName": "WinRing0.sys", - "Copyright": "Copyright (C) 2007 OpenLibSys.org. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "?RTAsn1VideotexString_CheckSanity@@YAHPEBURTASN1STRING@@IPEAURTERRINFO@@PEBD@Z", + "?RTAsn1VideotexString_Clone@@YAHPEAURTASN1STRING@@PEBU1@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTAsn1VideotexString_Compare@@YAHPEBURTASN1STRING@@0@Z", + "?RTAsn1VideotexString_DecodeAsn1@@YAHPEAURTASN1CURSOR@@IPEAURTASN1STRING@@PEBD@Z", + "?RTAsn1VideotexString_Delete@@YAXPEAURTASN1STRING@@@Z", + "?RTAsn1VideotexString_Enum@@YAHPEAURTASN1STRING@@P6AHPEAURTASN1CORE@@PEBDIPEAX@ZI3@Z", + "?RTAsn1VideotexString_Init@@YAHPEAURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrPkcs7Cert_SetAcV1@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrPkcs7Cert_SetAcV2@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrPkcs7Cert_SetExtendedCert@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrPkcs7Cert_SetOtherCert@@YAHPEAURTCRPKCS7CERT@@PEBURTASN1CORE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrPkcs7Cert_SetX509Cert@@YAHPEAURTCRPKCS7CERT@@PEBURTCRX509CERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrSpcLink_SetFile@@YAHPEAURTCRSPCLINK@@PEBURTCRSPCSTRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrSpcLink_SetMoniker@@YAHPEAURTCRSPCLINK@@PEBURTCRSPCSERIALIZEDOBJECT@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrSpcLink_SetUrl@@YAHPEAURTCRSPCLINK@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrSpcString_SetAscii@@YAHPEAURTCRSPCSTRING@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrSpcString_SetUcs2@@YAHPEAURTCRSPCSTRING@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrTafTrustAnchorChoice_SetCertificate@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRX509CERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrTafTrustAnchorChoice_SetTaInfo@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRTAFTRUSTANCHORINFO@@PEBURTASN1ALLOCATORVTABLE@@@Z", + 
"?RTCrTafTrustAnchorChoice_SetTbsCert@@YAHPEAURTCRTAFTRUSTANCHORCHOICE@@PEBURTCRX509TBSCERTIFICATE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280@@YA_NPEBURTCRX509ATTRIBUTETYPEANDVALUE@@0@Z", + "?RTCrX509GeneralName_SetDirectoryName@@YAHPEAURTCRX509GENERALNAME@@PEBURTCRX509NAME@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetDnsType@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetEdiPartyName@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1DYNTYPE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetIpAddress@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1OCTETSTRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetOtherName@@YAHPEAURTCRX509GENERALNAME@@PEBURTCRX509OTHERNAME@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetRegisteredId@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1OBJID@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetRfc822@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetUri@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1STRING@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509GeneralName_SetX400Address@@YAHPEAURTCRX509GENERALNAME@@PEBURTASN1DYNTYPE@@PEBURTASN1ALLOCATORVTABLE@@@Z", + "?RTCrX509RelativeDistinguishedName_MatchByRfc5280@@YA_NPEBURTCRX509ATTRIBUTETYPEANDVALUES@@0@Z", + "ASMAtomicBitClear", + "ASMAtomicXchgU16", + "ASMAtomicXchgU8", + "ASMCpuIdExSlow", + "ASMGetCS", + "ASMGetDS", + "ASMGetES", + "ASMGetFS", + "ASMGetFlags", + "ASMGetGS", + "ASMGetIDTR", + "ASMGetSS", + "ASMMemFirstMismatchingU8", + "ASMMemFirstNonZero", + "ASMMultU64ByU32DivByU32", + "ASMNopPause", + "ASMSetFlags", + "RTAsn1BitString_AreContentBitsValid", + "RTAsn1BitString_CheckSanity", + "RTAsn1BitString_Clone", + "RTAsn1BitString_Compare", + "RTAsn1BitString_DecodeAsn1", + "RTAsn1BitString_DecodeAsn1Ex", + "RTAsn1BitString_Delete", + "RTAsn1BitString_Enum", + "RTAsn1BitString_GetAsUInt64", + 
"RTAsn1BitString_Init", + "RTAsn1BitString_RefreshContent", + "RTAsn1BmpString_CheckSanity", + "RTAsn1BmpString_Clone", + "RTAsn1BmpString_Compare", + "RTAsn1BmpString_DecodeAsn1", + "RTAsn1BmpString_Delete", + "RTAsn1BmpString_Enum", + "RTAsn1BmpString_Init", + "RTAsn1Boolean_CheckSanity", + "RTAsn1Boolean_Clone", + "RTAsn1Boolean_Compare", + "RTAsn1Boolean_DecodeAsn1", + "RTAsn1Boolean_Delete", + "RTAsn1Boolean_Enum", + "RTAsn1Boolean_Init", + "RTAsn1Boolean_InitDefault", + "RTAsn1Boolean_Set", + "RTAsn1ContentAllocZ", + "RTAsn1ContentDup", + "RTAsn1ContentFree", + "RTAsn1ContentReallocZ", + "RTAsn1ContextTagN_Clone", + "RTAsn1ContextTagN_Init", + "RTAsn1Core_ChangeTag", + "RTAsn1Core_CheckSanity", + "RTAsn1Core_Clone", + "RTAsn1Core_CloneContent", + "RTAsn1Core_CloneNoContent", + "RTAsn1Core_Compare", + "RTAsn1Core_CompareEx", + "RTAsn1Core_DecodeAsn1", + "RTAsn1Core_Delete", + "RTAsn1Core_Enum", + "RTAsn1Core_Init", + "RTAsn1Core_InitDefault", + "RTAsn1Core_InitEx", + "RTAsn1Core_ResetImplict", + "RTAsn1Core_SetTagAndFlags", + "RTAsn1CursorCheckEnd", + "RTAsn1CursorCheckOctStrEnd", + "RTAsn1CursorCheckSeqEnd", + "RTAsn1CursorCheckSetEnd", + "RTAsn1CursorGetBitString", + "RTAsn1CursorGetBitStringEx", + "RTAsn1CursorGetBmpString", + "RTAsn1CursorGetBoolean", + "RTAsn1CursorGetContextTagNCursor", + "RTAsn1CursorGetCore", + "RTAsn1CursorGetDynType", + "RTAsn1CursorGetIa5String", + "RTAsn1CursorGetInteger", + "RTAsn1CursorGetNull", + "RTAsn1CursorGetObjId", + "RTAsn1CursorGetOctetString", + "RTAsn1CursorGetSequenceCursor", + "RTAsn1CursorGetSetCursor", + "RTAsn1CursorGetString", + "RTAsn1CursorGetTime", + "RTAsn1CursorGetUtf8String", + "RTAsn1CursorInitAllocation", + "RTAsn1CursorInitArrayAllocation", + "RTAsn1CursorInitPrimary", + "RTAsn1CursorInitSub", + "RTAsn1CursorInitSubFromCore", + "RTAsn1CursorIsEnd", + "RTAsn1CursorIsNextEx", + "RTAsn1CursorMatchTagClassFlagsEx", + "RTAsn1CursorPeek", + "RTAsn1CursorReadHdr", + "RTAsn1CursorSetInfo", + 
"RTAsn1CursorSetInfoV", + "RTAsn1Dummy_InitEx", + "RTAsn1Dump", + "RTAsn1DynType_CheckSanity", + "RTAsn1DynType_Clone", + "RTAsn1DynType_Compare", + "RTAsn1DynType_DecodeAsn1", + "RTAsn1DynType_Delete", + "RTAsn1DynType_Enum", + "RTAsn1DynType_Init", + "RTAsn1EncodePrepare", + "RTAsn1EncodeRecalcHdrSize", + "RTAsn1EncodeToBuffer", + "RTAsn1EncodeWrite", + "RTAsn1EncodeWriteHeader", + "RTAsn1GeneralString_CheckSanity", + "RTAsn1GeneralString_Clone", + "RTAsn1GeneralString_Compare", + "RTAsn1GeneralString_DecodeAsn1", + "RTAsn1GeneralString_Delete", + "RTAsn1GeneralString_Enum", + "RTAsn1GeneralString_Init", + "RTAsn1GeneralizedTime_CheckSanity", + "RTAsn1GeneralizedTime_Clone", + "RTAsn1GeneralizedTime_Compare", + "RTAsn1GeneralizedTime_DecodeAsn1", + "RTAsn1GeneralizedTime_Delete", + "RTAsn1GeneralizedTime_Enum", + "RTAsn1GeneralizedTime_Init", + "RTAsn1GraphicString_CheckSanity", + "RTAsn1GraphicString_Clone", + "RTAsn1GraphicString_Compare", + "RTAsn1GraphicString_DecodeAsn1", + "RTAsn1GraphicString_Delete", + "RTAsn1GraphicString_Enum", + "RTAsn1GraphicString_Init", + "RTAsn1Ia5String_CheckSanity", + "RTAsn1Ia5String_Clone", + "RTAsn1Ia5String_Compare", + "RTAsn1Ia5String_DecodeAsn1", + "RTAsn1Ia5String_Delete", + "RTAsn1Ia5String_Enum", + "RTAsn1Ia5String_Init", + "RTAsn1Integer_CheckSanity", + "RTAsn1Integer_Clone", + "RTAsn1Integer_Compare", + "RTAsn1Integer_DecodeAsn1", + "RTAsn1Integer_Delete", + "RTAsn1Integer_Enum", + "RTAsn1Integer_FromBigNum", + "RTAsn1Integer_Init", + "RTAsn1Integer_InitDefault", + "RTAsn1Integer_InitU64", + "RTAsn1Integer_ToBigNum", + "RTAsn1Integer_ToString", + "RTAsn1Integer_UnsignedCompare", + "RTAsn1Integer_UnsignedCompareWithU32", + "RTAsn1Integer_UnsignedCompareWithU64", + "RTAsn1Integer_UnsignedLastBit", + "RTAsn1MemAllocZ", + "RTAsn1MemDup", + "RTAsn1MemFree", + "RTAsn1MemFreeArray", + "RTAsn1MemInitAllocation", + "RTAsn1MemInitArrayAllocation", + "RTAsn1MemResizeArray", + "RTAsn1Null_CheckSanity", + "RTAsn1Null_Clone", + 
"RTAsn1Null_Compare", + "RTAsn1Null_DecodeAsn1", + "RTAsn1Null_Delete", + "RTAsn1Null_Enum", + "RTAsn1Null_Init", + "RTAsn1NumericString_CheckSanity", + "RTAsn1NumericString_Clone", + "RTAsn1NumericString_Compare", + "RTAsn1NumericString_DecodeAsn1", + "RTAsn1NumericString_Delete", + "RTAsn1NumericString_Enum", + "RTAsn1NumericString_Init", + "RTAsn1ObjIdCountComponents", + "RTAsn1ObjIdGetComponentsAsUInt32", + "RTAsn1ObjIdGetLastComponentsAsUInt32", + "RTAsn1ObjId_CheckSanity", + "RTAsn1ObjId_Clone", + "RTAsn1ObjId_Compare", + "RTAsn1ObjId_CompareWithString", + "RTAsn1ObjId_DecodeAsn1", + "RTAsn1ObjId_Delete", + "RTAsn1ObjId_Enum", + "RTAsn1ObjId_Init", + "RTAsn1ObjId_InitFromString", + "RTAsn1ObjId_StartsWith", + "RTAsn1OctetString_AreContentBytesValid", + "RTAsn1OctetString_CheckSanity", + "RTAsn1OctetString_Clone", + "RTAsn1OctetString_Compare", + "RTAsn1OctetString_DecodeAsn1", + "RTAsn1OctetString_Delete", + "RTAsn1OctetString_Enum", + "RTAsn1OctetString_Init", + "RTAsn1OctetString_RefreshContent", + "RTAsn1PrintableString_CheckSanity", + "RTAsn1PrintableString_Clone", + "RTAsn1PrintableString_Compare", + "RTAsn1PrintableString_DecodeAsn1", + "RTAsn1PrintableString_Delete", + "RTAsn1PrintableString_Enum", + "RTAsn1PrintableString_Init", + "RTAsn1QueryObjIdName", + "RTAsn1SeqOfBitStrings_CheckSanity", + "RTAsn1SeqOfBitStrings_Clone", + "RTAsn1SeqOfBitStrings_Compare", + "RTAsn1SeqOfBitStrings_DecodeAsn1", + "RTAsn1SeqOfBitStrings_Delete", + "RTAsn1SeqOfBitStrings_Enum", + "RTAsn1SeqOfBitStrings_Erase", + "RTAsn1SeqOfBitStrings_Init", + "RTAsn1SeqOfBitStrings_InsertEx", + "RTAsn1SeqOfBooleans_CheckSanity", + "RTAsn1SeqOfBooleans_Clone", + "RTAsn1SeqOfBooleans_Compare", + "RTAsn1SeqOfBooleans_DecodeAsn1", + "RTAsn1SeqOfBooleans_Delete", + "RTAsn1SeqOfBooleans_Enum", + "RTAsn1SeqOfBooleans_Erase", + "RTAsn1SeqOfBooleans_Init", + "RTAsn1SeqOfBooleans_InsertEx", + "RTAsn1SeqOfCore_Clone", + "RTAsn1SeqOfCore_Init", + "RTAsn1SeqOfCores_CheckSanity", + 
"RTAsn1SeqOfCores_Clone", + "RTAsn1SeqOfCores_Compare", + "RTAsn1SeqOfCores_DecodeAsn1", + "RTAsn1SeqOfCores_Delete", + "RTAsn1SeqOfCores_Enum", + "RTAsn1SeqOfCores_Erase", + "RTAsn1SeqOfCores_Init", + "RTAsn1SeqOfCores_InsertEx", + "RTAsn1SeqOfIntegers_CheckSanity", + "RTAsn1SeqOfIntegers_Clone", + "RTAsn1SeqOfIntegers_Compare", + "RTAsn1SeqOfIntegers_DecodeAsn1", + "RTAsn1SeqOfIntegers_Delete", + "RTAsn1SeqOfIntegers_Enum", + "RTAsn1SeqOfIntegers_Erase", + "RTAsn1SeqOfIntegers_Init", + "RTAsn1SeqOfIntegers_InsertEx", + "RTAsn1SeqOfObjIds_CheckSanity", + "RTAsn1SeqOfObjIds_Clone", + "RTAsn1SeqOfObjIds_Compare", + "RTAsn1SeqOfObjIds_DecodeAsn1", + "RTAsn1SeqOfObjIds_Delete", + "RTAsn1SeqOfObjIds_Enum", + "RTAsn1SeqOfObjIds_Erase", + "RTAsn1SeqOfObjIds_Init", + "RTAsn1SeqOfObjIds_InsertEx", + "RTAsn1SeqOfOctetStrings_CheckSanity", + "RTAsn1SeqOfOctetStrings_Clone", + "RTAsn1SeqOfOctetStrings_Compare", + "RTAsn1SeqOfOctetStrings_DecodeAsn1", + "RTAsn1SeqOfOctetStrings_Delete", + "RTAsn1SeqOfOctetStrings_Enum", + "RTAsn1SeqOfOctetStrings_Erase", + "RTAsn1SeqOfOctetStrings_Init", + "RTAsn1SeqOfOctetStrings_InsertEx", + "RTAsn1SeqOfStrings_CheckSanity", + "RTAsn1SeqOfStrings_Clone", + "RTAsn1SeqOfStrings_Compare", + "RTAsn1SeqOfStrings_DecodeAsn1", + "RTAsn1SeqOfStrings_Delete", + "RTAsn1SeqOfStrings_Enum", + "RTAsn1SeqOfStrings_Erase", + "RTAsn1SeqOfStrings_Init", + "RTAsn1SeqOfStrings_InsertEx", + "RTAsn1SeqOfTimes_CheckSanity", + "RTAsn1SeqOfTimes_Clone", + "RTAsn1SeqOfTimes_Compare", + "RTAsn1SeqOfTimes_DecodeAsn1", + "RTAsn1SeqOfTimes_Delete", + "RTAsn1SeqOfTimes_Enum", + "RTAsn1SeqOfTimes_Erase", + "RTAsn1SeqOfTimes_Init", + "RTAsn1SeqOfTimes_InsertEx", + "RTAsn1SequenceCore_Clone", + "RTAsn1SequenceCore_Init", + "RTAsn1SetCore_Clone", + "RTAsn1SetCore_Init", + "RTAsn1SetOfBitStrings_CheckSanity", + "RTAsn1SetOfBitStrings_Clone", + "RTAsn1SetOfBitStrings_Compare", + "RTAsn1SetOfBitStrings_DecodeAsn1", + "RTAsn1SetOfBitStrings_Delete", + 
"RTAsn1SetOfBitStrings_Enum", + "RTAsn1SetOfBitStrings_Erase", + "RTAsn1SetOfBitStrings_Init", + "RTAsn1SetOfBitStrings_InsertEx", + "RTAsn1SetOfBooleans_CheckSanity", + "RTAsn1SetOfBooleans_Clone", + "RTAsn1SetOfBooleans_Compare", + "RTAsn1SetOfBooleans_DecodeAsn1", + "RTAsn1SetOfBooleans_Delete", + "RTAsn1SetOfBooleans_Enum", + "RTAsn1SetOfBooleans_Erase", + "RTAsn1SetOfBooleans_Init", + "RTAsn1SetOfBooleans_InsertEx", + "RTAsn1SetOfCore_Clone", + "RTAsn1SetOfCore_Init", + "RTAsn1SetOfCores_CheckSanity", + "RTAsn1SetOfCores_Clone", + "RTAsn1SetOfCores_Compare", + "RTAsn1SetOfCores_DecodeAsn1", + "RTAsn1SetOfCores_Delete", + "RTAsn1SetOfCores_Enum", + "RTAsn1SetOfCores_Erase", + "RTAsn1SetOfCores_Init", + "RTAsn1SetOfCores_InsertEx", + "RTAsn1SetOfIntegers_CheckSanity", + "RTAsn1SetOfIntegers_Clone", + "RTAsn1SetOfIntegers_Compare", + "RTAsn1SetOfIntegers_DecodeAsn1", + "RTAsn1SetOfIntegers_Delete", + "RTAsn1SetOfIntegers_Enum", + "RTAsn1SetOfIntegers_Erase", + "RTAsn1SetOfIntegers_Init", + "RTAsn1SetOfIntegers_InsertEx", + "RTAsn1SetOfObjIdSeqs_CheckSanity", + "RTAsn1SetOfObjIdSeqs_Clone", + "RTAsn1SetOfObjIdSeqs_Compare", + "RTAsn1SetOfObjIdSeqs_DecodeAsn1", + "RTAsn1SetOfObjIdSeqs_Delete", + "RTAsn1SetOfObjIdSeqs_Enum", + "RTAsn1SetOfObjIdSeqs_Erase", + "RTAsn1SetOfObjIdSeqs_Init", + "RTAsn1SetOfObjIdSeqs_InsertEx", + "RTAsn1SetOfObjIds_CheckSanity", + "RTAsn1SetOfObjIds_Clone", + "RTAsn1SetOfObjIds_Compare", + "RTAsn1SetOfObjIds_DecodeAsn1", + "RTAsn1SetOfObjIds_Delete", + "RTAsn1SetOfObjIds_Enum", + "RTAsn1SetOfObjIds_Erase", + "RTAsn1SetOfObjIds_Init", + "RTAsn1SetOfObjIds_InsertEx", + "RTAsn1SetOfOctetStrings_CheckSanity", + "RTAsn1SetOfOctetStrings_Clone", + "RTAsn1SetOfOctetStrings_Compare", + "RTAsn1SetOfOctetStrings_DecodeAsn1", + "RTAsn1SetOfOctetStrings_Delete", + "RTAsn1SetOfOctetStrings_Enum", + "RTAsn1SetOfOctetStrings_Erase", + "RTAsn1SetOfOctetStrings_Init", + "RTAsn1SetOfOctetStrings_InsertEx", + "RTAsn1SetOfStrings_CheckSanity", + 
"RTAsn1SetOfStrings_Clone", + "RTAsn1SetOfStrings_Compare", + "RTAsn1SetOfStrings_DecodeAsn1", + "RTAsn1SetOfStrings_Delete", + "RTAsn1SetOfStrings_Enum", + "RTAsn1SetOfStrings_Erase", + "RTAsn1SetOfStrings_Init", + "RTAsn1SetOfStrings_InsertEx", + "RTAsn1SetOfTimes_CheckSanity", + "RTAsn1SetOfTimes_Clone", + "RTAsn1SetOfTimes_Compare", + "RTAsn1SetOfTimes_DecodeAsn1", + "RTAsn1SetOfTimes_Delete", + "RTAsn1SetOfTimes_Enum", + "RTAsn1SetOfTimes_Erase", + "RTAsn1SetOfTimes_Init", + "RTAsn1SetOfTimes_InsertEx", + "RTAsn1String_CheckSanity", + "RTAsn1String_Clone", + "RTAsn1String_Compare", + "RTAsn1String_CompareEx", + "RTAsn1String_CompareValues", + "RTAsn1String_CompareWithString", + "RTAsn1String_DecodeAsn1", + "RTAsn1String_Delete", + "RTAsn1String_Enum", + "RTAsn1String_Init", + "RTAsn1String_InitEx", + "RTAsn1String_InitWithValue", + "RTAsn1String_QueryUtf8", + "RTAsn1String_QueryUtf8Len", + "RTAsn1String_RecodeAsUtf8", + "RTAsn1T61String_CheckSanity", + "RTAsn1T61String_Clone", + "RTAsn1T61String_Compare", + "RTAsn1T61String_DecodeAsn1", + "RTAsn1T61String_Delete", + "RTAsn1T61String_Enum", + "RTAsn1T61String_Init", + "RTAsn1Time_CheckSanity", + "RTAsn1Time_Clone", + "RTAsn1Time_Compare", + "RTAsn1Time_CompareWithTimeSpec", + "RTAsn1Time_DecodeAsn1", + "RTAsn1Time_Delete", + "RTAsn1Time_Enum", + "RTAsn1Time_Init", + "RTAsn1Time_InitEx", + "RTAsn1UniversalString_CheckSanity", + "RTAsn1UniversalString_Clone", + "RTAsn1UniversalString_Compare", + "RTAsn1UniversalString_DecodeAsn1", + "RTAsn1UniversalString_Delete", + "RTAsn1UniversalString_Enum", + "RTAsn1UniversalString_Init", + "RTAsn1UtcTime_CheckSanity", + "RTAsn1UtcTime_Clone", + "RTAsn1UtcTime_Compare", + "RTAsn1UtcTime_DecodeAsn1", + "RTAsn1UtcTime_Delete", + "RTAsn1UtcTime_Enum", + "RTAsn1UtcTime_Init", + "RTAsn1Utf8String_CheckSanity", + "RTAsn1Utf8String_Clone", + "RTAsn1Utf8String_Compare", + "RTAsn1Utf8String_DecodeAsn1", + "RTAsn1Utf8String_Delete", + "RTAsn1Utf8String_Enum", + 
"RTAsn1Utf8String_Init", + "RTAsn1VisibleString_CheckSanity", + "RTAsn1VisibleString_Clone", + "RTAsn1VisibleString_Compare", + "RTAsn1VisibleString_DecodeAsn1", + "RTAsn1VisibleString_Delete", + "RTAsn1VisibleString_Enum", + "RTAsn1VisibleString_Init", + "RTAsn1VtCheckSanity", + "RTAsn1VtClone", + "RTAsn1VtCompare", + "RTAsn1VtDeepEnum", + "RTAsn1VtDelete", + "RTAssertAreQuiet", + "RTAssertMayPanic", + "RTAssertMsg1", + "RTAssertMsg1Weak", + "RTAssertMsg2AddV", + "RTAssertMsg2V", + "RTAssertMsg2Weak", + "RTAssertMsg2WeakV", + "RTAssertSetMayPanic", + "RTAssertSetQuiet", + "RTAssertShouldPanic", + "RTAvlPVDestroy", + "RTAvlPVDoWithAll", + "RTAvlPVGet", + "RTAvlPVGetBestFit", + "RTAvlPVInsert", + "RTAvlPVRemove", + "RTAvlPVRemoveBestFit", + "RTBigNumAdd", + "RTBigNumAssign", + "RTBigNumBitWidth", + "RTBigNumByteWidth", + "RTBigNumClone", + "RTBigNumCompare", + "RTBigNumCompareWithS64", + "RTBigNumCompareWithU64", + "RTBigNumDestroy", + "RTBigNumDivide", + "RTBigNumDivideLong", + "RTBigNumExponentiate", + "RTBigNumInit", + "RTBigNumInitZero", + "RTBigNumModExp", + "RTBigNumModulo", + "RTBigNumMultiply", + "RTBigNumNegate", + "RTBigNumNegateThis", + "RTBigNumShiftLeft", + "RTBigNumShiftRight", + "RTBigNumSubtract", + "RTBigNumToBytesBigEndian", + "RTCrCertCtxRelease", + "RTCrCertCtxRetain", + "RTCrDigestClone", + "RTCrDigestCreate", + "RTCrDigestCreateByObjId", + "RTCrDigestCreateByObjIdString", + "RTCrDigestCreateByType", + "RTCrDigestFinal", + "RTCrDigestFindByObjId", + "RTCrDigestFindByObjIdString", + "RTCrDigestFindByType", + "RTCrDigestGetAlgorithmOid", + "RTCrDigestGetConsumedSize", + "RTCrDigestGetFlags", + "RTCrDigestGetHash", + "RTCrDigestGetHashSize", + "RTCrDigestGetType", + "RTCrDigestIsFinalized", + "RTCrDigestMatch", + "RTCrDigestRelease", + "RTCrDigestReset", + "RTCrDigestRetain", + "RTCrDigestTypeToAlgorithmOid", + "RTCrDigestTypeToHashSize", + "RTCrDigestTypeToName", + "RTCrDigestUpdate", + "RTCrKeyCreateFromPublicAlgorithmAndBits", + 
"RTCrKeyCreateFromSubjectPublicKeyInfo", + "RTCrKeyGetBitCount", + "RTCrKeyGetType", + "RTCrKeyHasPrivatePart", + "RTCrKeyHasPublicPart", + "RTCrKeyQueryRsaModulus", + "RTCrKeyQueryRsaPrivateExponent", + "RTCrKeyRelease", + "RTCrKeyRetain", + "RTCrPkcs7Attribute_CheckSanity", + "RTCrPkcs7Attribute_Clone", + "RTCrPkcs7Attribute_Compare", + "RTCrPkcs7Attribute_DecodeAsn1", + "RTCrPkcs7Attribute_Delete", + "RTCrPkcs7Attribute_Enum", + "RTCrPkcs7Attribute_Init", + "RTCrPkcs7Attributes_CheckSanity", + "RTCrPkcs7Attributes_Clone", + "RTCrPkcs7Attributes_Compare", + "RTCrPkcs7Attributes_DecodeAsn1", + "RTCrPkcs7Attributes_Delete", + "RTCrPkcs7Attributes_Enum", + "RTCrPkcs7Attributes_Erase", + "RTCrPkcs7Attributes_Init", + "RTCrPkcs7Attributes_InsertEx", + "RTCrPkcs7Cert_CheckSanity", + "RTCrPkcs7Cert_Clone", + "RTCrPkcs7Cert_Compare", + "RTCrPkcs7Cert_DecodeAsn1", + "RTCrPkcs7Cert_Delete", + "RTCrPkcs7Cert_Enum", + "RTCrPkcs7Cert_Init", + "RTCrPkcs7ContentInfo_CheckSanity", + "RTCrPkcs7ContentInfo_Clone", + "RTCrPkcs7ContentInfo_Compare", + "RTCrPkcs7ContentInfo_DecodeAsn1", + "RTCrPkcs7ContentInfo_Delete", + "RTCrPkcs7ContentInfo_Enum", + "RTCrPkcs7ContentInfo_Init", + "RTCrPkcs7ContentInfo_IsSignedData", + "RTCrPkcs7DigestInfo_CheckSanity", + "RTCrPkcs7DigestInfo_Clone", + "RTCrPkcs7DigestInfo_Compare", + "RTCrPkcs7DigestInfo_DecodeAsn1", + "RTCrPkcs7DigestInfo_Delete", + "RTCrPkcs7DigestInfo_Enum", + "RTCrPkcs7DigestInfo_Init", + "RTCrPkcs7IssuerAndSerialNumber_CheckSanity", + "RTCrPkcs7IssuerAndSerialNumber_Clone", + "RTCrPkcs7IssuerAndSerialNumber_Compare", + "RTCrPkcs7IssuerAndSerialNumber_DecodeAsn1", + "RTCrPkcs7IssuerAndSerialNumber_Delete", + "RTCrPkcs7IssuerAndSerialNumber_Enum", + "RTCrPkcs7IssuerAndSerialNumber_Init", + "RTCrPkcs7SetOfCerts_CheckSanity", + "RTCrPkcs7SetOfCerts_Clone", + "RTCrPkcs7SetOfCerts_Compare", + "RTCrPkcs7SetOfCerts_DecodeAsn1", + "RTCrPkcs7SetOfCerts_Delete", + "RTCrPkcs7SetOfCerts_Enum", + "RTCrPkcs7SetOfCerts_Erase", + 
"RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber", + "RTCrPkcs7SetOfCerts_Init", + "RTCrPkcs7SetOfCerts_InsertEx", + "RTCrPkcs7SetOfContentInfos_CheckSanity", + "RTCrPkcs7SetOfContentInfos_Clone", + "RTCrPkcs7SetOfContentInfos_Compare", + "RTCrPkcs7SetOfContentInfos_DecodeAsn1", + "RTCrPkcs7SetOfContentInfos_Delete", + "RTCrPkcs7SetOfContentInfos_Enum", + "RTCrPkcs7SetOfContentInfos_Erase", + "RTCrPkcs7SetOfContentInfos_Init", + "RTCrPkcs7SetOfContentInfos_InsertEx", + "RTCrPkcs7SetOfSignedData_CheckSanity", + "RTCrPkcs7SetOfSignedData_Clone", + "RTCrPkcs7SetOfSignedData_Compare", + "RTCrPkcs7SetOfSignedData_DecodeAsn1", + "RTCrPkcs7SetOfSignedData_Delete", + "RTCrPkcs7SetOfSignedData_Enum", + "RTCrPkcs7SetOfSignedData_Erase", + "RTCrPkcs7SetOfSignedData_Init", + "RTCrPkcs7SetOfSignedData_InsertEx", + "RTCrPkcs7SignedData_CheckSanity", + "RTCrPkcs7SignedData_Clone", + "RTCrPkcs7SignedData_Compare", + "RTCrPkcs7SignedData_DecodeAsn1", + "RTCrPkcs7SignedData_Delete", + "RTCrPkcs7SignedData_Enum", + "RTCrPkcs7SignedData_Init", + "RTCrPkcs7SignerInfo_CheckSanity", + "RTCrPkcs7SignerInfo_Clone", + "RTCrPkcs7SignerInfo_Compare", + "RTCrPkcs7SignerInfo_DecodeAsn1", + "RTCrPkcs7SignerInfo_Delete", + "RTCrPkcs7SignerInfo_Enum", + "RTCrPkcs7SignerInfo_GetMsTimestamp", + "RTCrPkcs7SignerInfo_GetSigningTime", + "RTCrPkcs7SignerInfo_Init", + "RTCrPkcs7SignerInfos_CheckSanity", + "RTCrPkcs7SignerInfos_Clone", + "RTCrPkcs7SignerInfos_Compare", + "RTCrPkcs7SignerInfos_DecodeAsn1", + "RTCrPkcs7SignerInfos_Delete", + "RTCrPkcs7SignerInfos_Enum", + "RTCrPkcs7SignerInfos_Erase", + "RTCrPkcs7SignerInfos_Init", + "RTCrPkcs7SignerInfos_InsertEx", + "RTCrPkcs7VerifyCertCallbackCodeSigning", + "RTCrPkcs7VerifyCertCallbackDefault", + "RTCrPkcs7VerifySignedData", + "RTCrPkcs7VerifySignedDataWithExternalData", + "RTCrPkixGetCiperOidFromSignatureAlgorithm", + "RTCrPkixPubKeyVerifySignature", + "RTCrPkixPubKeyVerifySignedDigest", + "RTCrPkixPubKeyVerifySignedDigestByCertPubKeyInfo", + 
"RTCrPkixSignatureCreate", + "RTCrPkixSignatureCreateByObjId", + "RTCrPkixSignatureCreateByObjIdString", + "RTCrPkixSignatureRelease", + "RTCrPkixSignatureRetain", + "RTCrPkixSignatureSign", + "RTCrPkixSignatureVerify", + "RTCrPkixSignatureVerifyBitString", + "RTCrPkixSignatureVerifyOctetString", + "RTCrRsaDigestInfo_CheckSanity", + "RTCrRsaDigestInfo_Clone", + "RTCrRsaDigestInfo_Compare", + "RTCrRsaDigestInfo_DecodeAsn1", + "RTCrRsaDigestInfo_Delete", + "RTCrRsaDigestInfo_Enum", + "RTCrRsaDigestInfo_Init", + "RTCrRsaOtherPrimeInfo_CheckSanity", + "RTCrRsaOtherPrimeInfo_Clone", + "RTCrRsaOtherPrimeInfo_Compare", + "RTCrRsaOtherPrimeInfo_DecodeAsn1", + "RTCrRsaOtherPrimeInfo_Delete", + "RTCrRsaOtherPrimeInfo_Enum", + "RTCrRsaOtherPrimeInfo_Init", + "RTCrRsaOtherPrimeInfos_CheckSanity", + "RTCrRsaOtherPrimeInfos_Clone", + "RTCrRsaOtherPrimeInfos_Compare", + "RTCrRsaOtherPrimeInfos_DecodeAsn1", + "RTCrRsaOtherPrimeInfos_Delete", + "RTCrRsaOtherPrimeInfos_Enum", + "RTCrRsaOtherPrimeInfos_Erase", + "RTCrRsaOtherPrimeInfos_Init", + "RTCrRsaOtherPrimeInfos_InsertEx", + "RTCrRsaPrivateKey_CheckSanity", + "RTCrRsaPrivateKey_Clone", + "RTCrRsaPrivateKey_Compare", + "RTCrRsaPrivateKey_DecodeAsn1", + "RTCrRsaPrivateKey_Delete", + "RTCrRsaPrivateKey_Enum", + "RTCrRsaPrivateKey_Init", + "RTCrRsaPublicKey_CheckSanity", + "RTCrRsaPublicKey_Clone", + "RTCrRsaPublicKey_Compare", + "RTCrRsaPublicKey_DecodeAsn1", + "RTCrRsaPublicKey_Delete", + "RTCrRsaPublicKey_Enum", + "RTCrRsaPublicKey_Init", + "RTCrSpcAttributeTypeAndOptionalValue_CheckSanity", + "RTCrSpcAttributeTypeAndOptionalValue_Clone", + "RTCrSpcAttributeTypeAndOptionalValue_Compare", + "RTCrSpcAttributeTypeAndOptionalValue_DecodeAsn1", + "RTCrSpcAttributeTypeAndOptionalValue_Delete", + "RTCrSpcAttributeTypeAndOptionalValue_Enum", + "RTCrSpcAttributeTypeAndOptionalValue_Init", + "RTCrSpcIndirectDataContent_CheckSanity", + "RTCrSpcIndirectDataContent_CheckSanityEx", + "RTCrSpcIndirectDataContent_Clone", + 
"RTCrSpcIndirectDataContent_Compare", + "RTCrSpcIndirectDataContent_DecodeAsn1", + "RTCrSpcIndirectDataContent_Delete", + "RTCrSpcIndirectDataContent_Enum", + "RTCrSpcIndirectDataContent_GetPeImageObjAttrib", + "RTCrSpcIndirectDataContent_Init", + "RTCrSpcLink_CheckSanity", + "RTCrSpcLink_Clone", + "RTCrSpcLink_Compare", + "RTCrSpcLink_DecodeAsn1", + "RTCrSpcLink_Delete", + "RTCrSpcLink_Enum", + "RTCrSpcLink_Init", + "RTCrSpcPeImageData_CheckSanity", + "RTCrSpcPeImageData_Clone", + "RTCrSpcPeImageData_Compare", + "RTCrSpcPeImageData_DecodeAsn1", + "RTCrSpcPeImageData_Delete", + "RTCrSpcPeImageData_Enum", + "RTCrSpcPeImageData_Init", + "RTCrSpcSerializedObjectAttribute_CheckSanity", + "RTCrSpcSerializedObjectAttribute_Clone", + "RTCrSpcSerializedObjectAttribute_Compare", + "RTCrSpcSerializedObjectAttribute_DecodeAsn1", + "RTCrSpcSerializedObjectAttribute_Delete", + "RTCrSpcSerializedObjectAttribute_Enum", + "RTCrSpcSerializedObjectAttribute_Init", + "RTCrSpcSerializedObjectAttributes_CheckSanity", + "RTCrSpcSerializedObjectAttributes_Clone", + "RTCrSpcSerializedObjectAttributes_Compare", + "RTCrSpcSerializedObjectAttributes_DecodeAsn1", + "RTCrSpcSerializedObjectAttributes_Delete", + "RTCrSpcSerializedObjectAttributes_Enum", + "RTCrSpcSerializedObjectAttributes_Erase", + "RTCrSpcSerializedObjectAttributes_Init", + "RTCrSpcSerializedObjectAttributes_InsertEx", + "RTCrSpcSerializedObject_CheckSanity", + "RTCrSpcSerializedObject_Clone", + "RTCrSpcSerializedObject_Compare", + "RTCrSpcSerializedObject_DecodeAsn1", + "RTCrSpcSerializedObject_Delete", + "RTCrSpcSerializedObject_Enum", + "RTCrSpcSerializedObject_Init", + "RTCrSpcSerializedPageHashes_CheckSanity", + "RTCrSpcSerializedPageHashes_Clone", + "RTCrSpcSerializedPageHashes_Compare", + "RTCrSpcSerializedPageHashes_DecodeAsn1", + "RTCrSpcSerializedPageHashes_Delete", + "RTCrSpcSerializedPageHashes_Enum", + "RTCrSpcSerializedPageHashes_Init", + "RTCrSpcSerializedPageHashes_UpdateDerivedData", + 
"RTCrSpcString_CheckSanity", + "RTCrSpcString_Clone", + "RTCrSpcString_Compare", + "RTCrSpcString_DecodeAsn1", + "RTCrSpcString_Delete", + "RTCrSpcString_Enum", + "RTCrSpcString_Init", + "RTCrStoreCertAddEncoded", + "RTCrStoreCertByIssuerAndSerialNo", + "RTCrStoreCertCount", + "RTCrStoreCertFindAll", + "RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280", + "RTCrStoreCertSearchDestroy", + "RTCrStoreCertSearchNext", + "RTCrStoreCreateInMem", + "RTCrStoreRelease", + "RTCrStoreRetain", + "RTCrTafCertPathControls_CheckSanity", + "RTCrTafCertPathControls_Clone", + "RTCrTafCertPathControls_Compare", + "RTCrTafCertPathControls_DecodeAsn1", + "RTCrTafCertPathControls_Delete", + "RTCrTafCertPathControls_Enum", + "RTCrTafCertPathControls_Init", + "RTCrTafTrustAnchorChoice_CheckSanity", + "RTCrTafTrustAnchorChoice_Clone", + "RTCrTafTrustAnchorChoice_Compare", + "RTCrTafTrustAnchorChoice_DecodeAsn1", + "RTCrTafTrustAnchorChoice_Delete", + "RTCrTafTrustAnchorChoice_Enum", + "RTCrTafTrustAnchorChoice_Init", + "RTCrTafTrustAnchorInfo_CheckSanity", + "RTCrTafTrustAnchorInfo_Clone", + "RTCrTafTrustAnchorInfo_Compare", + "RTCrTafTrustAnchorInfo_DecodeAsn1", + "RTCrTafTrustAnchorInfo_Delete", + "RTCrTafTrustAnchorInfo_Enum", + "RTCrTafTrustAnchorInfo_Init", + "RTCrTafTrustAnchorList_CheckSanity", + "RTCrTafTrustAnchorList_Clone", + "RTCrTafTrustAnchorList_Compare", + "RTCrTafTrustAnchorList_DecodeAsn1", + "RTCrTafTrustAnchorList_Delete", + "RTCrTafTrustAnchorList_Enum", + "RTCrTafTrustAnchorList_Erase", + "RTCrTafTrustAnchorList_Init", + "RTCrTafTrustAnchorList_InsertEx", + "RTCrTspAccuracy_CheckSanity", + "RTCrTspAccuracy_Clone", + "RTCrTspAccuracy_Compare", + "RTCrTspAccuracy_DecodeAsn1", + "RTCrTspAccuracy_Delete", + "RTCrTspAccuracy_Enum", + "RTCrTspAccuracy_Init", + "RTCrTspMessageImprint_CheckSanity", + "RTCrTspMessageImprint_Clone", + "RTCrTspMessageImprint_Compare", + "RTCrTspMessageImprint_DecodeAsn1", + "RTCrTspMessageImprint_Delete", + "RTCrTspMessageImprint_Enum", + 
"RTCrTspMessageImprint_Init", + "RTCrTspTstInfo_CheckSanity", + "RTCrTspTstInfo_Clone", + "RTCrTspTstInfo_Compare", + "RTCrTspTstInfo_DecodeAsn1", + "RTCrTspTstInfo_Delete", + "RTCrTspTstInfo_Enum", + "RTCrTspTstInfo_Init", + "RTCrX509AlgorithmIdentifier_CheckSanity", + "RTCrX509AlgorithmIdentifier_Clone", + "RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest", + "RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid", + "RTCrX509AlgorithmIdentifier_Compare", + "RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest", + "RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid", + "RTCrX509AlgorithmIdentifier_CompareWithString", + "RTCrX509AlgorithmIdentifier_DecodeAsn1", + "RTCrX509AlgorithmIdentifier_Delete", + "RTCrX509AlgorithmIdentifier_Enum", + "RTCrX509AlgorithmIdentifier_Init", + "RTCrX509AlgorithmIdentifier_QueryDigestSize", + "RTCrX509AlgorithmIdentifier_QueryDigestType", + "RTCrX509AlgorithmIdentifiers_CheckSanity", + "RTCrX509AlgorithmIdentifiers_Clone", + "RTCrX509AlgorithmIdentifiers_Compare", + "RTCrX509AlgorithmIdentifiers_DecodeAsn1", + "RTCrX509AlgorithmIdentifiers_Delete", + "RTCrX509AlgorithmIdentifiers_Enum", + "RTCrX509AlgorithmIdentifiers_Erase", + "RTCrX509AlgorithmIdentifiers_Init", + "RTCrX509AlgorithmIdentifiers_InsertEx", + "RTCrX509AttributeTypeAndValue_CheckSanity", + "RTCrX509AttributeTypeAndValue_Clone", + "RTCrX509AttributeTypeAndValue_Compare", + "RTCrX509AttributeTypeAndValue_DecodeAsn1", + "RTCrX509AttributeTypeAndValue_Delete", + "RTCrX509AttributeTypeAndValue_Enum", + "RTCrX509AttributeTypeAndValue_Init", + "RTCrX509AttributeTypeAndValues_CheckSanity", + "RTCrX509AttributeTypeAndValues_Clone", + "RTCrX509AttributeTypeAndValues_Compare", + "RTCrX509AttributeTypeAndValues_DecodeAsn1", + "RTCrX509AttributeTypeAndValues_Delete", + "RTCrX509AttributeTypeAndValues_Enum", + "RTCrX509AttributeTypeAndValues_Erase", + "RTCrX509AttributeTypeAndValues_Init", + "RTCrX509AttributeTypeAndValues_InsertEx", + 
"RTCrX509AuthorityKeyIdentifier_CheckSanity", + "RTCrX509AuthorityKeyIdentifier_Clone", + "RTCrX509AuthorityKeyIdentifier_Compare", + "RTCrX509AuthorityKeyIdentifier_DecodeAsn1", + "RTCrX509AuthorityKeyIdentifier_Delete", + "RTCrX509AuthorityKeyIdentifier_Enum", + "RTCrX509AuthorityKeyIdentifier_Init", + "RTCrX509BasicConstraints_CheckSanity", + "RTCrX509BasicConstraints_Clone", + "RTCrX509BasicConstraints_Compare", + "RTCrX509BasicConstraints_DecodeAsn1", + "RTCrX509BasicConstraints_Delete", + "RTCrX509BasicConstraints_Enum", + "RTCrX509BasicConstraints_Init", + "RTCrX509CertPathsBuild", + "RTCrX509CertPathsCreate", + "RTCrX509CertPathsCreateEx", + "RTCrX509CertPathsDumpAll", + "RTCrX509CertPathsDumpOne", + "RTCrX509CertPathsGetPathCount", + "RTCrX509CertPathsGetPathLength", + "RTCrX509CertPathsGetPathNodeCert", + "RTCrX509CertPathsGetPathVerifyResult", + "RTCrX509CertPathsQueryPathInfo", + "RTCrX509CertPathsRelease", + "RTCrX509CertPathsRetain", + "RTCrX509CertPathsSetTrustedStore", + "RTCrX509CertPathsSetUntrustedArray", + "RTCrX509CertPathsSetUntrustedSet", + "RTCrX509CertPathsSetUntrustedStore", + "RTCrX509CertPathsSetValidTime", + "RTCrX509CertPathsSetValidTimeSpec", + "RTCrX509CertPathsValidateAll", + "RTCrX509CertPathsValidateOne", + "RTCrX509CertificatePolicies_CheckSanity", + "RTCrX509CertificatePolicies_Clone", + "RTCrX509CertificatePolicies_Compare", + "RTCrX509CertificatePolicies_DecodeAsn1", + "RTCrX509CertificatePolicies_Delete", + "RTCrX509CertificatePolicies_Enum", + "RTCrX509CertificatePolicies_Erase", + "RTCrX509CertificatePolicies_Init", + "RTCrX509CertificatePolicies_InsertEx", + "RTCrX509Certificate_CheckSanity", + "RTCrX509Certificate_Clone", + "RTCrX509Certificate_Compare", + "RTCrX509Certificate_DecodeAsn1", + "RTCrX509Certificate_Delete", + "RTCrX509Certificate_Enum", + "RTCrX509Certificate_Init", + "RTCrX509Certificate_IsSelfSigned", + "RTCrX509Certificate_MatchIssuerAndSerialNumber", + 
"RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280", + "RTCrX509Certificate_VerifySignature", + "RTCrX509Certificate_VerifySignatureSelfSigned", + "RTCrX509Certificates_CheckSanity", + "RTCrX509Certificates_Clone", + "RTCrX509Certificates_Compare", + "RTCrX509Certificates_DecodeAsn1", + "RTCrX509Certificates_Delete", + "RTCrX509Certificates_Enum", + "RTCrX509Certificates_Erase", + "RTCrX509Certificates_FindByIssuerAndSerialNumber", + "RTCrX509Certificates_Init", + "RTCrX509Certificates_InsertEx", + "RTCrX509Extension_CheckSanity", + "RTCrX509Extension_Clone", + "RTCrX509Extension_Compare", + "RTCrX509Extension_DecodeAsn1", + "RTCrX509Extension_Delete", + "RTCrX509Extension_Enum", + "RTCrX509Extension_ExtnValue_DecodeAsn1", + "RTCrX509Extension_Init", + "RTCrX509Extensions_CheckSanity", + "RTCrX509Extensions_Clone", + "RTCrX509Extensions_Compare", + "RTCrX509Extensions_DecodeAsn1", + "RTCrX509Extensions_Delete", + "RTCrX509Extensions_Enum", + "RTCrX509Extensions_Erase", + "RTCrX509Extensions_Init", + "RTCrX509Extensions_InsertEx", + "RTCrX509GeneralName_CheckSanity", + "RTCrX509GeneralName_Clone", + "RTCrX509GeneralName_Compare", + "RTCrX509GeneralName_ConstraintMatch", + "RTCrX509GeneralName_DecodeAsn1", + "RTCrX509GeneralName_Delete", + "RTCrX509GeneralName_Enum", + "RTCrX509GeneralName_Init", + "RTCrX509GeneralNames_CheckSanity", + "RTCrX509GeneralNames_Clone", + "RTCrX509GeneralNames_Compare", + "RTCrX509GeneralNames_DecodeAsn1", + "RTCrX509GeneralNames_Delete", + "RTCrX509GeneralNames_Enum", + "RTCrX509GeneralNames_Erase", + "RTCrX509GeneralNames_Init", + "RTCrX509GeneralNames_InsertEx", + "RTCrX509GeneralSubtree_CheckSanity", + "RTCrX509GeneralSubtree_Clone", + "RTCrX509GeneralSubtree_Compare", + "RTCrX509GeneralSubtree_ConstraintMatch", + "RTCrX509GeneralSubtree_DecodeAsn1", + "RTCrX509GeneralSubtree_Delete", + "RTCrX509GeneralSubtree_Enum", + "RTCrX509GeneralSubtree_Init", + "RTCrX509GeneralSubtrees_CheckSanity", + "RTCrX509GeneralSubtrees_Clone", + 
"RTCrX509GeneralSubtrees_Compare", + "RTCrX509GeneralSubtrees_DecodeAsn1", + "RTCrX509GeneralSubtrees_Delete", + "RTCrX509GeneralSubtrees_Enum", + "RTCrX509GeneralSubtrees_Erase", + "RTCrX509GeneralSubtrees_Init", + "RTCrX509GeneralSubtrees_InsertEx", + "RTCrX509NameConstraints_CheckSanity", + "RTCrX509NameConstraints_Clone", + "RTCrX509NameConstraints_Compare", + "RTCrX509NameConstraints_DecodeAsn1", + "RTCrX509NameConstraints_Delete", + "RTCrX509NameConstraints_Enum", + "RTCrX509NameConstraints_Init", + "RTCrX509Name_CheckSanity", + "RTCrX509Name_Clone", + "RTCrX509Name_Compare", + "RTCrX509Name_ConstraintMatch", + "RTCrX509Name_DecodeAsn1", + "RTCrX509Name_Delete", + "RTCrX509Name_Enum", + "RTCrX509Name_Erase", + "RTCrX509Name_FormatAsString", + "RTCrX509Name_GetShortRdn", + "RTCrX509Name_Init", + "RTCrX509Name_InsertEx", + "RTCrX509Name_MatchByRfc5280", + "RTCrX509Name_MatchWithString", + "RTCrX509Name_RecodeAsUtf8", + "RTCrX509OldAuthorityKeyIdentifier_CheckSanity", + "RTCrX509OldAuthorityKeyIdentifier_Clone", + "RTCrX509OldAuthorityKeyIdentifier_Compare", + "RTCrX509OldAuthorityKeyIdentifier_DecodeAsn1", + "RTCrX509OldAuthorityKeyIdentifier_Delete", + "RTCrX509OldAuthorityKeyIdentifier_Enum", + "RTCrX509OldAuthorityKeyIdentifier_Init", + "RTCrX509OtherName_CheckSanity", + "RTCrX509OtherName_Clone", + "RTCrX509OtherName_Compare", + "RTCrX509OtherName_DecodeAsn1", + "RTCrX509OtherName_Delete", + "RTCrX509OtherName_Enum", + "RTCrX509OtherName_Init", + "RTCrX509PolicyConstraints_CheckSanity", + "RTCrX509PolicyConstraints_Clone", + "RTCrX509PolicyConstraints_Compare", + "RTCrX509PolicyConstraints_DecodeAsn1", + "RTCrX509PolicyConstraints_Delete", + "RTCrX509PolicyConstraints_Enum", + "RTCrX509PolicyConstraints_Init", + "RTCrX509PolicyInformation_CheckSanity", + "RTCrX509PolicyInformation_Clone", + "RTCrX509PolicyInformation_Compare", + "RTCrX509PolicyInformation_DecodeAsn1", + "RTCrX509PolicyInformation_Delete", + "RTCrX509PolicyInformation_Enum", + 
"RTCrX509PolicyInformation_Init", + "RTCrX509PolicyMapping_CheckSanity", + "RTCrX509PolicyMapping_Clone", + "RTCrX509PolicyMapping_Compare", + "RTCrX509PolicyMapping_DecodeAsn1", + "RTCrX509PolicyMapping_Delete", + "RTCrX509PolicyMapping_Enum", + "RTCrX509PolicyMapping_Init", + "RTCrX509PolicyMappings_CheckSanity", + "RTCrX509PolicyMappings_Clone", + "RTCrX509PolicyMappings_Compare", + "RTCrX509PolicyMappings_DecodeAsn1", + "RTCrX509PolicyMappings_Delete", + "RTCrX509PolicyMappings_Enum", + "RTCrX509PolicyMappings_Erase", + "RTCrX509PolicyMappings_Init", + "RTCrX509PolicyMappings_InsertEx", + "RTCrX509PolicyQualifierInfo_CheckSanity", + "RTCrX509PolicyQualifierInfo_Clone", + "RTCrX509PolicyQualifierInfo_Compare", + "RTCrX509PolicyQualifierInfo_DecodeAsn1", + "RTCrX509PolicyQualifierInfo_Delete", + "RTCrX509PolicyQualifierInfo_Enum", + "RTCrX509PolicyQualifierInfo_Init", + "RTCrX509PolicyQualifierInfos_CheckSanity", + "RTCrX509PolicyQualifierInfos_Clone", + "RTCrX509PolicyQualifierInfos_Compare", + "RTCrX509PolicyQualifierInfos_DecodeAsn1", + "RTCrX509PolicyQualifierInfos_Delete", + "RTCrX509PolicyQualifierInfos_Enum", + "RTCrX509PolicyQualifierInfos_Erase", + "RTCrX509PolicyQualifierInfos_Init", + "RTCrX509PolicyQualifierInfos_InsertEx", + "RTCrX509SubjectPublicKeyInfo_CheckSanity", + "RTCrX509SubjectPublicKeyInfo_Clone", + "RTCrX509SubjectPublicKeyInfo_Compare", + "RTCrX509SubjectPublicKeyInfo_DecodeAsn1", + "RTCrX509SubjectPublicKeyInfo_Delete", + "RTCrX509SubjectPublicKeyInfo_Enum", + "RTCrX509SubjectPublicKeyInfo_Init", + "RTCrX509TbsCertificate_CheckSanity", + "RTCrX509TbsCertificate_Clone", + "RTCrX509TbsCertificate_Compare", + "RTCrX509TbsCertificate_DecodeAsn1", + "RTCrX509TbsCertificate_Delete", + "RTCrX509TbsCertificate_Enum", + "RTCrX509TbsCertificate_Init", + "RTCrX509TbsCertificate_ReprocessExtensions", + "RTCrX509Validity_CheckSanity", + "RTCrX509Validity_Clone", + "RTCrX509Validity_Compare", + "RTCrX509Validity_DecodeAsn1", + 
"RTCrX509Validity_Delete", + "RTCrX509Validity_Enum", + "RTCrX509Validity_Init", + "RTCrX509Validity_IsValidAtTimeSpec", + "RTCrc32", + "RTCrc32Finish", + "RTCrc32Process", + "RTCrc32Start", + "RTErrConvertFromErrno", + "RTErrConvertFromNtStatus", + "RTErrConvertToErrno", + "RTErrInfoAdd", + "RTErrInfoAddF", + "RTErrInfoAddV", + "RTErrInfoLogAndAdd", + "RTErrInfoLogAndAddF", + "RTErrInfoLogAndAddV", + "RTErrInfoLogAndSet", + "RTErrInfoLogAndSetF", + "RTErrInfoLogAndSetV", + "RTErrInfoSet", + "RTErrInfoSetF", + "RTErrInfoSetV", + "RTErrVarsAreEqual", + "RTErrVarsHaveChanged", + "RTErrVarsRestore", + "RTErrVarsSave", + "RTHandleTableAllocWithCtx", + "RTHandleTableCreate", + "RTHandleTableCreateEx", + "RTHandleTableDestroy", + "RTHandleTableFreeWithCtx", + "RTHandleTableLookupWithCtx", + "RTLatin1CalcUtf8Len", + "RTLatin1CalcUtf8LenEx", + "RTLatin1ToUtf8ExTag", + "RTLatin1ToUtf8Tag", + "RTLdrArchName", + "RTLdrClose", + "RTLdrEnumDbgInfo", + "RTLdrEnumSegments", + "RTLdrEnumSymbols", + "RTLdrGetArch", + "RTLdrGetBits", + "RTLdrGetEndian", + "RTLdrGetFormat", + "RTLdrGetFunction", + "RTLdrGetHostArch", + "RTLdrGetSymbol", + "RTLdrGetSymbolEx", + "RTLdrGetType", + "RTLdrHashImage", + "RTLdrLinkAddressToRva", + "RTLdrLinkAddressToSegOffset", + "RTLdrOpenWithReader", + "RTLdrQueryForwarderInfo", + "RTLdrQueryProp", + "RTLdrQueryPropEx", + "RTLdrRelocate", + "RTLdrRvaToSegOffset", + "RTLdrSegOffsetToRva", + "RTLdrSize", + "RTLdrUnwindFrame", + "RTLdrVerifySignature", + "RTLogClearFileDelayFlag", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDefaultInstanceEx", + "RTLogDestinations", + "RTLogDestroy", + "RTLogDumpPrintfV", + "RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGetDefaultInstanceEx", + "RTLogGetDestinations", + "RTLogGetFlags", + "RTLogGetGroupSettings", + 
"RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelGetDefaultInstance", + "RTLogRelGetDefaultInstanceEx", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetBuffering", + "RTLogRelSetDefaultInstance", + "RTLogSetBuffering", + "RTLogSetCustomPrefixCallback", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMd2", + "RTMd2Final", + "RTMd2Init", + "RTMd2Update", + "RTMd5", + "RTMd5Final", + "RTMd5FromString", + "RTMd5Init", + "RTMd5ToString", + "RTMd5Update", + "RTMemAllocExTag", + "RTMemAllocTag", + "RTMemAllocVarTag", + "RTMemAllocZTag", + "RTMemAllocZVarTag", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDupExTag", + "RTMemDupTag", + "RTMemExecAllocTag", + "RTMemExecFree", + "RTMemFree", + "RTMemFreeEx", + "RTMemFreeZ", + "RTMemReallocTag", + "RTMemReallocZTag", + "RTMemSaferAllocZExTag", + "RTMemSaferAllocZTag", + "RTMemSaferFree", + "RTMemSaferReallocZExTag", + "RTMemSaferReallocZTag", + "RTMemSaferScramble", + "RTMemSaferUnscramble", + "RTMemTmpAllocTag", + "RTMemTmpAllocZTag", + "RTMemTmpFree", + "RTMemTmpFreeZ", + "RTMemWipeThoroughly", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpCurSetIndex", + "RTMpCurSetIndexAndId", + "RTMpGetArraySize", + "RTMpGetCount", + "RTMpGetCpuGroupCounts", + "RTMpGetMaxCpuGroupCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCoreCount", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetPresentCoreCount", + "RTMpGetPresentCount", + "RTMpGetPresentSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuPresent", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnAllIsConcurrentSafe", + "RTMpOnOthers", + "RTMpOnPair", + "RTMpOnPairIsConcurrentExecSupported", + "RTMpOnSpecific", + "RTMpPokeCpu", + 
"RTMpSetIndexFromCpuGroupMember", + "RTNetIPv4AddDataChecksum", + "RTNetIPv4AddTCPChecksum", + "RTNetIPv4AddUDPChecksum", + "RTNetIPv4FinalizeChecksum", + "RTNetIPv4HdrChecksum", + "RTNetIPv4IsDHCPValid", + "RTNetIPv4IsHdrValid", + "RTNetIPv4IsTCPSizeValid", + "RTNetIPv4IsTCPValid", + "RTNetIPv4IsUDPSizeValid", + "RTNetIPv4IsUDPValid", + "RTNetIPv4PseudoChecksum", + "RTNetIPv4PseudoChecksumBits", + "RTNetIPv4TCPChecksum", + "RTNetIPv4UDPChecksum", + "RTNetIPv6PseudoChecksum", + "RTNetIPv6PseudoChecksumBits", + "RTNetIPv6PseudoChecksumEx", + "RTNetTCPChecksum", + "RTNetUDPChecksum", + "RTNtPathExpand8dot3Path", + "RTNtPathExpand8dot3PathA", + "RTNtPathFindPossible8dot3Name", + "RTOnceReset", + "RTOnceSlow", + "RTPathChangeToUnixSlashes", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0AssertPanicSystem", + "RTR0DbgKrnlInfoGetSymbol", + "RTR0DbgKrnlInfoOpen", + "RTR0DbgKrnlInfoQueryMember", + "RTR0DbgKrnlInfoQuerySize", + "RTR0DbgKrnlInfoQuerySymbol", + "RTR0DbgKrnlInfoRelease", + "RTR0DbgKrnlInfoRetain", + "RTR0Init", + "RTR0MemAreKrnlAndUsrDifferent", + "RTR0MemKernelCopyFrom", + "RTR0MemKernelCopyTo", + "RTR0MemKernelIsValidAddr", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocContTag", + "RTR0MemObjAllocLowTag", + "RTR0MemObjAllocPageTag", + "RTR0MemObjAllocPhysExTag", + "RTR0MemObjAllocPhysNCTag", + "RTR0MemObjAllocPhysTag", + "RTR0MemObjEnterPhysTag", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernelTag", + "RTR0MemObjLockUserTag", + "RTR0MemObjMapKernelExTag", + "RTR0MemObjMapKernelTag", + "RTR0MemObjMapUserExTag", + "RTR0MemObjMapUserTag", + "RTR0MemObjProtect", + "RTR0MemObjReserveKernelTag", + "RTR0MemObjReserveUserTag", + "RTR0MemObjSize", + "RTR0MemUserCopyFrom", + "RTR0MemUserCopyTo", + "RTR0MemUserIsValidAddr", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTR0TermForced", + "RTRandAdvBytes", + "RTRandAdvCreateParkMiller", + 
"RTRandAdvCreateSystemFaster", + "RTRandAdvDestroy", + "RTRandAdvRestoreState", + "RTRandAdvS32", + "RTRandAdvS32Ex", + "RTRandAdvS64", + "RTRandAdvS64Ex", + "RTRandAdvSaveState", + "RTRandAdvSeed", + "RTRandAdvU32", + "RTRandAdvU32Ex", + "RTRandAdvU64", + "RTRandAdvU64Ex", + "RTRandBytes", + "RTRandS32", + "RTRandS32Ex", + "RTRandS64", + "RTRandS64Ex", + "RTRandU32", + "RTRandU32Ex", + "RTRandU64", + "RTRandU64Ex", + "RTSemEventCreate", + "RTSemEventCreateEx", + "RTSemEventDestroy", + "RTSemEventGetResolution", + "RTSemEventMultiCreate", + "RTSemEventMultiCreateEx", + "RTSemEventMultiDestroy", + "RTSemEventMultiGetResolution", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitEx", + "RTSemEventMultiWaitExDebug", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitEx", + "RTSemEventWaitExDebug", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSemMutexCreate", + "RTSemMutexCreateEx", + "RTSemMutexDestroy", + "RTSemMutexIsOwned", + "RTSemMutexRelease", + "RTSemMutexRequest", + "RTSemMutexRequestDebug", + "RTSemMutexRequestNoResume", + "RTSemMutexRequestNoResumeDebug", + "RTSemSpinMutexCreate", + "RTSemSpinMutexDestroy", + "RTSemSpinMutexRelease", + "RTSemSpinMutexRequest", + "RTSemSpinMutexTryRequest", + "RTSha1", + "RTSha1Check", + "RTSha1Final", + "RTSha1FromString", + "RTSha1Init", + "RTSha1ToString", + "RTSha1Update", + "RTSha224", + "RTSha224Check", + "RTSha224Final", + "RTSha224Init", + "RTSha224Update", + "RTSha256", + "RTSha256Check", + "RTSha256Final", + "RTSha256FromString", + "RTSha256Init", + "RTSha256ToString", + "RTSha256Update", + "RTSha384", + "RTSha384Check", + "RTSha384Final", + "RTSha384Init", + "RTSha384Update", + "RTSha512", + "RTSha512Check", + "RTSha512Final", + "RTSha512FromString", + "RTSha512Init", + "RTSha512ToString", + "RTSha512Update", + "RTSha512t224", + 
"RTSha512t224Check", + "RTSha512t224Final", + "RTSha512t224Init", + "RTSha512t224Update", + "RTSha512t256", + "RTSha512t256Check", + "RTSha512t256Final", + "RTSha512t256Init", + "RTSha512t256Update", + "RTSpinlockAcquire", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTStrAAppendNTag", + "RTStrAAppendTag", + "RTStrATruncateTag", + "RTStrAllocExTag", + "RTStrAllocTag", + "RTStrCalcLatin1Len", + "RTStrCalcLatin1LenEx", + "RTStrCalcUtf16Len", + "RTStrCalcUtf16LenEx", + "RTStrCat", + "RTStrCmp", + "RTStrConvertHexBytes", + "RTStrConvertHexBytesEx", + "RTStrCopy", + "RTStrCopyEx", + "RTStrCopyP", + "RTStrDupExTag", + "RTStrDupNTag", + "RTStrDupTag", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatR80", + "RTStrFormatR80u2", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatU128", + "RTStrFormatU16", + "RTStrFormatU256", + "RTStrFormatU32", + "RTStrFormatU512", + "RTStrFormatU64", + "RTStrFormatU8", + "RTStrFormatV", + "RTStrFree", + "RTStrGetCpExInternal", + "RTStrGetCpInternal", + "RTStrGetCpNExInternal", + "RTStrICmp", + "RTStrICmpAscii", + "RTStrIStr", + "RTStrIsValidEncoding", + "RTStrNCmp", + "RTStrNICmp", + "RTStrNLen", + "RTStrPrevCp", + "RTStrPrintHexBytes", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrPurgeComplementSet", + "RTStrPurgeEncoding", + "RTStrPutCpInternal", + "RTStrReallocTag", + "RTStrStrip", + "RTStrStripL", + "RTStrStripR", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToLatin1ExTag", + "RTStrToLatin1Tag", + "RTStrToLower", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + 
"RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTStrToUni", + "RTStrToUniEx", + "RTStrToUpper", + "RTStrToUtf16BigExTag", + "RTStrToUtf16BigTag", + "RTStrToUtf16ExTag", + "RTStrToUtf16Tag", + "RTStrUniLen", + "RTStrUniLenEx", + "RTStrValidateEncoding", + "RTStrValidateEncodingEx", + "RTTermDeregisterCallback", + "RTTermRegisterCallback", + "RTTermRunCallbacks", + "RTThreadCreate", + "RTThreadCreateF", + "RTThreadCreateV", + "RTThreadCtxHookCreate", + "RTThreadCtxHookDestroy", + "RTThreadCtxHookDisable", + "RTThreadCtxHookEnable", + "RTThreadCtxHookIsEnabled", + "RTThreadFromNative", + "RTThreadGetName", + "RTThreadGetNative", + "RTThreadGetType", + "RTThreadIsInInterrupt", + "RTThreadIsInitialized", + "RTThreadIsMain", + "RTThreadIsSelfAlive", + "RTThreadIsSelfKnown", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptIsPending", + "RTThreadPreemptIsPendingTrusty", + "RTThreadPreemptIsPossible", + "RTThreadPreemptRestore", + "RTThreadSelf", + "RTThreadSelfName", + "RTThreadSetName", + "RTThreadSetType", + "RTThreadSleep", + "RTThreadUserReset", + "RTThreadUserSignal", + "RTThreadUserWait", + "RTThreadUserWaitNoResume", + "RTThreadWait", + "RTThreadWaitNoResume", + "RTThreadYield", + "RTTimeCompare", + "RTTimeConvertToZulu", + "RTTimeExplode", + "RTTimeFromRfc2822", + "RTTimeFromString", + "RTTimeImplode", + "RTTimeIsLeapYear", + "RTTimeLocalNormalize", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNormalize", + "RTTimeNow", + "RTTimeSpecFromString", + "RTTimeSpecToString", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimeToRfc2822", + "RTTimeToString", + "RTTimeToStringEx", + "RTTimerCanDoHighResolution", + "RTTimerChangeInterval", + "RTTimerCreate", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "RTUInt128MulByU64", + "RTUtf16AllocTag", + "RTUtf16BigCalcUtf8Len", + 
"RTUtf16BigCalcUtf8LenEx", + "RTUtf16BigGetCpExInternal", + "RTUtf16BigToUtf8ExTag", + "RTUtf16BigToUtf8Tag", + "RTUtf16CalcUtf8Len", + "RTUtf16CalcUtf8LenEx", + "RTUtf16CatAscii", + "RTUtf16Cmp", + "RTUtf16CmpUtf8", + "RTUtf16CopyAscii", + "RTUtf16DupExTag", + "RTUtf16DupTag", + "RTUtf16End", + "RTUtf16Free", + "RTUtf16GetCpExInternal", + "RTUtf16GetCpInternal", + "RTUtf16ICmpAscii", + "RTUtf16IsValidEncoding", + "RTUtf16Len", + "RTUtf16LittleCalcUtf8Len", + "RTUtf16LittleCalcUtf8LenEx", + "RTUtf16LittleToUtf8ExTag", + "RTUtf16LittleToUtf8Tag", + "RTUtf16PurgeComplementSet", + "RTUtf16PutCpInternal", + "RTUtf16ReallocTag", + "RTUtf16ToUtf8ExTag", + "RTUtf16ToUtf8Tag", + "RTUtf16ValidateEncoding", + "RTUtf16ValidateEncodingEx", + "RTUuidClear", + "RTUuidCompare", + "RTUuidCompare2Strs", + "RTUuidCompareStr", + "RTUuidFromStr", + "RTUuidFromUtf16", + "RTUuidIsNull", + "RTUuidToStr", + "RTUuidToUtf16", + "SUPGetCpuHzFromGipForAsyncMode", + "SUPGetGIP", + "SUPGetTscDeltaSlow", + "SUPIsTscFreqCompatible", + "SUPIsTscFreqCompatibleEx", + "SUPR0BadContext", + "SUPR0ChangeCR4", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetCurrentGdtRw", + "SUPR0GetDefaultLogInstanceEx", + "SUPR0GetDefaultLogRelInstanceEx", + "SUPR0GetHwvirtMsrs", + "SUPR0GetKernelFeatures", + "SUPR0GetPagingMode", + "SUPR0GetSessionGVM", + "SUPR0GetSessionVM", + "SUPR0GetSvmUsability", + "SUPR0GetVTSupport", + "SUPR0GetVmxUsability", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0IoCtlCleanup", + "SUPR0IoCtlPerform", + "SUPR0IoCtlSetupForHandle", + "SUPR0LdrIsLockOwnerByMod", + "SUPR0LdrLock", + "SUPR0LdrModByName", + "SUPR0LdrModRelease", + "SUPR0LdrModRetain", + "SUPR0LdrUnlock", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + 
"SUPR0ObjVerifyAccess", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0PageProtect", + "SUPR0Printf", + "SUPR0QueryUcodeRev", + "SUPR0QueryVTCaps", + "SUPR0ResumeVTxOnCpu", + "SUPR0SetSessionVM", + "SUPR0SuspendVTxOnCpu", + "SUPR0TracerDeregisterDrv", + "SUPR0TracerDeregisterImpl", + "SUPR0TracerFireProbe", + "SUPR0TracerRegisterDrv", + "SUPR0TracerRegisterImpl", + "SUPR0TracerRegisterModule", + "SUPR0TracerUmodProbeFire", + "SUPR0TscDeltaMeasureBySetIndex", + "SUPR0UnlockMem", + "SUPReadTscWithDelta", + "SUPSemEventClose", + "SUPSemEventCreate", + "SUPSemEventGetResolution", + "SUPSemEventMultiClose", + "SUPSemEventMultiCreate", + "SUPSemEventMultiGetResolution", + "SUPSemEventMultiReset", + "SUPSemEventMultiSignal", + "SUPSemEventMultiWait", + "SUPSemEventMultiWaitNoResume", + "SUPSemEventMultiWaitNsAbsIntr", + "SUPSemEventMultiWaitNsRelIntr", + "SUPSemEventSignal", + "SUPSemEventWait", + "SUPSemEventWaitNoResume", + "SUPSemEventWaitNsAbsIntr", + "SUPSemEventWaitNsRelIntr", + "g_RTAsn1BitString_Vtable", + "g_RTAsn1Boolean_Vtable", + "g_RTAsn1Core_Vtable", + "g_RTAsn1DefaultAllocator", + "g_RTAsn1Integer_Vtable", + "g_RTAsn1Null_Vtable", + "g_RTAsn1ObjId_Vtable", + "g_RTAsn1OctetString_Vtable", + "g_RTAsn1SaferAllocator", + "g_RTAsn1String_Vtable", + "g_RTAsn1Time_Vtable", + "g_aRTUniLowerRanges", + "g_aRTUniUpperRanges", + "g_abRTZero16K", + "g_abRTZero32K", + "g_abRTZero4K", + "g_abRTZero64K", + "g_abRTZero8K", + "g_abRTZeroPage", + "g_pSUPGlobalInfoPage", + "g_pszRTAssertExpr", + "g_pszRTAssertFile", + "g_pszRTAssertFunction", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2", + "g_u32RTAssertLine" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "strchr", "IoDeleteDevice", "IoCreateDevice", - "KeBugCheckEx", "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", + "IofCompleteRequest", + "PsGetCurrentProcessId", + "PsGetCurrentThreadId", + 
"ObfDereferenceObject", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "ObQueryNameString", + "PsGetProcessImageFileName", + "ZwClose", + "PsGetProcessId", + "IoGetCurrentProcess", + "LpcPortObjectType", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "PsLookupProcessByProcessId", + "ZwQuerySystemInformation", + "ObReferenceObjectByName", + "PsGetProcessSessionId", + "PsThreadType", + "PsLookupThreadByThreadId", + "ObOpenObjectByPointer", + "PsProcessType", + "PsInitialSystemProcess", + "PsIsProcessBeingDebugged", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IoIs32bitProcess", + "ZwSetSystemInformation", + "ObfReferenceObject", + "ExGetPreviousMode", + "PsGetProcessInheritedFromUniqueProcessId", + "IoThreadToProcess", + "PsSetCreateProcessNotifyRoutine", + "DbgPrint", + "ZwRequestWaitReplyPort", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExUnregisterCallback", + "ExRegisterCallback", + "ExCreateCallback", + "RtlQueryRegistryValues", + "ZwReadFile", + "ZwQueryInformationFile", + "RtlEqualSid", + "ZwQuerySecurityObject", + "ZwQueryObject", + "ZwCreateFile", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "__chkstk", + "ZwQueryInformationThread", + "ZwQueryInformationProcess", + "KeSetTimerEx", + "KeInsertQueueDpc", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeInitializeDpc", + "KeInitializeTimer", + "KeQueryTimeIncrement", + "KeDelayExecutionThread", + "ZwYieldExecution", + "KeSetPriorityThread", + "PsCreateSystemThread", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeInitializeMutex", + "KeReleaseMutex", + "KeReadStateMutex", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeResetEvent", + "ProbeForRead", + "ProbeForWrite", + "MmHighestUserAddress", + "MmSystemRangeStart", + "KeNumberProcessors", + "ZwQueryDirectoryFile", + "MmIsAddressValid", + 
"MmUnmapIoSpace", + "MmUnlockPages", + "MmFreeContiguousMemory", + "IoFreeMdl", + "ExFreePool", + "MmUnmapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ExAllocatePool", + "MmProtectMdlSystemAddress", + "MmAllocateContiguousMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPages", + "IoBuildPartialMdl", + "MmGetPhysicalAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=CN, ST=Guangdong, L=Heyuan, O=No Organization Affiliation, OU=Individual Developer, CN=Huiping Zhong", + "ValidFrom": "2013-07-18 00:00:00", + "ValidTo": "2014-07-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Irvine, O=TOSHIBA AMERICA INFORMATION SYSTEMS, INC., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TOSHIBA AMERICA INFORMATION SYSTEMS, INC.", - "ValidFrom": "2006-11-30 00:00:00", - "ValidTo": "2010-01-29 23:59:59", - "Signature": "35f3925f76c3466b8c0daadad42eb075428bf02b75db96deb7707f1c83e412baede827abc43aa2ec558328ebdd68366e3b218e534ac5e9d1df82072d5256a2cd701f2bd3548a3c18cf5264763f06886720342754f9279d80d673e9f2b2637e470ad966c0fefcc280b24786dd8fbe2f36c5e4d64376fd5d92a86d27312afdf6f6694c2954a180da2d67eeda7f61f86118b7fec7d4ac4492896c151497239031ebfaa871f762f67eed10288530df1949b56799160071956db962d3bec37a6cdcbdae597a2c2299a6c07beb4746824bc4db989f9debabf682f36ed8597e3a1123267e0cb8ec2337daf0b0b5c03d6ac0167cca5ee4ff0c9cef4b0215801bd32c9cdb", + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "450d3382b4c87b8d7220cff8951f1aa2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "77769240d819a3f2eb2e7f8baffecd26", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] }, { - "Filename": "WinRing0.sys", - "MD5": "12cecc3c14160f32b21279c1a36b8338", - "SHA1": "7fb52290883a6b69a96d480f2867643396727e83", - "SHA256": "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84", - "Signature": [ - "Noriyuki MIYAZAKI", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "OpenLibSys.org", - "Description": "WinRing0", - "Product": "WinRing0", - "ProductVersion": "1.0.1.2", - "FileVersion": "1.0.1.2", - "MachineType": "AMD64", - "OriginalFilename": "WinRing0.sys", + "FileName": "VBoxDrv.sys", + "MD5": "e3bdb307b32b13b8f7e621e8d5cc8cd3", + "SHA1": "58fe23f1bb9d4bcc1b07b102222a7d776cc90f6c", + "SHA256": "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924", "Authentihash": { - "MD5": "650fa4b522e8d06d0cdfa4bf278e85f1", - "SHA1": "dfe2533a4398d67dfc722eb8d9f8ffa3a823a721", - "SHA256": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3" + "MD5": "eb532e54636f61b9af61f97d46ca8cae", + "SHA1": "018d626382f2453ef584b732e1e03ceab51e84db", + "SHA256": "6ab14c5c89759695dbb4b310b7cad68d9ec2007277e3b4f3abb883bd05ef557c" }, - "InternalName": "WinRing0.sys", - "Copyright": "Copyright (C) 2007 OpenLibSys.org. 
All rights reserved.", + "Description": "VirtualBox Support Driver", + "Company": "Sun Microsystems, Inc.", + "InternalName": "VBoxDrv.sys", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "2.2.0.r45846", + "Product": "Sun VirtualBox", + "ProductVersion": "2.2.0.r45846", + "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "AssertMsg1", + "AssertMsg2", + "RTAssertShouldPanic", + "RTErrConvertFromNtStatus", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCopyGroupsAndFlags", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDestroy", + "RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelDefaultInstance", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetDefaultInstance", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAlloc", + "RTMemAllocZ", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDup", + "RTMemDupEx", + "RTMemExecAlloc", + "RTMemExecFree", + "RTMemFree", + "RTMemRealloc", + "RTMemTmpAlloc", + "RTMemTmpAllocZ", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpGetCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnOthers", + "RTMpOnSpecific", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0Init", + 
"RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocCont", + "RTR0MemObjAllocLow", + "RTR0MemObjAllocPage", + "RTR0MemObjAllocPhys", + "RTR0MemObjAllocPhysNC", + "RTR0MemObjEnterPhys", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernel", + "RTR0MemObjLockUser", + "RTR0MemObjMapKernel", + "RTR0MemObjMapKernelEx", + "RTR0MemObjMapUser", + "RTR0MemObjReserveKernel", + "RTR0MemObjReserveUser", + "RTR0MemObjSize", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTSemEventCreate", + "RTSemEventDestroy", + "RTSemEventMultiCreate", + "RTSemEventMultiDestroy", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSpinlockAcquire", + "RTSpinlockAcquireNoInts", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTSpinlockReleaseNoInts", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptRestore", + "RTThreadSleep", + "RTThreadYield", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNow", + "RTTimeSystemMilliTS", + 
"RTTimeSystemNanoTS", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetPagingMode", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAlloc", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0UnlockMem", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", + "ObfDereferenceObject", + "ExUnregisterCallback", + "IofCompleteRequest", + "DbgPrint", + "IoIs32bitProcess", + "ExRegisterCallback", + "ExCreateCallback", "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", - "ValidFrom": "2007-09-24 10:50:55", - "ValidTo": "2008-09-24 10:50:55", - "Signature": 
"4b6c4ea808b550cbae0f97c27726a0445d0e3e021ee0e0087bfe5bbc290e3e45ca35333f2a97fb7667f64326629f7a99fe2fec4da9fe14f0d858419982b983457848fbd6a9115769db6c5626b4d2f87fc77019a755a9efdf81b1968dfbfa638bf87bd25a8adf1c6c3bba3735f06b54d127462ed40dc364ad4c4f29c9f9692b29ff9557300a7c0d395f250172e312ff253b7ce8885ef8c1fe60c448676180e4ca09b34b52ae116b01f22b446b827a748ca80aee5f8e9ff6725e1dce5a7984c26eb72a615a9ef272f6f7b2e03e6d34665caf506b93cb5a2de127177eb1923cf5bc499e312d6c43ff5a26124ea63a4dc9a3340daa6449c2322857adf98166423cfb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", - "ValidFrom": "2003-12-16 13:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", - "ValidFrom": "2007-02-05 09:00:00", - "ValidTo": "2014-01-27 09:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "01000000000115372421a8", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - }, - { - "Filename": "WinRing0.sys", - "MD5": "27bcbeec8a466178a6057b64bef66512", - "SHA1": "012db3a80faf1f7f727b538cbe5d94064e7159de", - "SHA256": "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062", - "Signature": [ - "EVGA", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "OpenLibSys.org", - "Description": "WinRing0", - "Product": "WinRing0", - "ProductVersion": "1.2.0.5", - "FileVersion": "1.2.0.5", - "MachineType": "AMD64", - "OriginalFilename": "WinRing0.sys", - "Authentihash": { - "MD5": "c4355451eccb590e5e6d817760d2d2ef", - "SHA1": "7aed8186977fcf7ee219da493baecdb95ec8040d", - "SHA256": "9305f0834e67aa16fb252bd30927e5f835639ef4b868f20d232260edffefd6f0" - 
}, - "InternalName": "WinRing0.sys", - "Copyright": "Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "IoCreateDevice", + "IoGetStackLimits", + "memchr", + "strncmp", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeWaitForSingleObject", + "KeResetEvent", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeDelayExecutionThread", + "ZwYieldExecution", + "ExFreePoolWithTag", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeSetImportanceDpc", + "KeInitializeDpc", + "ExAllocatePoolWithTag", + "KeQueryActiveProcessors", + "strchr", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "KeSetTimerEx", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", + "MmUnlockPages", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocatePagesForMdl", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2012-02-29 00:00:00", - "ValidTo": "2014-04-15 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows", + "ValidFrom": "2021-09-02 18:23:41", + "ValidTo": "2022-09-01 18:23:41", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft 
Windows Production PCA 2011", + "ValidFrom": "2011-10-19 18:41:42", + "ValidTo": "2026-10-19 18:51:42", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "26d7f5563eb3e42a81f7c715fcd2799d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" } ] } ] - } - ], - "Tags": [ - "WinRing0.sys" - ] - }, - { - "Id": "a845a05c-5357-4b78-9783-16b4d34b2cb0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create aswVmm.sys binPath=C:\\windows\\temp\\aswVmm.sys type=kernel && sc.exe start aswVmm.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/tanduRE/AvastHV", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "aswVmm.sys", - "MD5": "a5f637d61719d37a5b4868c385e363c0", - "SHA1": "34c85afe6d84cd3deec02c0a72e5abfa7a2886c3", - "SHA256": "36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10", - "Signature": [ - "AVAST Software", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "AVAST Software", - "Description": "avast! VM Monitor", - "Product": "avast! 
Antivirus", - "ProductVersion": "8.0.1497.376", - "FileVersion": "8.0.1497.376", - "MachineType": "I386", - "OriginalFilename": "aswVmm.sys", + "FileName": "VBoxDrv.sys", + "MD5": "443689645455987cb347154b391f734d", + "SHA1": "2fed7eddd63f10ed4649d9425b94f86140f91385", + "SHA256": "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada", "Authentihash": { - "MD5": "14260121e1984480cf6e7ec1adead3a3", - "SHA1": "bce48d80831090b849b7f0d2f9dffd36ec44d894", - "SHA256": "a2b0b2e9e458016b22ebbf47411008f0a87efd9103b125870ce37246ab5bdff0" + "MD5": "ed53ea124ed4c30df39c29a4f5b01182", + "SHA1": "2903352a4e038c68c044a48edebd118af7e80098", + "SHA256": "79e3b14b68f1fcf805ccfe7bc2dc81b98346d2e83a6335816b276970e2e2691a" }, - "InternalName": "aswVmm.sys", - "Copyright": "Copyright (c) 2013 AVAST Software", + "Description": "VirtualBox Support Driver", + "Company": "Sun Microsystems, Inc.", + "InternalName": "VBoxDrv.sys", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "2.2.4.r47978", + "Product": "Sun VirtualBox", + "ProductVersion": "2.2.4.r47978", + "Copyright": "Copyright (C) 2009 Sun Microsystems, Inc.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "AssertMsg1", + "AssertMsg2", + "RTAssertShouldPanic", + "RTErrConvertFromNtStatus", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCopyGroupsAndFlags", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDestroy", + "RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelDefaultInstance", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetDefaultInstance", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + 
"RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAlloc", + "RTMemAllocZ", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDup", + "RTMemDupEx", + "RTMemExecAlloc", + "RTMemExecFree", + "RTMemFree", + "RTMemRealloc", + "RTMemTmpAlloc", + "RTMemTmpAllocZ", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpGetCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnOthers", + "RTMpOnSpecific", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0Init", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocCont", + "RTR0MemObjAllocLow", + "RTR0MemObjAllocPage", + "RTR0MemObjAllocPhys", + "RTR0MemObjAllocPhysNC", + "RTR0MemObjEnterPhys", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernel", + "RTR0MemObjLockUser", + "RTR0MemObjMapKernel", + "RTR0MemObjMapKernelEx", + "RTR0MemObjMapUser", + "RTR0MemObjReserveKernel", + "RTR0MemObjReserveUser", + "RTR0MemObjSize", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTSemEventCreate", + "RTSemEventDestroy", + "RTSemEventMultiCreate", + "RTSemEventMultiDestroy", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + "RTSemFastMutexRequest", + "RTSpinlockAcquire", + "RTSpinlockAcquireNoInts", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTSpinlockReleaseNoInts", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + 
"RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptRestore", + "RTThreadSleep", + "RTThreadYield", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNow", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + "SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetPagingMode", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAlloc", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0UnlockMem", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "memcpy", "IoDeleteDevice", - "ZwClose", "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "ExDeleteResourceLite", - "IoReleaseRemoveLockAndWaitEx", - "KeCancelTimer", - "ExFreePoolWithTag", - "IoUnregisterShutdownNotification", - "KeSetTimerEx", - "KeInitializeDpc", - "KeInitializeTimerEx", - "IoCreateSymbolicLink", - "KeInitializeEvent", - 
"IoRegisterShutdownNotification", - "RtlAppendUnicodeToString", - "RtlCopyUnicodeString", - "ExAllocatePoolWithTag", - "ExInitializeResourceLite", - "IoAcquireRemoveLockEx", - "IoInitializeRemoveLockEx", - "IoIsWdmVersionAvailable", - "KeQueryActiveProcessors", - "InitSafeBootMode", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "_allrem", - "_alldiv", - "MmUnmapIoSpace", - "MmMapIoSpace", - "MmFreePagesFromMdl", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "IoReleaseRemoveLockEx", + "ObfDereferenceObject", + "ExUnregisterCallback", "IofCompleteRequest", - "KeLeaveCriticalRegion", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "KeEnterCriticalRegion", - "ExAcquireResourceSharedLite", - "IoFreeMdl", - "MmUnlockPages", - "MmProbeAndLockPages", - "IoAllocateMdl", - "RtlLookupElementGenericTableAvl", - "RtlDeleteElementGenericTableAvl", - "RtlInsertElementGenericTableAvl", - "_aullshr", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "RtlInitializeGenericTableAvl", - "RtlEnumerateGenericTableAvl", - "RtlIsGenericTableEmptyAvl", - "ZwOpenFile", - "_allshr", - "_allmul", - "MmIsAddressValid", - "MmGetSystemRoutineAddress", - "IoFreeWorkItem", - "PsGetProcessWin32Process", - "IoGetCurrentProcess", - "IoQueueWorkItem", - "IoAllocateWorkItem", - "MmAllocateContiguousMemorySpecifyCache", + "DbgPrint", + "IoIs32bitProcess", "ExRegisterCallback", "ExCreateCallback", - "ExUnregisterCallback", - "PsRemoveLoadImageNotifyRoutine", - "PsSetLoadImageNotifyRoutine", - "PsSetCreateProcessNotifyRoutine", - "KeResetEvent", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoGetStackLimits", + "memchr", + "strncmp", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", "KeSetEvent", - "MmGetPhysicalMemoryRanges", - "MmAllocatePagesForMdl", - "RtlCheckRegistryKey", - "RtlCompareUnicodeString", - "ZwCreateKey", - "ZwQueryValueKey", - "PsTerminateSystemThread", "KeWaitForSingleObject", - 
"KeSetSystemAffinityThread", - "KeSetPriorityThread", - "ObReferenceObjectByHandle", - "PsThreadType", - "PsCreateSystemThread", - "KeWaitForMultipleObjects", - "DbgPrint", - "MmFreeMappingAddress", - "MmAllocateMappingAddress", - "ProbeForRead", - "ExGetPreviousMode", - "KeTickCount", - "KeBugCheckEx", - "_allshl", - "memset", - "ObfDereferenceObject", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlUnwind", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwOpenKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwCreateSection", - "KfLowerIrql", - "KeGetCurrentIrql", - "KeRaiseIrqlToDpcLevel" + "KeResetEvent", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeDelayExecutionThread", + "ZwYieldExecution", + "ExFreePoolWithTag", + "KeInsertQueueDpc", + "KeSetTargetProcessorDpc", + "KeSetImportanceDpc", + "KeInitializeDpc", + "ExAllocatePoolWithTag", + "KeQueryActiveProcessors", + "strchr", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "KeSetTimerEx", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "MmUnmapIoSpace", + "MmUnlockPages", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocatePagesForMdl", + "__C_specific_handler", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + 
"MmMapLockedPagesSpecifyCache" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=Menlo Park, O=Sun Microsystems, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sun Microsystems, Inc.", + "ValidFrom": "2008-06-11 00:00:00", + "ValidTo": "2011-06-11 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -67658,480 +61569,616 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=CZ, ST=Praha, L=Praha 4, O=AVAST Software, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=AVAST Software", - "ValidFrom": "2011-01-31 00:00:00", - "ValidTo": "2014-01-30 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0dd6d671fe0364d43b632131417e7b3f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "693a64818c1e086b1b15aee63fa054a2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "aswVmm.sys" - ] - }, - { - "Id": "b45a3fdf-592a-4cd9-81e2-8fe03d554cad", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create windows7-32.sys binPath=C:\\windows\\temp\\windows7-32.sys type=kernel type=kernel && sc.exe start windows7-32.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "windows7-32.sys", - "SHA256": "4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "windows7-32.sys" - ] - }, - { - "Id": "3fb743b8-d3ed-4873-9c95-e212720dde21", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create Lurker.sys binPath=C:\\windows\\temp\\Lurker.sys type=kernel && sc.exe start Lurker.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Lurker.sys", - "SHA256": "0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "Lurker.sys" 
- ] - }, - { - "Id": "57f63efb-dc43-4dba-9413-173e3e4be750", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrSmartConnectDrv.sys binPath=C:\\windows\\temp\\AsrSmartConnectDrv.sys type=kernel && sc.exe start AsrSmartConnectDrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "AsrSmartConnectDrv.sys", - "MD5": "56a515173b211832e20fbc64e5a0447c", - "SHA1": "1d0df45ee3fa758f0470e055915004e6eae54c95", - "SHA256": "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "ASROCK Incorporation", - "Company": "RW-Everything", - "Description": "RW-Everything Read & Write Driver", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "RwDrv.sys", + "FileName": "VBoxDrv.sys", + "MD5": "6beb1d8146f5a4aaa2f7b8c0c9bced30", + "SHA1": "07f62d9b6321bed0008e106e9ce4240cb3f76da2", + "SHA256": "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40", "Authentihash": { - "MD5": "fc88782a34ab832abb9c04c63c76830b", - "SHA1": "a7bcabd8e465e5e1a0bad564d887a47f378dfdaa", - "SHA256": "f43d977a5fb1bdc10837e7c4ff03526d2b8fa9757da9dd8bd6514cd31748a858" + "MD5": "71bbd7b5164d35bc41d5a7f61a2d81f0", + "SHA1": "eec7692de436743eed432729fb620c5da3d5318f", + "SHA256": "1c9c86ba5ae540bb5729626cdaec89ca421f8129e4bbf6e1ea49c532b44ea0c9" }, - "InternalName": "RwDrv.sys", - 
"Copyright": "Copyright (C) 2008 RW-Everything", + "Description": "VirtualBox Support Driver", + "Company": "Vektor T13 Security Service", + "InternalName": "VBoxDrv", + "OriginalFilename": "VBoxDrv.sys", + "FileVersion": "1.4.0.119230", + "Product": "Antidetect 2019 Public", + "ProductVersion": "1.4.0.119230", + "Copyright": "Copyright (C) 2009-2019 Oracle Corporation", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "ASMAtomicBitClear", + "ASMAtomicXchgU16", + "ASMAtomicXchgU8", + "ASMGetCS", + "ASMGetDS", + "ASMGetES", + "ASMGetFS", + "ASMGetGS", + "ASMGetIDTR", + "ASMGetSS", + "ASMMultU64ByU32DivByU32", + "ASMNopPause", + "RTAssertAreQuiet", + "RTAssertMayPanic", + "RTAssertMsg1", + "RTAssertMsg1Weak", + "RTAssertMsg2AddV", + "RTAssertMsg2V", + "RTAssertMsg2Weak", + "RTAssertMsg2WeakV", + "RTAssertSetMayPanic", + "RTAssertSetQuiet", + "RTAssertShouldPanic", + "RTAvlPVDestroy", + "RTAvlPVDoWithAll", + "RTAvlPVGet", + "RTAvlPVGetBestFit", + "RTAvlPVInsert", + "RTAvlPVRemove", + "RTAvlPVRemoveBestFit", + "RTCrc32", + "RTCrc32Finish", + "RTCrc32Process", + "RTCrc32Start", + "RTErrConvertFromErrno", + "RTErrConvertFromNtStatus", + "RTErrConvertToErrno", + "RTErrInfoAdd", + "RTErrInfoAddF", + "RTErrInfoAddV", + "RTErrInfoSet", + "RTErrInfoSetF", + "RTErrInfoSetV", + "RTErrVarsAreEqual", + "RTErrVarsHaveChanged", + "RTErrVarsRestore", + "RTErrVarsSave", + "RTHandleTableAllocWithCtx", + "RTHandleTableCreate", + "RTHandleTableCreateEx", + "RTHandleTableDestroy", + "RTHandleTableFreeWithCtx", + "RTHandleTableLookupWithCtx", + "RTLatin1CalcUtf8Len", + "RTLatin1CalcUtf8LenEx", + "RTLatin1ToUtf8ExTag", + "RTLatin1ToUtf8Tag", + "RTLogClearFileDelayFlag", + "RTLogCloneRC", + "RTLogComPrintf", + "RTLogComPrintfV", + "RTLogCreate", + "RTLogCreateEx", + "RTLogCreateExV", + "RTLogDefaultInit", + "RTLogDefaultInstance", + "RTLogDefaultInstanceEx", + "RTLogDestinations", + "RTLogDestroy", + "RTLogDumpPrintfV", + 
"RTLogFlags", + "RTLogFlush", + "RTLogFlushRC", + "RTLogFlushToLogger", + "RTLogFormatV", + "RTLogGetDefaultInstance", + "RTLogGetDefaultInstanceEx", + "RTLogGetDestinations", + "RTLogGetFlags", + "RTLogGetGroupSettings", + "RTLogGroupSettings", + "RTLogLogger", + "RTLogLoggerEx", + "RTLogLoggerExV", + "RTLogLoggerV", + "RTLogPrintf", + "RTLogPrintfV", + "RTLogRelGetDefaultInstance", + "RTLogRelGetDefaultInstanceEx", + "RTLogRelLoggerV", + "RTLogRelPrintfV", + "RTLogRelSetBuffering", + "RTLogRelSetDefaultInstance", + "RTLogSetBuffering", + "RTLogSetCustomPrefixCallback", + "RTLogSetDefaultInstance", + "RTLogSetDefaultInstanceThread", + "RTLogWriteCom", + "RTLogWriteDebugger", + "RTLogWriteStdErr", + "RTLogWriteStdOut", + "RTLogWriteUser", + "RTMemAllocExTag", + "RTMemAllocTag", + "RTMemAllocVarTag", + "RTMemAllocZTag", + "RTMemAllocZVarTag", + "RTMemContAlloc", + "RTMemContFree", + "RTMemDupExTag", + "RTMemDupTag", + "RTMemExecAllocTag", + "RTMemExecFree", + "RTMemFree", + "RTMemFreeEx", + "RTMemReallocTag", + "RTMemTmpAllocTag", + "RTMemTmpAllocZTag", + "RTMemTmpFree", + "RTMpCpuId", + "RTMpCpuIdFromSetIndex", + "RTMpCpuIdToSetIndex", + "RTMpCurSetIndex", + "RTMpCurSetIndexAndId", + "RTMpGetArraySize", + "RTMpGetCount", + "RTMpGetCpuGroupCounts", + "RTMpGetMaxCpuGroupCount", + "RTMpGetMaxCpuId", + "RTMpGetOnlineCoreCount", + "RTMpGetOnlineCount", + "RTMpGetOnlineSet", + "RTMpGetPresentCoreCount", + "RTMpGetPresentCount", + "RTMpGetPresentSet", + "RTMpGetSet", + "RTMpIsCpuOnline", + "RTMpIsCpuPossible", + "RTMpIsCpuPresent", + "RTMpIsCpuWorkPending", + "RTMpNotificationDeregister", + "RTMpNotificationRegister", + "RTMpOnAll", + "RTMpOnAllIsConcurrentSafe", + "RTMpOnOthers", + "RTMpOnPair", + "RTMpOnPairIsConcurrentExecSupported", + "RTMpOnSpecific", + "RTMpPokeCpu", + "RTMpSetIndexFromCpuGroupMember", + "RTNetIPv4AddDataChecksum", + "RTNetIPv4AddTCPChecksum", + "RTNetIPv4AddUDPChecksum", + "RTNetIPv4FinalizeChecksum", + "RTNetIPv4HdrChecksum", + 
"RTNetIPv4IsDHCPValid", + "RTNetIPv4IsHdrValid", + "RTNetIPv4IsTCPSizeValid", + "RTNetIPv4IsTCPValid", + "RTNetIPv4IsUDPSizeValid", + "RTNetIPv4IsUDPValid", + "RTNetIPv4PseudoChecksum", + "RTNetIPv4PseudoChecksumBits", + "RTNetIPv4TCPChecksum", + "RTNetIPv4UDPChecksum", + "RTNetIPv6PseudoChecksum", + "RTNetIPv6PseudoChecksumBits", + "RTNetIPv6PseudoChecksumEx", + "RTNetTCPChecksum", + "RTNetUDPChecksum", + "RTOnceReset", + "RTOnceSlow", + "RTPowerNotificationDeregister", + "RTPowerNotificationRegister", + "RTPowerSignalEvent", + "RTProcSelf", + "RTR0AssertPanicSystem", + "RTR0Init", + "RTR0MemAreKrnlAndUsrDifferent", + "RTR0MemKernelCopyFrom", + "RTR0MemKernelCopyTo", + "RTR0MemKernelIsValidAddr", + "RTR0MemObjAddress", + "RTR0MemObjAddressR3", + "RTR0MemObjAllocContTag", + "RTR0MemObjAllocLowTag", + "RTR0MemObjAllocPageTag", + "RTR0MemObjAllocPhysExTag", + "RTR0MemObjAllocPhysNCTag", + "RTR0MemObjAllocPhysTag", + "RTR0MemObjEnterPhysTag", + "RTR0MemObjFree", + "RTR0MemObjGetPagePhysAddr", + "RTR0MemObjIsMapping", + "RTR0MemObjLockKernelTag", + "RTR0MemObjLockUserTag", + "RTR0MemObjMapKernelExTag", + "RTR0MemObjMapKernelTag", + "RTR0MemObjMapUserTag", + "RTR0MemObjProtect", + "RTR0MemObjReserveKernelTag", + "RTR0MemObjReserveUserTag", + "RTR0MemObjSize", + "RTR0MemUserCopyFrom", + "RTR0MemUserCopyTo", + "RTR0MemUserIsValidAddr", + "RTR0ProcHandleSelf", + "RTR0Term", + "RTR0TermForced", + "RTSemEventCreate", + "RTSemEventCreateEx", + "RTSemEventDestroy", + "RTSemEventGetResolution", + "RTSemEventMultiCreate", + "RTSemEventMultiCreateEx", + "RTSemEventMultiDestroy", + "RTSemEventMultiGetResolution", + "RTSemEventMultiReset", + "RTSemEventMultiSignal", + "RTSemEventMultiWait", + "RTSemEventMultiWaitEx", + "RTSemEventMultiWaitExDebug", + "RTSemEventMultiWaitNoResume", + "RTSemEventSignal", + "RTSemEventWait", + "RTSemEventWaitEx", + "RTSemEventWaitExDebug", + "RTSemEventWaitNoResume", + "RTSemFastMutexCreate", + "RTSemFastMutexDestroy", + "RTSemFastMutexRelease", + 
"RTSemFastMutexRequest", + "RTSemMutexCreate", + "RTSemMutexCreateEx", + "RTSemMutexDestroy", + "RTSemMutexIsOwned", + "RTSemMutexRelease", + "RTSemMutexRequest", + "RTSemMutexRequestDebug", + "RTSemMutexRequestNoResume", + "RTSemMutexRequestNoResumeDebug", + "RTSemSpinMutexCreate", + "RTSemSpinMutexDestroy", + "RTSemSpinMutexRelease", + "RTSemSpinMutexRequest", + "RTSemSpinMutexTryRequest", + "RTSpinlockAcquire", + "RTSpinlockCreate", + "RTSpinlockDestroy", + "RTSpinlockRelease", + "RTStrAAppendNTag", + "RTStrAAppendTag", + "RTStrATruncateTag", + "RTStrAllocExTag", + "RTStrAllocTag", + "RTStrCalcLatin1Len", + "RTStrCalcLatin1LenEx", + "RTStrCalcUtf16Len", + "RTStrCalcUtf16LenEx", + "RTStrCat", + "RTStrConvertHexBytes", + "RTStrCopy", + "RTStrCopyEx", + "RTStrCopyP", + "RTStrDupExTag", + "RTStrDupNTag", + "RTStrDupTag", + "RTStrFormat", + "RTStrFormatNumber", + "RTStrFormatTypeDeregister", + "RTStrFormatTypeRegister", + "RTStrFormatTypeSetUser", + "RTStrFormatV", + "RTStrFree", + "RTStrGetCpExInternal", + "RTStrGetCpInternal", + "RTStrGetCpNExInternal", + "RTStrIsValidEncoding", + "RTStrNCmp", + "RTStrPrevCp", + "RTStrPrintf", + "RTStrPrintfEx", + "RTStrPrintfExV", + "RTStrPrintfV", + "RTStrPurgeComplementSet", + "RTStrPurgeEncoding", + "RTStrPutCpInternal", + "RTStrReallocTag", + "RTStrToInt16", + "RTStrToInt16Ex", + "RTStrToInt16Full", + "RTStrToInt32", + "RTStrToInt32Ex", + "RTStrToInt32Full", + "RTStrToInt64", + "RTStrToInt64Ex", + "RTStrToInt64Full", + "RTStrToInt8", + "RTStrToInt8Ex", + "RTStrToInt8Full", + "RTStrToLatin1ExTag", + "RTStrToLatin1Tag", + "RTStrToUInt16", + "RTStrToUInt16Ex", + "RTStrToUInt16Full", + "RTStrToUInt32", + "RTStrToUInt32Ex", + "RTStrToUInt32Full", + "RTStrToUInt64", + "RTStrToUInt64Ex", + "RTStrToUInt64Full", + "RTStrToUInt8", + "RTStrToUInt8Ex", + "RTStrToUInt8Full", + "RTStrToUni", + "RTStrToUniEx", + "RTStrToUtf16BigExTag", + "RTStrToUtf16BigTag", + "RTStrToUtf16ExTag", + "RTStrToUtf16Tag", + "RTStrUniLen", + "RTStrUniLenEx", + 
"RTStrValidateEncoding", + "RTStrValidateEncodingEx", + "RTTermDeregisterCallback", + "RTTermRegisterCallback", + "RTTermRunCallbacks", + "RTThreadCreate", + "RTThreadCreateF", + "RTThreadCreateV", + "RTThreadCtxHookCreate", + "RTThreadCtxHookDestroy", + "RTThreadCtxHookDisable", + "RTThreadCtxHookEnable", + "RTThreadCtxHookIsEnabled", + "RTThreadFromNative", + "RTThreadGetName", + "RTThreadGetNative", + "RTThreadGetType", + "RTThreadIsInInterrupt", + "RTThreadIsInitialized", + "RTThreadIsMain", + "RTThreadIsSelfAlive", + "RTThreadIsSelfKnown", + "RTThreadNativeSelf", + "RTThreadPreemptDisable", + "RTThreadPreemptIsEnabled", + "RTThreadPreemptIsPending", + "RTThreadPreemptIsPendingTrusty", + "RTThreadPreemptIsPossible", + "RTThreadPreemptRestore", + "RTThreadSelf", + "RTThreadSelfName", + "RTThreadSetName", + "RTThreadSetType", + "RTThreadSleep", + "RTThreadUserReset", + "RTThreadUserSignal", + "RTThreadUserWait", + "RTThreadUserWaitNoResume", + "RTThreadWait", + "RTThreadWaitNoResume", + "RTThreadYield", + "RTTimeExplode", + "RTTimeFromString", + "RTTimeImplode", + "RTTimeIsLeapYear", + "RTTimeMilliTS", + "RTTimeNanoTS", + "RTTimeNormalize", + "RTTimeNow", + "RTTimeSpecFromString", + "RTTimeSpecToString", + "RTTimeSystemMilliTS", + "RTTimeSystemNanoTS", + "RTTimeToString", + "RTTimerCanDoHighResolution", + "RTTimerChangeInterval", + "RTTimerCreate", + "RTTimerCreateEx", + "RTTimerDestroy", + "RTTimerGetSystemGranularity", + "RTTimerReleaseSystemGranularity", + "RTTimerRequestSystemGranularity", + "RTTimerStart", + "RTTimerStop", + "RTUuidClear", + "RTUuidCompare", + "RTUuidCompare2Strs", + "RTUuidCompareStr", + "RTUuidFromStr", + "RTUuidFromUtf16", + "RTUuidIsNull", + "RTUuidToStr", + "RTUuidToUtf16", + "SUPGetCpuHzFromGipForAsyncMode", + "SUPGetGIP", + "SUPGetTscDeltaSlow", + "SUPIsTscFreqCompatible", + "SUPIsTscFreqCompatibleEx", + "SUPR0BadContext", + "SUPR0ChangeCR4", + "SUPR0ComponentDeregisterFactory", + "SUPR0ComponentQueryFactory", + 
"SUPR0ComponentRegisterFactory", + "SUPR0ContAlloc", + "SUPR0ContFree", + "SUPR0EnableVTx", + "SUPR0GetCurrentGdtRw", + "SUPR0GetKernelFeatures", + "SUPR0GetPagingMode", + "SUPR0GetSessionGVM", + "SUPR0GetSessionVM", + "SUPR0GetSvmUsability", + "SUPR0GetVmxUsability", + "SUPR0GipMap", + "SUPR0GipUnmap", + "SUPR0LockMem", + "SUPR0LowAlloc", + "SUPR0LowFree", + "SUPR0MemAlloc", + "SUPR0MemFree", + "SUPR0MemGetPhys", + "SUPR0ObjAddRef", + "SUPR0ObjAddRefEx", + "SUPR0ObjRegister", + "SUPR0ObjRelease", + "SUPR0ObjVerifyAccess", + "SUPR0PageAllocEx", + "SUPR0PageFree", + "SUPR0PageMapKernel", + "SUPR0PageProtect", + "SUPR0Printf", + "SUPR0QueryUcodeRev", + "SUPR0QueryVTCaps", + "SUPR0ResumeVTxOnCpu", + "SUPR0SetSessionVM", + "SUPR0SuspendVTxOnCpu", + "SUPR0TracerDeregisterDrv", + "SUPR0TracerDeregisterImpl", + "SUPR0TracerFireProbe", + "SUPR0TracerRegisterDrv", + "SUPR0TracerRegisterImpl", + "SUPR0TracerRegisterModule", + "SUPR0TracerUmodProbeFire", + "SUPR0TscDeltaMeasureBySetIndex", + "SUPR0UnlockMem", + "SUPReadTscWithDelta", + "SUPSemEventClose", + "SUPSemEventCreate", + "SUPSemEventGetResolution", + "SUPSemEventMultiClose", + "SUPSemEventMultiCreate", + "SUPSemEventMultiGetResolution", + "SUPSemEventMultiReset", + "SUPSemEventMultiSignal", + "SUPSemEventMultiWait", + "SUPSemEventMultiWaitNoResume", + "SUPSemEventMultiWaitNsAbsIntr", + "SUPSemEventMultiWaitNsRelIntr", + "SUPSemEventSignal", + "SUPSemEventWait", + "SUPSemEventWaitNoResume", + "SUPSemEventWaitNsAbsIntr", + "SUPSemEventWaitNsRelIntr", + "g_pSUPGlobalInfoPage", + "g_pszRTAssertExpr", + "g_pszRTAssertFile", + "g_pszRTAssertFunction", + "g_szRTAssertMsg1", + "g_szRTAssertMsg2", + "g_u32RTAssertLine" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", - "RtlInitUnicodeString", + "strchr", "IoDeleteDevice", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - 
"IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", - "IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - 
"Signature": "e457550022e1dc5fe5a4f5162ea4664b819458f2359662f932d0d95e5ea6fd9ddafef2e213e9b4a46fa9acd6d5a07919479d127beb7ec1c11f0bc376b8ebfa7f815ec4f9b97646c2297359d2d8fda71a21143f33696ca8f3e1f830ef73cddea63b38fe440779ac5ef4885c3e5158183efbd50ecac394edbe86ad65c8245bf56719cd0dd5a13b2baad92c65ab6b2fbfc7aad423fc082e067d6080a3fbc634e58361bb6aa25ef376c78795d025f425faf64d8771549f3f7acfa1a55d4d7c4d8da57cd78411925d37a515cccbd1f978fb26abd268b80ff67b64bd4262e63b04d4015c8af232d9f117bfcec950c5612adbbcd70106d5712f5c70c131fbd19db21e6c", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "AsrSmartConnectDrv.sys" - ] - }, - { - "Id": "45f2c348-bf17-40ab-8306-ef14231cc996", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create WinIO32B.sys 
binPath=C:\\windows\\temp\\WinIO32B.sys type=kernel && sc.exe start WinIO32B.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WinIO32B.sys", - "SHA1": "f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "WinIO32B.sys" - ] - }, - { - "Id": "a5792a63-ba77-44ac-bd4a-134b24b01033", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create 1.sys binPath=C:\\windows\\temp\\1.sys type=kernel && sc.exe start 1.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "1.sys", - "SHA256": "64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57", - "Signature": [], - "Date": "", - "Publisher": "", - 
"Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "1.sys" - ] - }, - { - "Id": "5af9abf0-d8de-4e9b-8141-e9e97a31901a", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrDrv102.sys binPath=C:\\windows\\temp\\AsrDrv102.sys type=kernel && sc.exe start AsrDrv102.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsrDrv102.sys", - "MD5": "76bb1a4332666222a8e3e1339e267179", - "SHA1": "9923c8f1e565a05b3c738d283cf5c0ed61a0b90f", - "SHA256": "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "AsrDrv.sys", - "Authentihash": { - "MD5": "c36c748b4297cedfdc5f38de22a40b5a", - "SHA1": "5f9c7d3552ffa98c9dcf9a9b7ad1263d2ab24a2f", - "SHA256": "11eecf9e6e2447856ed4cf86ee1cb779cfe0672c808bbd5934cf2f09a62d6170" - }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", 
"RtlInitUnicodeString", - "IoDeleteDevice", + "ObfDereferenceObject", + "ExUnregisterCallback", + "IofCompleteRequest", + "__C_specific_handler", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IoIs32bitProcess", + "ZwSetSystemInformation", + "ExRegisterCallback", + "ExCreateCallback", + "MmGetSystemRoutineAddress", "RtlQueryRegistryValues", + "DbgPrint", + "KeSetTimerEx", + "KeInsertQueueDpc", + "KeRemoveQueueDpc", + "KeCancelTimer", + "KeSetImportanceDpc", + "KeInitializeDpc", + "KeInitializeTimerEx", + "KeQueryTimeIncrement", + "KeDelayExecutionThread", + "ZwYieldExecution", + "KeSetPriorityThread", + "KeWaitForSingleObject", + "ZwClose", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "KeInitializeMutex", + "KeReleaseMutex", + "KeReadStateMutex", + "KeInitializeEvent", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeSetEvent", + "KeResetEvent", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "ProbeForRead", + "ProbeForWrite", + "MmHighestUserAddress", + "MmSystemRangeStart", + "KeSetTargetProcessorDpc", + "KeNumberProcessors", + "PsGetVersion", + "MmIsAddressValid", "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", "MmUnlockPages", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmFreePagesFromMdl", + "MmUnsecureVirtualMemory", + "MmUnmapLockedPages", + "MmProtectMdlSystemAddress", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmAllocateContiguousMemorySpecifyCache", + "MmAllocatePagesForMdl", + "MmSecureVirtualMemory", + "MmProbeAndLockPages", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "CN=Vektor T13 Technology", + "ValidFrom": "2018-08-10 07:42:52", + "ValidTo": "2039-12-31 23:59:59", + "Signature": "4819acb135277102eb22d1ebf53707b6651b1dac668cbe264acefb52a0567dee778627ae98f2f8a69142e210ed9a585a826bea9339108f6cc8567a8a0d3b471dde8e932b4d7b466e657e0592faa7578e548c1d1f3b746190fac243e75735ad18bb9cf901d94d92ed4bfbe7729d439bdd300a6cb5fb75d17364033f92a8d15398", + "SignatureAlgorithmOID": "1.3.14.3.2.29" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2014-03-07 00:00:00", - "ValidTo": "2017-05-05 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "4d87df1b3d1e239b405dc85d0a0bad22", + "Issuer": "CN=Vektor T13 Technology" } ] } 
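Review bot: The new VBoxDrv.sys sample gives `ExportedFunctions` as an array (the `+ "ExportedFunctions": [` block right after its `Imports` list), while other records on the new side keep the string form `"ExportedFunctions": ""` (a context line in the later `@@ -68183,22 +62273,20 @@` hunk), and the same key-type drift appears for `Signature` (`[]` for full.sys versus `""` for mJj0ge.sys in the `@@ -68139,27 +62186,70 @@` hunk) and for `CertificatesInfo`, which this commit flips from `""` to `[]`. A consumer that decodes these keys into a fixed slice type will fail on the string-valued records (Go's encoding/json rejects a JSON string where it expects `[]string`), so either normalize the empty-string cases to `[]` when this file is refreshed or decode them through `json.RawMessage` or a custom unmarshaller that accepts both shapes. The same sample also spells the key `"FileName"` where every other sample in the hunk uses `"Filename"`; encoding/json matches field names case-insensitively so a Go struct would presumably still populate it, but a case-sensitive consumer or a schema check would see a missing filename. Since this file appears to be a verbatim copy of the upstream dataset, the fix likely belongs in the importer or the decoding type rather than in hand edits to this JSON.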
@@ -68139,27 +62186,70 @@ } ], "Tags": [ - "AsrDrv102.sys" - ] + "VBoxDrv.sys" + ], + "yara": true }, { - "Id": "1bf3b155-752a-4cc7-beb0-f202e525eb1a", + "Id": "ddbd60c3-0611-4a59-894d-aec84203906f", "Author": "Michael Haag", - "Created": "2023-02-28", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create full.sys binPath=C:\\windows\\temp\\full.sys type=kernel && sc.exe start full.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "full.sys", + "SHA1": "4b8c0445075f09aeef542ab1c86e5de6b06e91a3", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "full.sys" + ], + "yara": false + }, + { + "Id": "412f4aaf-5525-458c-b87e-311e504b856d", + "Author": "Guus Verbeek", + "Created": "2023-05-07", "MitreID": "T1068", "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create daxin_blank1.sys binPath=C:\\windows\\temp\\daxin_blank1.sys type=kernel && sc.exe start daxin_blank1.sys", - "Description": "Driver used in the Daxin malware campaign.", + "Command": "sc.exe create mJj0ge.sys binPath=C:\\windows\\temp\\mJj0ge.sys type=kernel && sc.exe start mJj0ge.sys", + "Description": "The criminals signed their AV-killer malware, closely related to one known as BURNTCIGAR, 
with a legitimate WHCP certificate", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" ], "Acknowledgement": { "Person": "", @@ -68168,13 +62258,13 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "daxin_blank1.sys", - "MD5": "a6e9d6505f6d2326a8a9214667c61c67", - "SHA1": "cb3f30809b05cf02bc29d4a7796fb0650271e542", - "SHA256": "5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae", - "Signature": "A certificate was explicitly revoked by its issuer.", - "Date": "4:05 AM 2/6/2021", - "Publisher": "Fuqing Yuntan Network Tech Co.,Ltd.", + "Filename": "mJj0ge.sys", + "MD5": "3d0b3e19262099ade884b75ba86ca7e8", + "SHA1": "0883a9c54e8442a551994989db6fc694f1086d41", + "SHA256": "5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b", + "Signature": "", + "Date": "", + "Publisher": "", "Company": "", "Description": "", "Product": "", @@ -68183,22 +62273,20 @@ "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "7c9b3308f3eb98dd7ddb59b2f6b14656", - "SHA1": "6a9693e262ea82a33b6caee0426512f944366577", - "SHA256": "389d04a947be32b43eab5767f548fc193e9ac5fe5225a3b6dc26ddc80c326d7d" + "MD5": "83f21305be7f7633dd4c48cf1d523ad9", + "SHA1": "707122f1d7cac4419bd5e5d2da1eb947852d38c0", + "SHA256": "a720c9a95ab33b29c19fc37fed2b4d2079a2e4b9bd861d406043bd6010fc4d71" }, "InternalName": "", "Copyright": "", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "_stricmp", - "NdisDeregisterProtocol", + "rand", "ExAllocatePool", "NtQuerySystemInformation", "ExFreePoolWithTag", 
@@ -68219,10 +62307,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=CN, ST=Fuzhou, L=Fuqing, O=Fuqing Yuntan Network Tech Co.,Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Fuqing Yuntan Network Tech Co.,Ltd.", - "ValidFrom": "2013-04-09 00:00:00", - "ValidTo": "2014-04-09 23:59:59", - "Signature": "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", + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Beijing JoinHope Image Technology Ltd., CN=Beijing JoinHope Image Technology Ltd.", + "ValidFrom": "2014-05-16 00:00:00", + "ValidTo": "2015-05-16 23:59:59", + "Signature": "e896f8811ed9938fcbdc8c37f8c029045bb36722791c608d7d59f1d50b9e8923777b3ce973553c8164d7445f038c3720516d74f2f95fd734cd1349c1e6cf17f1c9042f069fb94350f7cd8f36f676fd175742d32adbc5d143423e3bc38bea71f9d021110303529d578ba7aab16d53c61642cf1f7e16964718a083182429d4347a09ea0047d9e53bad112ca5a5a14a180539ceb64000a677709bb70e9e3aea68158977072e7f130f1f99b08c2593b4003523f3f6cd441a7e4d8e88f3a2b871e6a03627dd3dadd97487df1dc5b93119ec65b60d1e4e0248a1978ee7480c08b8b8e54d890e7941aa852cf65d731cf0a6cf66584a0d0fba70d6697ee22a8d859919f4", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -68242,7 +62330,7 @@ ], "Signer": [ { - "SerialNumber": "516ceb03f17e10c24b45ffb6336e5915", + "SerialNumber": "0a005d2e2bcd4137168217d8c727747c", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -68251,26 +62339,27 @@ } ], "Tags": [ - "daxin_blank1.sys" - ] + "mJj0ge.sys" + ], + "yara": false }, { - "Id": "32ccd436-eb13-4ab3-83d4-3e5471f4e364", + "Id": "b45a3fdf-592a-4cd9-81e2-8fe03d554cad", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create AsrDrv103.sys binPath=C:\\windows\\temp\\AsrDrv103.sys type=kernel && sc.exe start AsrDrv103.sys", + "Command": "sc.exe create windows7-32.sys binPath=C:\\windows\\temp\\windows7-32.sys type=kernel type=kernel && sc.exe start windows7-32.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
@@ -68279,91 +62368,123 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "AsrDrv103.sys", - "MD5": "7c72a7e1d42b0790773efd8700e24952", - "SHA1": "15d1a6a904c8409fb47a82aefa42f8c3c7d8c370", - "SHA256": "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], + "Filename": "windows7-32.sys", + "SHA256": "4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8", + "Signature": [], "Date": "", "Publisher": "", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "windows7-32.sys" + ], + "yara": false + }, + { + "Id": "24fb7bab-b8c3-46ea-a370-c84d2f0ff614", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ADV64DRV.sys binPath=C:\\windows\\temp\\ADV64DRV.sys type=kernel && sc.exe start ADV64DRV.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "BlockRule", + "value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules" + }, + { + "type": "IOC", + "value": "Utilize Windows Event Code 7045 to monitor for new kernel driver installation." 
+ }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ADV64DRV.sys", + "MD5": "778b7feea3c750d44745d3bf294bd4ce", + "SHA1": "2261198385d62d2117f50f631652eded0ecc71db", + "SHA256": "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162", + "Signature": [ + "FUJITSU LIMITED ", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "01:30 AM 08/29/2006", + "Publisher": "FUJITSU LIMITED", + "Company": "FUJITSU LIMITED.", + "Description": "", + "Product": "MicrosoftR WindowsR Operating System", + "ProductVersion": "2, 0, 0, 0", + "FileVersion": "2, 0, 0, 0", "MachineType": "AMD64", - "OriginalFilename": "AsrDrv.sys", + "OriginalFilename": "ADV64DRV.sys", "Authentihash": { - "MD5": "bb59340eceecb279389290775536523a", - "SHA1": "b3410021ea5a46818d9ff05a96c2809a9abe8e4a", - "SHA256": "b6bf2460e023b1005cc60e107b14a3cfdf9284cc378a086d92e5dcdf6e432e2c" + "MD5": "e1c188570d8720f9c35e194e17a7fd36", + "SHA1": "ca6b0d932e5ac9dbe1242aca48ba93a14cf9d151", + "SHA256": "b2b37ef379ada79d2abe78375312bfcd4b518139bc525a522c2a6329ba097cc4" }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock 
Incorporation", + "InternalName": "ADV64DRV.sys", + "Copyright": "Copyright(C) FUJITSU LIMITED 2005", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "cng.sys" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "RtlInitUnicodeString", "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", - "IoCreateSymbolicLink", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", + "IoWriteErrorLogEntry", + "IoDeleteSymbolicLink", "IoDeleteDevice", - "MmGetSystemRoutineAddress", + "IoCreateSymbolicLink", "IoCreateDevice", - "ZwClose", - "ObOpenObjectByPointer", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "RtlInitUnicodeString", - "MmFreeContiguousMemorySpecifyCache", - "ExFreePoolWithTag", - "IoDeleteSymbolicLink", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor", - "BCryptCloseAlgorithmProvider", - "BCryptGenerateSymmetricKey", - "BCryptOpenAlgorithmProvider", - "BCryptDecrypt", - "BCryptDestroyKey" + "KeBugCheckEx", + "IoAllocateErrorLogEntry", + "IofCompleteRequest", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -68371,24 +62492,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": 
"877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -68399,24 +62520,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2014-03-07 00:00:00", - "ValidTo": "2017-05-05 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=JP, ST=Kanagawa, L=Kawasaki, O=FUJITSU LIMITED , OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Personal Systems Business Unit, CN=FUJITSU LIMITED ", + "ValidFrom": "2006-05-31 00:00:00", + "ValidTo": "2007-06-01 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "6b7f98e2e421c2f95c47f321abf1aef1", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -68424,17 +62538,90 @@ } ], "Tags": [ - "AsrDrv103.sys" - ] + "ADV64DRV.sys" + ], + "yara": true }, { - "Id": "13637210-2e1c-45a4-9f76-fe38c3c34264", + "Id": "4137ecf0-05e7-463a-94da-47b7259d4433", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create 81.sys binPath=C:\\windows\\temp\\81.sys type=kernel && sc.exe start 81.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "81.sys", + "SHA1": "faa870b0cb15c9ac2b9bba5d0470bd501ccd4326", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "81.sys", + "SHA1": "aca8e53483b40a06dfdee81bb364b1622f9156fe", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "81.sys", + "SHA1": "05ac1c64ca16ab0517fe85d4499d08199e63df26", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "81.sys" + ], + "yara": false + }, + { + "Id": "2d7c96d3-2d6c-44cd-a8a1-5239f571a24a", "Author": "Nasreddine 
Bencherchali", "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create HpPortIox64.sys binPath=C:\\windows\\temp\\HpPortIox64.sys type=kernel && sc.exe start HpPortIox64.sys", + "Commands": "sc.exe create HW.sys binPath=C:\\windows\\temp\\HW.sys type=kernel && sc.exe start HW.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -68446,26 +62633,47 @@ "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "HpPortIox64.sys", - "MD5": "7b9e1e5e8ff4f18f84108bb9f7b5d108", - "SHA1": "a59006308c4b5d33bb8f34ac6fb16701814fb8dc", - "SHA256": "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9", + "FileName": "HW.sys", + "MD5": "3cf7a55ec897cc938aebb8161cb8e74f", + "SHA1": "22fc833e07dd163315095d32ebcd3b3e377c33a4", + "SHA256": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", "Authentihash": { - "MD5": "554fb2c6b328efeef850104fec12899c", - "SHA1": "12eb825418a932b1e4c6697dc7647e89ae52cf3f", - "SHA256": "4582adb2e67eebaff755ae740c1f24bc3af78e0f28e8e8decb99f86bf155ab23" + "MD5": "22db74f3f2e50ccdeb471c81e3a62532", + "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", + "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" }, - "Description": "HpPortIo", - "Company": "HP Inc.", - "InternalName": "HpPortIox64.sys", - "OriginalFilename": "HpPortIox64.sys", - "FileVersion": "1.0.0.0", - "Product": "HpPortIo", - "ProductVersion": "1.0.0.0", - "Copyright": "", + "Description": "HW 
- Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", + "Company": "Marvin Test Solutions, Inc.", + "InternalName": "Hw.sys", + "OriginalFilename": "HW.sys", + "FileVersion": "4.8.2.0", + "Product": "HW", + "ProductVersion": "4.8.2.0", + "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. All Rights Reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -68473,43 +62681,100 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", "RtlInitUnicodeString", + "RtlAppendUnicodeStringToString", + "ZwClose", + "ZwOpenProcess", + "KeReleaseMutex", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "KeInitializeDpc", + "MmGetSystemRoutineAddress", + "IoDeleteDevice", "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", + "PsGetVersion", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ExFreePoolWithTag", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "IoGetDeviceProperty", + "KeInitializeEvent", + "ObfDereferenceObject", + "ExAllocatePoolWithTag", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IofCompleteRequest", + "IoDisconnectInterrupt", + "KeReleaseInterruptSpinLock", + "KeAcquireInterruptSpinLock", + "ExEventObjectType", + "KeFlushQueuedDpcs", + "KeInsertQueueDpc", + "KeSetEvent", + "IoFreeMdl", + "ExAllocatePool", "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", - "ValidFrom": "2019-05-07 00:00:00", - "ValidTo": "2020-05-11 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": 
"4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "6a0eff7e137c06a54bc02e8cf9536409e2ba58913050eccc9fe1d3a82f4846361829d078285f9856400f1ebabdb13b875cdc5bd8200ded1a164dd51124214bf127699013eb11a101dafdb54e795975bd382a6ac3f68e412b8aa28bd72c5151d99ca0c8e34eba6ca847d24ed1681f8c02573bb3296a8e6a202ab9f2006264bac8e900f9cca4d4ba9a35d8af2c656c167c5821de4a30d0faeb245d06c99d16b7ad4a45d325e20cf040aa5c4dac7ecd0682b976466908d832b682fee3a95834431b8e6767973f6831163638953e87f7c7c3af9d7a7719d9de93b5fd6e2bfc94f93db74c12352c30bee88d9e05709a4813f48cd6e71eac38e7a8f3ad0cb77aec67ed", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test 
Solutions, Inc., emailAddress=it@marvintest.com", + "ValidFrom": "2015-06-17 17:46:36", + "ValidTo": "2018-05-04 18:44:13", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "09e002ed55ebc92b8a799574f80069fd", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } 
@@ -68517,27 +62782,27 @@ } ], "Tags": [ - "HpPortIox64.sys" - ] + "HW.sys" + ], + "yara": true }, { - "Id": "0590655c-baa2-481a-b909-463534bd7a5e", + "Id": "19897aed-9be8-4111-a7d8-35618b9d75b3", "Author": "Michael Haag", - "Created": "2023-02-28", + "Created": "2023-01-09", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create daxin_blank5.sys binPath=C:\\windows\\temp\\daxin_blank5.sys type=kernel && sc.exe start daxin_blank5.sys", - "Description": "Driver used in the Daxin malware campaign.", + "Command": "sc.exe create smep_capcom.sys binPath=C:\\windows\\temp\\smep_capcom.sys type=kernel && sc.exe start smep_capcom.sys", + "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", 
@@ -68546,188 +62811,226 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "daxin_blank5.sys", - "MD5": "f242cffd9926c0ccf94af3bf16b6e527", - "SHA1": "53f776d9a183c42b93960b270dddeafba74eb3fb", - "SHA256": "9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51", - "Signature": "Unsigned", - "Date": "1:29 AM 7/18/2008", - "Publisher": "n/a", + "Filename": "smep_capcom.sys", + "MD5": "f406c5536bcf9bacbeb7ce8a3c383bfa", + "SHA1": "21edff2937eb5cd6f6b0acb7ee5247681f624260", + "SHA256": "db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004", + "Signature": [ + "CAPCOM Co.,Ltd.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "I386", + "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "da0d70a9fd3a61a2802af4a07bed29d4", - "SHA1": "99a969b2deded8b2d403268cd49139463c06b484", - "SHA256": "954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6" + "MD5": "37458813b5115cbf06552da28fefbbbb", + "SHA1": "1d1cafc73c97c6bcd2331f8777d90fdca57125a3", + "SHA256": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4" }, "InternalName": "", "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "NDIS.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnlockPages", - "KeInsertQueueApc", - "strncmp", - "KeInitializeApc", - "MmProbeAndLockPages", - "IoAllocateMdl", - "_except_handler3", - "IoQueueWorkItem", - "KeAttachProcess", - "KeDetachProcess", - "IoGetCurrentProcess", - "IoFreeWorkItem", - "RtlFreeUnicodeString", - "ZwClose", - "ZwWriteFile", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", "IofCompleteRequest", - "ExFreePool", - "ExAllocatePoolWithTag", - "InterlockedDecrement", - "MmMapLockedPagesSpecifyCache", - "IoFreeMdl", - "InterlockedExchange", - 
"InterlockedIncrement", - "swprintf", - "RtlCopyUnicodeString", - "ExfInterlockedInsertTailList", - "wcsncmp", + "MmGetSystemRoutineAddress", "IoCreateSymbolicLink", - "RtlInitUnicodeString", "IoCreateDevice", - "IoDeleteSymbolicLink", - "KeInitializeSpinLock", - "IoDeleteDevice", - "_strnicmp", - "ExfInterlockedRemoveHeadList", - "IoAllocateWorkItem", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "NdisAllocateMemory", - "NdisFreePacket", - "NdisAllocatePacket", - "NdisResetEvent", - "NdisCloseAdapter", - "NdisAllocateBuffer", - "NdisInitializeEvent", - "NdisOpenAdapter", - "NdisFreeMemory", - "NdisQueryAdapterInstanceName", - "NdisDeregisterProtocol", - "NdisSetEvent", - "NdisFreeBufferPool", - "NdisAllocatePacketPool", - "NdisFreePacketPool", - "NdisRegisterProtocol", - "NdisWaitEvent", - "NdisAllocateBufferPool", - "NdisCopyFromPacketToPacket" + "IoDeleteDevice" ], - "Signatures": {} + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=JP, ST=Osaka, L=Chuo,ku, O=CAPCOM Co.,Ltd., OU=R&D Asset Management Section, CN=CAPCOM Co.,Ltd.", + "ValidFrom": "2016-05-02 00:00:00", + "ValidTo": "2017-05-02 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "7e59408d3c99c511a853fb2f73c03dc4", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] } ], "Tags": [ - "daxin_blank5.sys" - ] + "smep_capcom.sys" + ], + "yara": false }, { - "Id": "d9f2c3d6-160c-4eb3-8547-894fcf810342", + "Id": "f4c22f4d-eff8-40c5-8b31-146abe5f17b7", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create driver7-x86-withoutdbg.sys binPath=C:\\windows\\temp\\driver7-x86-withoutdbg.sys type=kernel && sc.exe start driver7-x86-withoutdbg.sys", + "Command": "sc.exe create physmem.sys binPath=C:\\windows\\temp\\physmem.sys type=kernel && sc.exe start physmem.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala" + "https://github.com/jbaines-r7/dellicious", + 
"https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/magicsword-io/LOLDrivers/issues/55", + "https://github.com/hfiref0x/KDU" ], "Acknowledgement": { - "Person": "", - "Handle": "" + "Person": "hfiref0x", + "Handle": "hfiref0x" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "driver7-x86-withoutdbg.sys", - "MD5": "4f191abc652d8f7442ca2636725e1ed6", - "SHA1": "4243dbbf6e5719d723f24d0f862afd0fcb40bc35", - "SHA256": "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], + "Filename": "physmem.sys", + "SHA1": "589a7d4df869395601ba7538a65afae8c4616385", + "Signature": [], "Date": "", "Publisher": "", - "Company": "ASUStek", - "Description": "The driver for the ECtool driver-based tools", - "Product": "EC tool", - "ProductVersion": "2.5", - "FileVersion": "2.5.0.2", - "MachineType": "I386", - "OriginalFilename": "Driver7", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + 
"OriginalFilename": "" + }, + { + "Filename": "physmem.sys", + "MD5": "a0e2223868b6133c5712ba5ed20c3e8a", + "SHA1": "17614fdee3b89272e99758983b99111cbb1b312c", + "SHA256": "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "Hilscher Gesellschaft für Systemaoutomation mbH", + "Description": "Physical Memory Access Driver", + "Product": "Physical Memory Access Driver", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "physmem.sys", "Authentihash": { - "MD5": "7776703e27df791bf1d4af2acb94115d", - "SHA1": "8c08885be9ec2ad64537038f6dca6654e475106a", - "SHA256": "baa89ffd5255e5c72112ed57937353ae48a050c9af423cbde6b380978ecc235c" + "MD5": "f2cd816e7f899442730b832a2e03797e", + "SHA1": "fd0cb3ea1deb4fdb22536a7c15669eb53315e5c8", + "SHA256": "03a831e18d933954d432187835e0d6aea8bf10fd84dfbe36a23366e2b0538a11" }, - "InternalName": "Driver7.sys", - "Copyright": "Copyright ", + "InternalName": "physmem.sys", + "Copyright": "© Hilscher Gesellschaft für Systemaoutomation mbH. 
All rights reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObReferenceObjectByHandle", - "ZwOpenSection", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "ObfDereferenceObject", - "ZwMapViewOfSection", - "IoWMIOpenBlock", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", + "ExAllocatePoolWithQuotaTag", "KeBugCheckEx", + "MmGetSystemRoutineAddress", + "IoCreateDevice", "ZwClose", - "memset", - "memcpy", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "RtlAssert", - "IofCompleteRequest", - "IoWMIQueryAllData", - "DbgPrint", - "HalTranslateBusAddress", - "WRITE_PORT_ULONG", - "READ_PORT_ULONG", - "WRITE_PORT_USHORT", - "READ_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "KeGetCurrentIrql" + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString" ], "Signatures": [ { 
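Review bot: The first new `physmem.sys` sample in this hunk (the object ending at `"OriginalFilename": ""`) carries only a `SHA1`; the `MD5`, `SHA256`, `Authentihash`, `InternalName` and `Copyright` keys present on every sibling sample are absent rather than empty, so a consumer that indexes samples by hash must skip missing or empty values before they become lookup keys. The same keys also change type across entries on the new side: `Commands` is an object here but a bare string in the SANDRA entry (hunk `@@ -68828,22 +63129,82 @@`), `Description` and `Acknowledgement.Person` are `""` in this entry and `[]` in that one and in `@@ -68855,105 +63216,101 @@`, and the sample key is spelled `Filename` here but `FileName` there. If the Go structs that embed this file declare fixed field types, `encoding/json` rejects the whole document on the first mismatch and the client loads zero drivers, which fails open for a detection tool; a CI test that unmarshals the embedded file and asserts a non-trivial entry count would catch that before release. The driver entry this hunk belongs to starts and ends outside the hunk.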
@@ -68735,52 +63038,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": 
"0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", + "Subject": "C=DE, ST=Hessen, L=Hattersheim, O=Hilscher Gesellschaft fuer Systemautomation mbH, OU=Entwicklung, CN=Hilscher Gesellschaft fuer Systemautomation mbH", + "ValidFrom": "2012-10-16 17:12:03", + "ValidTo": "2015-10-17 17:12:03", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of 
use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "1121d48f27abe17574473e4066a863792d46", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } @@ -68788,26 +63084,27 @@ } ], "Tags": [ - "driver7-x86-withoutdbg.sys" - ] + "physmem.sys" + ], + "yara": false }, { - "Id": "0f6c3a28-4d04-474b-a098-37383f984686", + "Id": "2740a074-1e06-4f75-9c6a-dc57a3f85189", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-03-04", "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", + "Category": "malicious", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create WinIO32.sys binPath=C:\\windows\\temp\\WinIO32.sys type=kernel && sc.exe start WinIO32.sys", - "Description": "", + "Command": "sc.exe create POORTRY1.sys binPath=C:\\windows\\temp\\POORTRY1.sys type=kernel && sc.exe start POORTRY1.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" ], "Acknowledgement": { "Person": "", 
@@ -68816,11 +63113,15 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "WinIO32.sys", - "MD5": "", - "SHA1": "8fb149fc476cf5bf18dc575334edad7caf210996", - "SHA256": "", - "Signature": [], + "Filename": "POORTRY1.sys", + "MD5": "acac842a46f3501fe407b1db1b247a0b", + "SHA1": "31fac347aa26e92db4d8c9e1ba37a7c7a2234f08", + "SHA256": "575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], "Date": "", "Publisher": "", "Company": "", 
@@ -68828,22 +63129,82 @@ "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "887c566bdc8ed5231f45a37845d5ee89", + "SHA1": "e6ab2bbad89502d8985381b33d7351eb97cb2b78", + "SHA256": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoCreateFile", + "RtlInitString", + "RtlFreeUnicodeString", + "ZwQueryDirectoryFile", + "ZwClose", + "IofCompleteRequest", + "IoIsWdmVersionAvailable", + "IoCreateSymbolicLink", + "IoCreateDevice", + "DbgPrint", + "KeBugCheckEx", + "__chkstk" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] } ], "Tags": [ - "WinIO32.sys" - ] + "POORTRY1.sys" + ], + "yara": false }, { - "Id": 
"a0fbd397-64d5-4af2-844b-b096e08a1866", + "Id": "a7628504-9e35-4e42-91f7-0c0a512549f4", "Author": "Nasreddine Bencherchali", "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create libnicm.sys binPath=C:\\windows\\temp\\libnicm.sys type=kernel && sc.exe start libnicm.sys", + "Commands": "sc.exe create SANDRA binPath=C:\\windows\\temp\\SANDRA type=kernel && sc.exe start SANDRA", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -68855,105 +63216,101 @@ "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "libnicm.sys", - "MD5": "7a6a6d6921cd1a4e1d61f9672a4560d6", - "SHA1": "cb5229acdf87493e45d54886e6371fc59fc09ee5", - "SHA256": "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a", + "FileName": "SANDRA", + "MD5": "c842827d4704a5ef53a809463254e1cc", + "SHA1": "09c567b8dd7c7f93884c2e6b71a7149fc0a7a1b5", + "SHA256": "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75", "Authentihash": { - "MD5": "8804d6be09e294ab07e2691ca91e67a5", - 
"SHA1": "ffe0a81f1e2aee5cb4c5720da8d3ab2cdec52dc1", - "SHA256": "6aa427e7230a2b077bfecade35ffff67b2f15c051cf92fd207a3412c747f83c3" + "MD5": "e4c579f7ebcf89c4f5790a584eb5af4c", + "SHA1": "6cec31c2fa78387a8d4d06934ac370033dd24ade", + "SHA256": "959860cea7a720811a960e28e0318c470948d96ab3ba3312d20fea0f24bc0979" }, - "Description": "Novell XTCOM Services Driver", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "libnicm.sys", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "Description": "Sandra Device Driver (Win64 x64)(Unicode)", + "Company": "SiSoftware", + "InternalName": "SANDRA", + "OriginalFilename": "SANDRA", + "FileVersion": "10.7.1.1 built by: WinDDK", + "Product": "SiSoftware Sandra", + "ProductVersion": "10.7.1.1", + "Copyright": "Copyright © SiSoftware Ltd 1995-2007. All rights reserved.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAcquireResourceExclusiveLite", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "RtlEqualString", + "ZwSetValueKey", + "NtQueryInformationProcess", + "ZwClose", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoQueryDeviceDescription", + "ZwSetInformationThread", + "RtlUnicodeStringToAnsiString", + "MmMapLockedPagesSpecifyCache", "MmUnmapLockedPages", - "ProbeForRead", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "KeInitializeMutex", - "KeLeaveCriticalRegion", - 
"IoDeleteDevice", - "ProbeForWrite", "IoFreeMdl", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", - "IoUnregisterShutdownNotification", - "ZwClose", - "IofCompleteRequest", - "IoSetTopLevelIrp", - "KeWaitForSingleObject", - "MmProbeAndLockPages", - "MmUnlockPages", - "ExDeleteResourceLite", - "IoGetTopLevelIrp", - "IoCreateSymbolicLink", - "IoCreateDevice", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", "IoAllocateMdl", - "RtlCreateSecurityDescriptor", - "IoGetCurrentProcess", + "MmBuildMdlForNonPagedPool", "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "RtlInitUnicodeString", - "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "RtlInitString", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwLoadDriver", - "ZwOpenKey", + "IoRegisterShutdownNotification", + "MmResetDriverPaging", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "IofCompleteRequest", + "MmPageEntireDriver", + "IoUnregisterShutdownNotification", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "IoCreateDevice", + "IoCreateSymbolicLink", "KeBugCheckEx", - "__C_specific_handler" + "RtlAppendUnicodeToString", + "IoReportResourceUsage", + "RtlInitUnicodeString", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -68961,126 +63318,103 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", - "ValidFrom": "2021-09-02 18:32:59", - "ValidTo": "2022-09-01 18:32:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", + "ValidFrom": "2006-02-01 21:44:28", + "ValidTo": "2016-01-30 21:44:28", + "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", - "ValidFrom": "2011-07-08 20:59:09", - "ValidTo": "2026-07-08 21:09:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", + "ValidFrom": "2006-08-25 14:34:37", + "ValidTo": "2009-08-25 14:34:37", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", + "ValidFrom": "2006-02-13 15:40:22", + "ValidTo": "2016-02-11 15:40:22", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", + "ValidFrom": "2006-05-23 17:01:15", + "ValidTo": "2016-05-23 17:11:15", + 
"Signature": "87a40f6b55916248ff54811ccf5db6c5a514aa671df485f6860d38b31c8d22ce7c867946fb71e16114d0ed4e46a48bca64654094f92ad7870ca9b7bedcc40bbd09c106eb9530841b9d8de7bc70c6f86539c4e5c4e65c8fcda130baef065e555290edd8587f15142ecc21a593dab8508d805e6e22a70fde8093add71d24b02aa2f4f20b98750131cc69bc359b3d13662f21bde54ec3639cc8518d59f5b600937ef10c35b0f4180dbfa7bdb2aae16b9f3ce6bb41b5d904e7c8a63abf8a5bdcaa9a3cd2c8dfcb1774163d78470b4c108e406616a0f300ede034998af0f9460ff27fbf202c972616d59e81da94a6dc61c8f18e092d4e32d03df682267d91d7a6c67bc1311d210ed4a342c1b4dfc0446b4f2aeebb29d62787b0a450ae1a9ab5f996f4ccabe52b3df166e2d5e1c3f0c687b659536638026e6194df1563aa415052f9bb64dc95e05b6c2aacfed6e603c21ff65557fe7e813fcb5a0bc1029cac84e47cd3f4c25a17c312706009ec82e5eccdd0b2106d69868c8da60e0416c57164ebd95bb8b08cfc32427e60846f655b7244272b846181f461d50fd51dbc05a27a5f937f26d1c8b3afa0190723e43e225d32d14a0fcee7b72a5c7b6e1c57126864e8337e8c501340a487b0d3a69b1eacbd3d7812bc52af09e0bab0508e5c81f98383af1482f50a6d035721bb9ac32e66fb04215b0a120fc1c907d63cecabf9a52f90883a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000002528b33aaf895f339db000000000252", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + "SerialNumber": "008da900010020ba965fe3dc471ba8", + "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" } ] } ] }, { - "FileName": "libnicm.sys", - "MD5": "cfad9185ffcf5850b5810c28b24d5fc8", - "SHA1": "87f313fc30ec8759b391e9d6c08f79b02f3ecebd", - "SHA256": "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b", + "FileName": "SANDRA", + "MD5": "84b17daba8715089542641990c1ea3c2", + "SHA1": "3059bc49e027a79ff61f0147edbc5cd56ad5fc2d", + "SHA256": "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b", "Authentihash": { - "MD5": "e30ca4b88f80e5441aee1a7102dccf9a", - "SHA1": "5e68ae28b2e80d0045c01affba7c76f649241fb6", - "SHA256": 
"c5647d315fb5ca1dcf4b063ea3f54003e2545739871519b8f2c98dc5baf66bac" + "MD5": "22eb1c16aae2709fa26bb9da73ab3df8", + "SHA1": "deec6cefac2084349127f29ac7ccf26b24458d89", + "SHA256": "18dfe852fade6625862cc963922c1f2389a296af96df11eb7b62bbeddd61e18a" }, - "Description": "Novell XTCOM Services Driver", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "libnicm.sys", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "Description": "Sandra Device Driver (Win64 x64)(Unicode)", + "Company": "SiSoftware", + "InternalName": "SANDRA", + "OriginalFilename": "SANDRA", + "FileVersion": "10.5.1.1 built by: WinDDK", + "Product": "SiSoftware Sandra", + "ProductVersion": "10.5.1.1", + "Copyright": "Copyright © SiSoftware Ltd 1995-2006. All rights reserved.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "RtlEqualString", - "ExAcquireResourceExclusiveLite", - "ExAllocatePoolWithTag", - "strstr", - "IoFreeMdl", - "RtlCreateSecurityDescriptor", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", - "IoUnregisterShutdownNotification", + "ZwSetValueKey", + "NtQueryInformationProcess", "ZwClose", - "IofCompleteRequest", - "IoSetTopLevelIrp", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoQueryDeviceDescription", + "ZwSetInformationThread", + "RtlUnicodeStringToAnsiString", + "IoAllocateMdl", + 
"MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", "MmUnmapLockedPages", - "KeWaitForSingleObject", - "ProbeForRead", - "MmProbeAndLockPages", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "MmUnlockPages", - "KeInitializeMutex", - "ExDeleteResourceLite", - "KeLeaveCriticalRegion", - "IoGetTopLevelIrp", + "IoFreeMdl", + "ZwCreateKey", + "IoCreateDevice", "IoCreateSymbolicLink", + "IoRegisterShutdownNotification", + "MmResetDriverPaging", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "IofCompleteRequest", + "MmPageEntireDriver", + "IoUnregisterShutdownNotification", + "IoDeleteSymbolicLink", "IoDeleteDevice", - "IoCreateDevice", - "ProbeForWrite", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", - "IoAllocateMdl", - "IoGetCurrentProcess", - "ZwLoadDriver", - "ZwReadFile", - "RtlInitUnicodeString", - "ZwOpenKey", - "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "RtlInitString", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwCreateKey", - "ZwOpenFile", - "RtlAnsiStringToUnicodeString", - "ZwQueryInformationFile", + "RtlQueryRegistryValues", "KeBugCheckEx", - "__C_specific_handler" + "RtlAppendUnicodeToString", + "IoReportResourceUsage", + "RtlInitUnicodeString", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress", + "KeStallExecutionProcessor" ], "Signatures": [ { 
@@ -69088,149 +63422,103 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", + "ValidFrom": "2006-02-01 21:44:28", + "ValidTo": "2016-01-30 21:44:28", + "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", + "ValidFrom": "2006-08-25 14:34:37", + "ValidTo": 
"2009-08-25 14:34:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "267f71f6ee43755fd6395f85c34bb15a72a6f2a959c2074627d294395fb1aaa4c7bbeff369d735628b233bde7e5c95a0f1837e5ad03704270834ce9c1b07649a256027930f44e064568666b06e7f9dc3cd299b38b0a6766301200ab58434a05a34a369ab99bbbf2aaa6b3603481e0393a80ea09e78a7cf55317a9590c49887f02e1fd948c3b1f6d203e91782ce423d0569f45e7f074205df5f92be6ccd9836641439af4390022242e0ca84aedb0d71c5a50f2dbd1ed30e5ac9c1bda67c694f94f2fe4aa83945ed32e426afe26f44dcb6dcc8186728f86f1a1bddc1ea7dd82b76578a42d1e63bf5f8f348fbcd509094858978e375d277394529df1dd5d78abab2", + "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", + "ValidFrom": "2006-02-13 15:40:22", + "ValidTo": "2016-02-11 15:40:22", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", + "ValidFrom": "2006-05-23 17:01:15", + "ValidTo": "2016-05-23 17:11:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": 
"008da900010020ba965fe3dc471ba8", + "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" } ] } ] }, { - "FileName": "libnicm.sys", - "MD5": "0809f48fd30845d983d569b847fa83cf", - "SHA1": "c02cb8256dfb37f690f2698473fe5428d17bc178", - "SHA256": "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e", + "FileName": "SANDRA", + "MD5": "e36f6f7401ae11e11f69d744703914db", + "SHA1": "dcdc9b2bc8e79d44846086d0d482cb7c589f09b8", + "SHA256": "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461", "Authentihash": { - "MD5": "1fd61feb0c5b905441426742e69ec997", - "SHA1": "faab67dd8387e4ccb17e28f3637ccce4096bd10b", - "SHA256": "fcdf0eaf9c8effa2786c82e774974f1ef4098dcd376461bad37fd4168dcab52b" + "MD5": "5ef46421c4cda0345e6d732ae4be93d5", + "SHA1": "c021fb8f391cdedb6f152a8eb839464c3770bf5d", + "SHA256": "9ce44d1643bc4d87e5029a4927613035bbd96b4e45a2400aed987396115791f7" }, - "Description": "Novell XTCOM Services Driver", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "libnicm.sys", - "FileVersion": "3.1.6.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.6", - "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", - "MachineType": "I386", + "Description": "Sandra Device Driver (Win64 x64)(Unicode)", + "Company": "SiSoftware", + "InternalName": "SANDRA", + "OriginalFilename": "SANDRA", + "FileVersion": "10.3.1.1 built by: WinDDK", + "Product": "SiSoftware Sandra", + "ProductVersion": "10.3.1.1", + "Copyright": "Copyright © SiSoftware Ltd 1995-2005. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "RtlEqualString", - "RtlInitAnsiString", - "strstr", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwClose", - "NtSetSecurityObject", - "ZwCreateFile", - "RtlCreateSecurityDescriptor", - "IoSetTopLevelIrp", - "IoGetTopLevelIrp", + "ZwSetValueKey", + "ZwCreateKey", + "RtlAppendUnicodeToString", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoQueryDeviceDescription", + "ZwSetInformationThread", + "RtlUnicodeStringToAnsiString", + "__C_specific_handler", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "IoFreeMdl", + "NtQueryInformationProcess", + "IoReportResourceUsage", "IofCompleteRequest", + "KeReleaseSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "MmResetDriverPaging", + "MmPageEntireDriver", "IoDeleteDevice", "IoDeleteSymbolicLink", - "KeReleaseMutex", - "KeWaitForSingleObject", - "KeLeaveCriticalRegion", - "IoFreeMdl", - "MmUnlockPages", - "MmUnmapLockedPages", - "MmMapLockedPagesSpecifyCache", - "MmProbeAndLockPages", - "IoAllocateMdl", - "ProbeForWrite", - "ProbeForRead", - "KeEnterCriticalRegion", "IoUnregisterShutdownNotification", - "IoCreateSymbolicLink", + "RtlQueryRegistryValues", "IoRegisterShutdownNotification", + "IoCreateSymbolicLink", "IoCreateDevice", - "KeInitializeMutex", - "DbgPrintEx", - "IoGetCurrentProcess", - "KeDelayExecutionThread", - "RtlAnsiStringToUnicodeString", - 
"RtlFreeUnicodeString", - "ZwSetValueKey", - "RtlInitUnicodeString", - "ZwCreateKey", - "RtlAppendUnicodeStringToString", - "memset", - "ZwQuerySystemInformation", - "RtlUnicodeStringToAnsiString", - "ZwQueryValueKey", - "ZwOpenKey", - "ZwOpenFile", - "RtlCopyString", - "MmIsAddressValid", - "ZwWaitForSingleObject", - "ZwReadFile", - "ZwQueryInformationFile", - "RtlInitString", - "ZwQueryDirectoryFile", - "ZwLoadDriver", - "RtlAppendUnicodeToString", - "KeTickCount", "KeBugCheckEx", - "RtlUnwind" + "ZwClose", + "MmUnmapLockedPages", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress", + "KeStallExecutionProcessor" ], "Signatures": [ { @@ -69238,10 +63526,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA", + "ValidFrom": "2003-08-06 00:00:00", + "ValidTo": "2013-08-05 23:59:59", + "Signature": "76b29cee139f1bf62d349294457334dc8e6b2e5cfc4c7d89ebc368f1d7990f2e1d17c8b5168bbecd8a0506f219493a035b05c9208e6d52e17681a0c3658a2267e41c53533746bfbcd72feb7b9ed014456c402108e25d757666301ef4df828a2fbdf3a20cbf1ddb9f14a29a72374db07748e84a3f09ce55192cefe60724e1afec", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
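Review bot: `"ExportedFunctions": ""` in the new SANDRA samples changes the field's type — the removed lines held an array (`"ExportedFunctions": [ "NicmCreateInstance", … ]`) and the neighbouring `Imports`/`ImportedFunctions` are still arrays, so one key now carries a string in some samples and an array in others. A typed decoder (presumably the Go package under pkg/loldrivers; its structs are not part of this diff) would have to fall back to an untyped field or custom unmarshalling to accept both forms. The same pattern recurs in the SANDRA samples of hunk @@ -69252 and, as `"CertificatesInfo": ""` replacing `[]`, in hunk @@ -69386. Prefer `"ExportedFunctions": []` and `"CertificatesInfo": []` for "none" so consumers can iterate unconditionally. The sample objects and the enclosing driver record begin before this hunk.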
@@ -69252,133 +63540,106 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2007-04-04 00:00:00", - "ValidTo": "2010-04-27 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "CN=SiSoftware LTD, O=SiSoftware LTD, OU=Secure Application Development, C=UK, ST=London, L=London", + "ValidFrom": "2004-09-23 16:28:04", + "ValidTo": "2005-09-23 16:28:04", + "Signature": "2623e3d4f0ca2111695ee2c1493671d554de79106efd8d98928e0890eb65e7da15d2f4c8f739e5fd1ce3e2205327c540b29ad0a901b605a623b2de380e382e4b75b9b41c5b4deb75c974d02c1911fb58851e75b6fc20bb947fca991fc050dee03a914b69345c77aeba2fa02e1b22cd2b75ad2593d9f5caa24550a02db6a3506d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "3ea278", + "Issuer": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA" } ] } ] }, { - "FileName": "libnicm.sys", - "MD5": "6ae9d25e02b54367a4e93c2492b8b02e", - "SHA1": "cfdf9c9125755f4e81fa7cc5410d7740fdfea4ed", - "SHA256": "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d", + "FileName": "SANDRA", + "MD5": "1610342659cb8eb4a0361dbc047a2221", + "SHA1": "8d0f33d073720597164f7321603578cd13346d1f", + "SHA256": "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a", "Authentihash": { - "MD5": "e960feebe973feb9fa4ceae648439f05", - "SHA1": "85dd2e3e9e97e981542336ab7051035d5e611380", - "SHA256": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f" + "MD5": "04ef6182073a4cbc8a606a4480093e0c", + "SHA1": "3c722e2822e0af72d3f868fffb8e5b884e502254", + "SHA256": "68dca726b16c56c70259c8f936ec20adb9ecb8c3cc73985083f41358c83935f4" }, - "Description": "Novell XTCOM Services Driver", - "Company": "Novell, Inc.", - "InternalName": "", - "OriginalFilename": "libnicm.sys", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", - "MachineType": "AMD64", + "Description": "Sandra Device Driver (Win32 x86)(Unicode)", + "Company": "SiSoftware", + "InternalName": "SANDRA", + "OriginalFilename": "SANDRA", + "FileVersion": "10.7.1.1 built by: WinDDK", + "Product": "SiSoftware Sandra", + "ProductVersion": "10.7.1.1", + "Copyright": "Copyright © SiSoftware Ltd 1995-2007. 
All rights reserved.", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAcquireResourceExclusiveLite", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "RtlEqualString", + "READ_REGISTER_USHORT", + "READ_REGISTER_ULONG", + "IoQueryDeviceDescription", + "ZwSetInformationThread", + "RtlUnicodeStringToAnsiString", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "IoFreeMdl", "MmUnmapLockedPages", - "ProbeForRead", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "KeInitializeMutex", - "KeLeaveCriticalRegion", + "IoReportResourceUsage", + "READ_REGISTER_UCHAR", + "MmResetDriverPaging", + "MmPageEntireDriver", "IoDeleteDevice", - "ProbeForWrite", - "IoFreeMdl", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", + "IoDeleteSymbolicLink", "IoUnregisterShutdownNotification", - "ZwClose", - "IofCompleteRequest", - "IoSetTopLevelIrp", - "KeWaitForSingleObject", - "MmProbeAndLockPages", - "MmUnlockPages", - "ExDeleteResourceLite", - "IoGetTopLevelIrp", + "RtlQueryRegistryValues", + "IoRegisterShutdownNotification", "IoCreateSymbolicLink", "IoCreateDevice", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", - "IoAllocateMdl", - "RtlCreateSecurityDescriptor", - "IoGetCurrentProcess", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "RtlInitUnicodeString", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "WRITE_REGISTER_ULONG", + 
"WRITE_REGISTER_USHORT", + "WRITE_REGISTER_UCHAR", + "memset", + "MmUnmapIoSpace", + "MmMapIoSpace", "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", + "ZwCreateKey", "ZwSetValueKey", - "ZwQuerySystemInformation", - "RtlInitString", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwLoadDriver", - "ZwOpenKey", - "KeBugCheckEx", - "__C_specific_handler" + "NtQueryInformationProcess", + "ZwClose", + "IofCompleteRequest", + "RtlInitUnicodeString", + "KfReleaseSpinLock", + "HalGetInterruptVector", + "KeStallExecutionProcessor", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalTranslateBusAddress", + "KfAcquireSpinLock" ], "Signatures": [ { 
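Review bot: The nested sample in this hunk is keyed `"FileName": "SANDRA"` while the top-level KnownVulnerableSamples entries added later in this diff (hunk @@ -69386) use `"Filename": …`; the two spellings appear to sit at different nesting levels, but one key name for the same concept would spare consumers a second mapping (Go's encoding/json matches field names case-insensitively, jq and most other parsers do not). The certificate timestamps such as `"ValidTo": "2005-09-23 16:28:04"` carry no zone designator, so it is unclear whether they are UTC; an RFC 3339 form (`2005-09-23T16:28:04Z`) would make them unambiguous, although this is the file-wide convention rather than something this commit introduces. The enclosing sample object starts before and ends after this hunk.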
@@ -69386,151 +63647,316 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", - "ValidFrom": "2021-09-02 18:32:59", - "ValidTo": "2022-09-01 18:32:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I", + "ValidFrom": "2006-02-01 21:44:28", + "ValidTo": "2016-01-30 21:44:28", + "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", - "ValidFrom": "2011-07-08 20:59:09", - "ValidTo": "2026-07-08 21:09:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", + "ValidFrom": "2006-08-25 14:34:37", + "ValidTo": "2009-08-25 14:34:37", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", + "ValidFrom": "2006-02-13 15:40:22", + "ValidTo": "2016-02-11 15:40:22", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", + "ValidFrom": "2006-05-23 17:01:15", + "ValidTo": "2016-05-23 17:11:15", + 
"Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "33000002528b33aaf895f339db000000000252",
- "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011"
+ "SerialNumber": "008da900010020ba965fe3dc471ba8",
+ "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I"
 }
 ]
 }
 ]
+ }
+ ],
+ "Tags": [
+ "SANDRA"
+ ],
+ "yara": true
+ },
+ {
+ "Id": "058fb356-e0ff-4f5e-8293-319feb005db2",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create bandai.sys binPath=C:\\windows\\temp\\bandai.sys type=kernel && sc.exe start bandai.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "bandai.sys",
+ "SHA1": "0f780b7ada5dd8464d9f2cc537d973f5ac804e9c",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
 },
 {
- "FileName": "libnicm.sys",
- "MD5": "34a7fab63a4ed5a0b61eb204828e08e5",
- "SHA1": "469c04cb7841eedd43227facaf60a6d55cf21fd7",
- "SHA256": "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48",
+ "Filename": "bandai.sys",
+ "SHA1": "ea360a9f23bb7cf67f08b88e6a185a699f0c5410",
+
"Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "bandai.sys" + ], + "yara": false + }, + { + "Id": "2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create mhyprot3.sys binPath=C:\\windows\\temp\\mhyprot3.sys type=kernel && sc.exe start mhyprot3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "mhyprot3.sys", + "MD5": "5cc5c26fc99175997d84fe95c61ab2c2", + "SHA1": "a197a02025946aca96d6e74746f84774df31249e", + "SHA256": "475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a", + "Signature": [ + "miHoYo Co.,Ltd.", + "DigiCert SHA2 Assured ID Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "e960feebe973feb9fa4ceae648439f05", - "SHA1": "85dd2e3e9e97e981542336ab7051035d5e611380", - "SHA256": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f" + "MD5": "7ce959fb5b40f1ba40bcac22c8d95c75", + "SHA1": "82fe9b69f358ef5851eeaa26a9a03f2e1b231358", + "SHA256": 
"aac86a3143de3e18dea6eab813b285da0718e9fb6bc0bbb46c6e7638476061d8" }, - "Description": "Novell XTCOM Services Driver", - "Company": "Novell, Inc.", "InternalName": "", - "OriginalFilename": "libnicm.sys", - "FileVersion": "3.1.11.0", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", - "MachineType": "AMD64", + "Copyright": "", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "WDFLDR.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAcquireResourceExclusiveLite", + "ExReleaseFastMutex", + "ObfDereferenceObject", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "RtlInitUnicodeString", + "KeSetEvent", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", + "ExInitializeResourceLite", + "ExAcquireResourceExclusiveLite", "ExReleaseResourceLite", - "RtlEqualString", - "MmUnmapLockedPages", - "ProbeForRead", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "KeInitializeMutex", - "KeLeaveCriticalRegion", - "IoDeleteDevice", - "ProbeForWrite", - "IoFreeMdl", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", - "IoUnregisterShutdownNotification", - "ZwClose", "IofCompleteRequest", - "IoSetTopLevelIrp", - "KeWaitForSingleObject", - "MmProbeAndLockPages", - "MmUnlockPages", - "ExDeleteResourceLite", - "IoGetTopLevelIrp", - "IoCreateSymbolicLink", "IoCreateDevice", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", - 
"IoAllocateMdl", - "RtlCreateSecurityDescriptor", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IoGetCurrentProcess", - "ZwCreateKey", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "MmIsAddressValid", + "PsGetCurrentProcessId", + "MmCopyVirtualMemory", + "vsprintf_s", + "swprintf_s", + "ExEventObjectType", + "_wcsicmp", + "RtlInitString", "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "RtlInitUnicodeString", - "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", - "ZwSetValueKey", + "RtlFreeUnicodeString", + "IoGetDeviceObjectPointer", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ObReferenceObjectByName", "ZwQuerySystemInformation", - "RtlInitString", + "__C_specific_handler", + "MmHighestUserAddress", + "IoDriverObjectType", + "KeQueryTimeIncrement", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsGetProcessWow64Process", + "PsGetProcessPeb", + "MmUnlockPages", + "ExAcquireFastMutex", + "MmUnmapLockedPages", + "IoFreeMdl", + "ZwTerminateProcess", + "PsGetProcessImageFileName", + "ZwQueryObject", + "ObOpenObjectByPointer", + "PsReferenceProcessFilePointer", + "IoQueryFileDosDeviceName", + "MmProbeAndLockPages", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "KeClearEvent", + "MmMapLockedPages", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetCreateThreadNotifyRoutine", + "PsRemoveCreateThreadNotifyRoutine", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "RtlUpcaseUnicodeChar", + "DbgPrint", + "ObRegisterCallbacks", + "ObUnRegisterCallbacks", + "ObGetFilterVersion", + "PsGetProcessId", + "IoThreadToProcess", + "strcmp", + "PsProcessType", + "PsThreadType", + "RtlEqualUnicodeString", + "RtlGetVersion", + "ObfReferenceObject", + "ObGetObjectType", + "ExEnumHandleTable", + "ExfUnblockPushLock", + "PsAcquireProcessExitSynchronization", + "PsReleaseProcessExitSynchronization", + "_snprintf", + 
"ZwCreateFile", + "ZwWriteFile", + "PsLookupThreadByThreadId", + "NtQueryInformationThread", + "PsGetThreadProcess", "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwLoadDriver", - "ZwOpenKey", - "KeBugCheckEx", - "__C_specific_handler" + "KdDisableDebugger", + "KdChangeOption", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KdDebuggerEnabled", + "PsGetVersion", + "RtlCopyUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePool", + "KeInitializeEvent", + "MmGetSystemRoutineAddress", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher", - "ValidFrom": "2022-01-27 19:31:19", - "ValidTo": "2023-01-26 19:31:19", - "Signature": "941777115fcaf24c60c4a8c891758c491887aa5e9f0902a704191e75dd6f99be3d14a24aa35b1f2a1c1c42dde08da3fa75a73edbf7b5ae0fe94b3716e43b838ff30149e19c51b8b87cc53377ae08bfc0f54c7fafa398db43e839de108493510bc34d0fe998a44fcd0a11b0dc0c7315421dac79ab09ca47f847f9fa88e15d57a564f7b074664409c0ce01c697b2dcfd31676fc908fbc6bb928f82170f0b5a54f52f4327797278b78188b87e37b192b493d00eaf661e30f12b9e67fbd1df9cc5843e6a1c68b45d4f62423450cdc990fab2367d7f57719cb8272f59d4f300284a36d88adfc976cb08c6b0da33d5e988be0e1a3cef2a9669b5227a5b8d027f804908", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=CN, L=Shanghai, O=miHoYo Co.,Ltd., OU=OPS, CN=miHoYo Co.,Ltd.", + "ValidFrom": "2019-04-04 
00:00:00", + "ValidTo": "2022-04-08 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", - "ValidFrom": "2011-10-19 18:41:42", - "ValidTo": "2026-10-19 18:51:42", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000036ce57eeb5d1cc2be1700000000036c", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Production PCA 2011"
+ "SerialNumber": "053ad4f9ee8438ef1662ab8d599213ba",
+ "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA"
 }
 ]
 }
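Review bot: `"Verified": "FALSE"` and the newly added `"yara": false` in the same record use two different boolean encodings — a quoted `"TRUE"`/`"FALSE"` string beside a real JSON boolean — so a consumer has to string-compare one and type-check the other; either `"Verified": false` for both or, at minimum, the new `yara` key following the existing convention would be cleaner. `Resources` in both new records lists the same URL twice, the first copy with a leading space (`" https://learn.microsoft.com/…"`), which looks like an upstream generation artifact rather than two distinct references and will defeat any exact-match dedup or URL validation. The `yara` flag also duplicates what `Detection` already states (`"Detection": []` with `"yara": false` here, a `yara_signature` entry in the record that follows in the next hunk), so the two can drift apart; deriving the flag from `Detection` at load time would be safer. The bandai.sys samples carry only a SHA1 and `"Signature": []`, presumably because the upstream source published nothing more, so matching on them is weaker than on the records that also carry MD5, SHA256 and Authentihash.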
@@ -69538,156 +63964,261 @@ } ], "Tags": [ - "libnicm.sys" - ] + "mhyprot3.sys" + ], + "yara": false }, { - "Id": "e6338692-90e0-41b1-9481-a47e0df144ad", + "Id": "ff74f03e-e4ce-4242-bfe3-60601056bb34", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "FALSE", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create fidpcidrv.sys binPath=C:\\windows\\temp\\fidpcidrv.sys type=kernel && sc.exe start fidpcidrv.sys", + "Command": "sc.exe create CorsairLLAccess64.sys binPath=C:\\windows\\temp\\CorsairLLAccess64.sys type=kernel && sc.exe start CorsairLLAccess64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "Filename": "fidpcidrv.sys", - "SHA1": "08596732304351b311970ff96b21f451f23b1e25", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b.yara" }, { - "Filename": "fidpcidrv.sys", - "SHA1": "7838fb56fdab816bc1900a4720eea2fc9972ef7a", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": 
"", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "Filename": "fidpcidrv.sys", - "SHA1": "4789b910023a667bee70ff1f1a8f369cffb10fe8", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" }, { - "Filename": "fidpcidrv.sys", - "SHA1": "eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec", - "Signature": [], + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "CorsairLLAccess64.sys", + "MD5": "803a371a78d528a44ef8777f67443b16", + "SHA1": "5fb9421be8a8b08ec395d05e00fd45eb753b593a", + "SHA256": "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Company": "Corsair Memory, Inc.", + "Description": "Corsair LL Access", + "Product": "Corsair LL Access", + "ProductVersion": "1.0.18.0", + "FileVersion": "1.0.18.0", + "MachineType": "AMD64", + "OriginalFilename": "Corsair LL Access", + "Authentihash": { + "MD5": 
"daa859bc87e256d7cbf1d86285d96f9b", + "SHA1": "d29d73b2add87a7daf3c626d593599ef6b9560ca", + "SHA256": "e4ac5c7fbb41ee988029b27d8b6be574725689fd1365f5a56f5a12d9120f86c6" + }, + "InternalName": "Corsair LL Access", + "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "RtlGetVersion", + "KeInitializeMutex", + "KeReleaseMutex", + "KeWaitForSingleObject", + "ExQueryDepthSList", + "ExpInterlockedPopEntrySList", + "ExpInterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "wcsncmp", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetRequestorProcessId", + "__C_specific_handler", + "KeBugCheckEx", + "wcsncat_s", + "MmUnmapLockedPages", + "wcscpy_s", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] } ], "Tags": [ - "fidpcidrv.sys" - ] + "CorsairLLAccess64.sys" + ], + "yara": true }, { - "Id": "cce291c8-4534-4362-af45-5f45cd32bd92", + "Id": "d9f2c3d6-160c-4eb3-8547-894fcf810342", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create smep_namco.sys binPath=C:\\windows\\temp\\smep_namco.sys type=kernel && sc.exe start smep_namco.sys", + "Command": "sc.exe create driver7-x86-withoutdbg.sys binPath=C:\\windows\\temp\\driver7-x86-withoutdbg.sys type=kernel && sc.exe start driver7-x86-withoutdbg.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + " https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": 
"smep_namco.sys", - "MD5": "02198692732722681f246c1b33f7a9d9", - "SHA1": "f052dc35b74a1a6246842fbb35eb481577537826", - "SHA256": "7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d", + "Filename": "driver7-x86-withoutdbg.sys", + "MD5": "4f191abc652d8f7442ca2636725e1ed6", + "SHA1": "4243dbbf6e5719d723f24d0f862afd0fcb40bc35", + "SHA256": "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a", "Signature": [ - "NAMCO BANDAI Online Inc.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "Company": "ASUStek", + "Description": "The driver for the ECtool driver-based tools", + "Product": "EC tool", + "ProductVersion": "2.5", + "FileVersion": "2.5.0.2", + "MachineType": "I386", + "OriginalFilename": "Driver7", "Authentihash": { - "MD5": "5673638fc95d46f6b323144472c6e608", - "SHA1": "0f780b7ada5dd8464d9f2cc537d973f5ac804e9c", - "SHA256": "7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8" + "MD5": "7776703e27df791bf1d4af2acb94115d", + "SHA1": "8c08885be9ec2ad64537038f6dca6654e475106a", + "SHA256": "baa89ffd5255e5c72112ed57937353ae48a050c9af423cbde6b380978ecc235c" }, - "InternalName": "", - "Copyright": "", + "InternalName": "Driver7.sys", + "Copyright": "Copyright ", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", - "IofCompleteRequest", - "MmGetSystemRoutineAddress", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "ObfDereferenceObject", + "ZwMapViewOfSection", + "IoWMIOpenBlock", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IoCreateSymbolicLink", "IoCreateDevice", - "IoDeleteDevice" + 
"KeTickCount", + "KeBugCheckEx", + "ZwClose", + "memset", + "memcpy", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "RtlAssert", + "IofCompleteRequest", + "IoWMIQueryAllData", + "DbgPrint", + "HalTranslateBusAddress", + "WRITE_PORT_ULONG", + "READ_PORT_ULONG", + "WRITE_PORT_USHORT", + "READ_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "KeGetCurrentIrql" ], "Signatures": [ { 
@@ -69695,45 +64226,52 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=JP, ST=Tokyo, L=Shinagawa, O=NAMCO BANDAI Online Inc., CN=NAMCO BANDAI Online Inc.", - "ValidFrom": "2012-08-22 06:31:53", - "ValidTo": "2014-10-21 03:05:04", - "Signature": "a6adc313f1c743fa19363fba06d32bdaf2c528004b8baf033ab77fa6a5a919cd30ebc7936933134553014329292e644225ee7dc0fcaa6fcfdb87e59947955d2acc40e2778598fe763057c821c93f3f2525c81179a4d0cb32d28329cc7f1e245b455ca755c1a8789bb8813da3492c19ce4f6b68d74cb5352deaed4865e1d944e01a6a3b14531a7305e9e385ea681d54062c2c1489384bb6f0917775250471255f5dcdc253fff80becd97053d22e6e8d73f3b2272d0bf0d262f73bb5dccfd48622cdf180eaf4ca77304b943362c759f125a1f56b3c5665f406fa2da81038161073f446d50fb3e8ae46d30f94021c514e6ca52f0d7d4951e2f9e245e4fd966f31f0", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121953cf4f12153ed3974a70d218298b988", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -69741,167 +64279,472 @@ } ], "Tags": [ - "smep_namco.sys" - ] + "driver7-x86-withoutdbg.sys" + ], + "yara": true }, { - "Id": "275c80c5-a67c-4536-b29e-4e481242cb01", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "7ce8fb06-46eb-4f4f-90d5-5518a6561f15", + "Author": "Michael Haag", + "Created": "2023-05-22", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", - "Commands": "sc.exe create RTCore64.sys binPath=C:\\windows\\temp\\RTCore64.sys type=kernel && sc.exe start RTCore64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create gmer64.sys binPath=C:\\windows\\temp\\gmer64.sys type=kernel && sc.exe start gmer64.sys", + "Description": "Driver used by the GMER application. Which is an application that detects and removes rootkits", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + "https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951", + "http://www.gmer.net/" ], "Acknowledgement": { - "Person": [], - "Handle": "" + "Person": "hfiref0x", + "Handle": "hfiref0x" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": 
"sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "RTCore64.sys", - "MD5": "3ecd3ca61ffc54b0d93f8b19161b83da", - "SHA1": "4f376b1d1439477a426ef3c52e8c1c69c2cb5305", - "SHA256": "03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9", + "Filename": "gmer64.sys", + "MD5": "a822b9e6eedf69211013e192967bf523", + "SHA1": "83506de48bd0c50ea00c9e889fe980f56e6c6e1b", + "SHA256": "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "GMER", + "Description": "GMER Driver http://www.gmer.net", + "Product": "GMER", + "ProductVersion": "2, 0, 6983", + "FileVersion": "2, 0, 6983 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "gmer64.sys", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "7514f440c5b9e5c4a0498e4489b76d62", + "SHA1": "0bca6c35159282fd64615abc4d398399b061847b", + "SHA256": "3913d9754b78182aa25d38fbd7ea02502bdf1d81e6525ab4b5ffe5f543200478" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "gmer64.sys", + "Copyright": "Copyright (C) GMER 2003-2013", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "PsProcessType", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "strncmp", + "_snwprintf", + "PsLookupProcessByProcessId", "RtlInitUnicodeString", + "IoDeleteDevice", + "KeUnstackDetachProcess", + "KeDetachProcess", + "IoDriverObjectType", + "wcsrchr", + "ExAllocatePool", "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - 
"ZwOpenSection", - "IoDeleteSymbolicLink", + "KeBugCheck", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", + "ObReferenceObjectByHandle", + "KeAttachProcess", + "PsGetVersion", + "PsThreadType", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "ObReferenceObjectByName", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupThreadByThreadId", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "IoBuildSynchronousFsdRequest", + "_wcsnicmp", + "ZwReadFile", + "wcsncpy", + "KeInitializeEvent", + "ZwSetInformationFile", + "strncpy", + "IoGetDeviceObjectPointer", + "NtClose", + "KeWaitForSingleObject", + "ZwDeleteFile", + "RtlCompareUnicodeString", + "ObfReferenceObject", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwWriteFile", + "IofCallDriver", + "wcschr", + "MmUnmapLockedPages", + "_stricmp", + "_strnicmp", + "RtlVolumeDeviceToDosName", + "ZwMapViewOfSection", + "MmGetSystemRoutineAddress", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", + "ZwOpenThread", + "IoFreeMdl", + "KeDelayExecutionThread", + "MmMapLockedPagesSpecifyCache", + "ZwUnmapViewOfSection", + "IoGetCurrentProcess", + "MmProbeAndLockPages", + "ZwOpenProcess", + "MmUnlockPages", + "ZwQueryInformationProcess", + "ZwCreateSection", + "wcsncmp", + "ZwTerminateProcess", + "ZwQueryInformationThread", + "IoAllocateMdl", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySymbolicLinkObject", + "KeSetEvent", + "RtlEqualUnicodeString", + "ZwOpenSymbolicLinkObject", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoAllocateIrp", + "IoGetDeviceInterfaces", + "IoCreateNotificationEvent", + "ObQueryNameString", + "ZwWaitForSingleObject", + "ZwQueryDirectoryFile", + "KeResetEvent", + "KdDebuggerNotPresent", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeBugCheckEx", + "__C_specific_handler" ], "Signatures": [ { - 
"CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=Katowice, L=Katowice, O=GMEREK Systemy Komputerowe Przemyslaw Gmerek, CN=GMEREK Systemy Komputerowe Przemyslaw Gmerek", + "ValidFrom": "2014-01-02 07:01:46", + "ValidTo": "2015-02-04 15:04:09", + "Signature": "ad49289aa50c6f87bd70af8712f5c8bf00f5e44e58d92f3e0429b2179e6368a89ba4d6a35a08a6bb271dbaa454a1ffeaa1e774eb5e3b564d08998c930453ce3db67186fe7797ebf4aeb2b3f693ff919ce7ffe24ad3715ed12a2838ffd6b3a43d79b6771dd89e5b076fae811e8aca865f6ed5475a5316ee5ab85888101e65671416a1afb6fee3ac3d70a45090331e481e2bbbbe8c48f0fe31e44cc172c45c563897e70cd1c7d5afb602735b7160cb4853b6ec4b61efee01be7408f6a00214bd9381b173531fd1c903839906b8eb104a1684084a30f9618774ef23ecfbc7b6f5c7e53ed59e4be74fe4e18ceec5cb4ea9561bf8827e8bce6d30299ec8d5d5df62d2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": 
"C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "1121c5bcad73319ee0131e328a2b814e164a", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] + } + ], + "Tags": [ + "gmer64.sys" + ], + "yara": true + }, + { + "Id": "0567c6c4-282f-406f-9369-7f876b899c25", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create procexp.sys binPath=C:\\windows\\temp\\procexp.Sys type=kernel && sc.exe start procexp.Sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research", + "https://malware.news/t/lazarus-group-attack-case-using-vulnerability-of-certificate-software-commonly-used-by-public-institutions-and-universities/67715", + "https://waawaa.github.io/en/Bypass-PPL-Using-Process-Explorer/", + "https://github.com/magicsword-io/LOLDrivers/issues/57", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/Yaxser/Backstab/blob/master/resources/PROCEXP.sys", + "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/", + "https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85.yara" }, { - "FileName": "RTCore64.sys", - "MD5": "925ee3f3227c3b63e141ba16bd83f024", - "SHA1": "57ea07ab767f11c81c6468b1f8a3d5f4618b800b", - "SHA256": "0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "procexp.Sys", + "MD5": "e6cb1728c50bd020e531d19a14904e1c", + "SHA1": "2dd916cb8a9973b5890829361c1f9c0d532ba5d6", + "SHA256": "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "fe54aac5dfae8729c48361d2ea4f7271", + "SHA1": "2a4e81a1d23e3b7d9c14b6fbc393ecfad5f34133", + "SHA256": "c5732937c3ab5e0fd244cc1b820eaa1fb7d97110c213cd6b9dadebafe3ea853d" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "16.32", + "Product": "Process Explorer", + 
"ProductVersion": "16.32", + "Copyright": "Copyright (C) Mark Russinovich 1996-2020", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + 
"KeBugCheckEx" ], "Signatures": [ { 
@@ -69909,93 +64752,95 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-03-04 19:12:18", + "ValidTo": "2021-03-03 19:12:18", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "330000009484c47568579aafe9000000000094", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party 
Component CA 2012" } ] } ] }, { - "FileName": "rtcore64.sys", - "MD5": "483abeee17e4e30a760ec8c0d6d31d6d", - "SHA1": "f56fec3f2012cd7fc4528626debc590909ed74b6", - "SHA256": "077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356", + "FileName": "procexp.Sys", + "MD5": "fea9319d67177ed6f36438d2bd9392fb", + "SHA1": "db6170ee2ee0a3292deceb2fc88ef26d938ebf2d", + "SHA256": "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1", "Authentihash": { - "MD5": "5860da7a094c5f2ff2787476c37b4b35", - "SHA1": "da1bd3ad4a8fe1e28c1de28a7bf66ad82da0dd29", - "SHA256": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb" + "MD5": "fbc316e1e634e967c5413a200cde7ad6", + "SHA1": "a1dd17b946ade947b621e9fec4fe7ad0835f0ac9", + "SHA256": "4533a11f4f190354b749f2842b57233e5e9e8b37fa4031bcb976118cff902101" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "16.42", + "Product": "Process Explorer", + "ProductVersion": "16.42", + "Copyright": "Copyright (C) Mark Russinovich 1996-2021", + "MachineType": "ARM64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "ZwUnmapViewOfSection", - "MmMapIoSpace", - "ZwClose", + "KfRaiseIrql", + "KfLowerIrql", + "strncpy", + "RtlInitUnicodeString", + "MmGetSystemRoutineAddress", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "PsGetVersion", "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateSymbolicLink", "IoCreateDevice", - "ZwOpenSection", - 
"KeBugCheckEx", - "RtlInitUnicodeString", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", + "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObCloseHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObOpenObjectByName", "__C_specific_handler", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "HalTranslateBusAddress" + "IoFileObjectType", + "PsProcessType", + "PsThreadType" ], "Signatures": [ { 
@@ -70003,90 +64848,93 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", - "ValidFrom": "2016-06-15 00:00:00", - "ValidTo": "2024-06-15 00:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:30", + "ValidTo": "2021-12-02 22:15:30", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "O=GlobalSign, OU=GlobalSign Root CA , R3, CN=GlobalSign", - "ValidFrom": "2015-06-04 17:47:53", - "ValidTo": "2025-06-04 17:47:53", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, serialNumber=22178368, ??=TW, C=TW, ST=New Taipei, L=New Taipei, ??=NO.69, LI,DE ST., ZHONGHE DIST., O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2019-09-16 08:28:21", - "ValidTo": "2022-09-16 08:28:21", - "Signature": 
"31d3e258a115d41cea97ae1122b5482d2df37785b800cd8b16ee0e42b12a04e5b75d4c3447e1ffb7da8be87e733164fd2ed0020ab3d1010bf21a78cda4d031c4a75cec091a5072b44e8946476eb7c04c69e2e46af012ce640075751baf523140e803c62108f3b9efff3024a0e27138ba6763d36ca957fb480006e9b824f677b980edb98903a116d529b318753b539854a15778dacc6e4db10e4f3c5748b399f7270b244fe83e59743dbe4576c110bde088b2224d91e0c32bc8e4e5c7a61516602b962d66b01a46ccd5814a71bf9e99aac9604179d90230caea6c1229ecd20d2638084d62ff053dcf29675a0a44de07b9e75d5c3f8aeb66900828b949ea9289a8", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "6a7bb9e55c0bbf1def6c739c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" + "SerialNumber": 
"33000000b20f9ad86794f322f60000000000b2", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "c508d28487121828c3a1c2b57acb05be", - "SHA1": "7c43d43d95232e37aa09c5e2bcd3a7699d6b7479", - "SHA256": "0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3", + "FileName": "procexp.Sys", + "MD5": "eeb8e039f6d942538eb4b0252117899a", + "SHA1": "bebf97411946749b9050989d9c40352dbe8269ea", + "SHA256": "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "750ecd21c673a6fda9199887013d3751", + "SHA1": "82d3299c06b944895385fd2f3d9d18391273019d", + "SHA256": "8e38148ad4ed9946e8600b37f63996bf17c0101e3f50123b3b8513c895a4b521" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "12.00", + "Product": "Process Explorer", + "ProductVersion": "12.00", + "Copyright": "Copyright (C) M. 
Russinovich 1996-2010", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", + "ObQueryNameString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ZwQueryObject", + "KeDetachProcess", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "KeAttachProcess", + "ObfDereferenceObject", + "PsLookupProcessByProcessId", + "ZwClose", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwQuerySystemInformation", + "MmIsAddressValid", + "memset", + "ObOpenObjectByPointer", + "RtlUnicodeStringToAnsiString", + "NtClose", + "ZwOpenProcessToken", + "memcpy", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", "IoCreateSymbolicLink", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "NtBuildNumber", + "KeTickCount", + "KeBugCheckEx", + "strncpy", + "ZwQueryInformationProcess", + "RtlFreeAnsiString", + "RtlUnwind", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { 
@@ -70094,92 +64942,95 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2010-03-04 00:00:00", + "ValidTo": "2013-04-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, - { - "FileName": "RTCore64.sys", - "MD5": "08c1bce6627764c9f8c79439555c5636", - "SHA1": "4d4535c111c7b568cb8a3bece27a97d738512a6b", - "SHA256": "1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb", + { + "FileName": "procexp.Sys", + "MD5": "c56a9ed0192c5a2b39691e54f2132a2f", + "SHA1": "9099482b26e9ba8e1d303418afc9111a3bffd6b3", + "SHA256": "30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb", "Authentihash": { - "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", - "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", - "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" + "MD5": "eb6ceb9aa0eaedee2d112b167908e871", + "SHA1": "4d68ec346d13359525da958af0fada57bc9ff35a", + "SHA256": "7a4e4ee169fe0f1f079e5f5c1da38ea70fe717e728faf054deb180f9e37fe574" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "11.30", + "Product": "Process Explorer", + "ProductVersion": "11.30", + "Copyright": "Copyright (C) M. 
Russinovich 1996-2008", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", + "NtBuildNumber", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", - "IoCreateDevice", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IofCompleteRequest", + "MmIsAddressValid", "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "ObfDereferenceObject", + "ExGetPreviousMode", + "IoCreateDevice", + "MmGetSystemRoutineAddress", + "ObOpenObjectByPointer", + "ZwQueryObject", + "RtlUnicodeStringToAnsiString", + "SePrivilegeCheck", + "ZwQuerySystemInformation", + "ZwOpenProcessToken", + "SeReleaseSubjectContext", + "KeDetachProcess", + "ObQueryNameString", + "strncpy", + "ExAllocatePool", + "SeCaptureSubjectContext", + "NtClose", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "IoDeleteSymbolicLink", + "ZwDuplicateObject", + "ExFreePoolWithTag", + "RtlFreeAnsiString", + "KeAttachProcess", + "KeBugCheckEx", + "__C_specific_handler" ], "Signatures": [ { 
@@ -70187,89 +65038,123 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR 
INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2007-03-05 00:00:00", + "ValidTo": "2010-04-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "2d91d45cd09dfc3f8e89da1c261fd1ac", - "SHA1": "634b1e9d0aafac1ec4373291cefb52c121e8d265", - "SHA256": "18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c", + "FileName": "procexp.Sys", + "MD5": "6ff59faea912903af0ba8e80e58612bc", + "SHA1": "736531c76b8d9c56e26561bf430e10ecabff0186", + "SHA256": "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - "SHA256": 
"b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "8b8a646469bdd1bab7b402ac83dba4a5", + "SHA1": "075998a905d4afda2e1727f6f31030c4d126dcc5", + "SHA256": "083828dd2e4afe22f5d27b56bd7f5a60e43aea7ec8f8cb0a138be84ee639a09c" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + 
"PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -70277,93 +65162,132 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:3BD4,4B80,69C3, CN=Microsoft Time,Stamp service", + "ValidFrom": "2018-08-23 20:20:24", + "ValidTo": "2019-11-23 20:20:24", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2010-04-14 00:00:00", - "ValidTo": "2012-04-15 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-04-18 18:42:23", + "ValidTo": "2020-03-27 18:42:23", + "Signature": "5844e21f86b9788f56cd1d77f3f69287bb20fca894e9fedbba22b6bc952403a6b4c2cd38d003bfdd0ceb0ddcc583331efcad8b4be9516204983e26aaa15594ebc7b5784a3999aa9096a0d877371281c61840e4e57a2f4e33bcb554e3b1c25bcc71215544be72d254435aa7f462028722def36cb7819d9d746296b42f1e2dc0c6176f722fdc51d3913e1afdd3052cc50e1dc3f8dac1aaec4fc9b739973db14c1f1f68b5516a406994297ba034347c781323447d7e6c87dd73db025cea27bba00321aa12287daee740fd07040f293ead6d5f61bc0304daeebc847d5f4da6e712d2868d64a710212080c97dd804c265b6a60b368cceab6e1a4c81ba8361233a0ab2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2018-09-20 17:42:01", + "ValidTo": "2021-05-09 23:28:13", + "Signature": "db595516f66f18e1341f22519cd75bdebec9fe22cf0da8b0b3d16c1da9a402d786bc566b40ee0bbcf93519de693d54a7d10a23c02dbc67986c390faf808cbc4adb87290c6336e5faf85d8f8c233ef9922fb1843a48a325954aeac902617af61fee0538540f210e1e96e2d2fbd710c3d9dcdee31f05054f429bacbd15eea95a19817a77c5be146a41a7307858ced3207157603c07b83c83ca0f35f77a632f148aa6dc8e0f947a8aaf6ad8c8d7c4490526c7f4f6ad021edb776725fe7dfb894a56d92fd032d2197c0e4edb995316a84d28109a61707230317c47c98b01093a263ebe5bcc278ffd669fd49fe1f51ac913b6c3cf714b5fc34381ee4996d59981421916414f0a902e76bd3b0399e4851a6084716df77ce405fe55a53be6f3c95f067a3f46ef77f7ad48d211cac1b08ab7964cfa9e8fdd336d2a84750021c76bffdc3de28b8d81b65134c9bdf6379fedf06b028f3ec0b6f5a6bb72c6745953ef43d67808d0bf11b7fa1d0a74b18f5e3b21f2e940ade8d052a9e19e9eb3bffbe9f5e8439a09ee26abf6d3e9528a1ef984617b5c33cf0d8d6e9daac74135d14fc21e82668e5b9075d3235eb988eec5fcac9753af2e343e2a1c88a19dc94ec1f11ae245eef3a76beccb5bb13fa9f39d9b04ffd6342cbc040e29a161d212d5b6a50c10be6f6b9e681d4747ac7bd030d75c18d61ec0ad03e3cecfc668c49424c26fd4de1072", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000387a14cce6619d8c51000200000038", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "bcd60bf152fdec05cd40562b466be252", - "SHA1": "6ce0094a9aacdc050ff568935014607b8f23ff00", - "SHA256": "3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c", + "FileName": "procexp.Sys", + "MD5": 
"8e78ab9b9709bafb11695a0a6eddeff9", + "SHA1": "2f9b0cd96d961e49d5d3b416028fd3a0e43d6a28", + "SHA256": "3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc", "Authentihash": { - "MD5": "5860da7a094c5f2ff2787476c37b4b35", - "SHA1": "da1bd3ad4a8fe1e28c1de28a7bf66ad82da0dd29", - "SHA256": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb" + "MD5": "acacde5c8a3a37b4fa43d9b651df85ea", + "SHA1": "f14e20cea5fac19bca02f5b067d12a459a393467", + "SHA256": "c286dfac5ca413efeb1936e876688b6bd46d25dc64206f86efb4f52ad83d1889" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) M. Russinovich 1996-2011", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "ZwUnmapViewOfSection", - "MmMapIoSpace", + "ObfDereferenceObject", + "ObOpenObjectByPointer", + "ObReferenceObjectByHandle", + "__C_specific_handler", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "ObQueryNameString", + "ExFreePoolWithTag", + "strlen", + "strncpy", + "wcslen", + "ExAllocatePoolWithTag", + "ZwQueryObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", "ZwClose", + "ZwDuplicateObject", + "ZwOpenProcess", + "ObCloseHandle", + "IoFileObjectType", + "ZwQuerySystemInformation", + "MmIsAddressValid", + "PsThreadType", + "ZwQueryInformationProcess", + "PsProcessType", + "KeWaitForSingleObject", + "ZwOpenProcessToken", "IofCompleteRequest", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", 
"IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ObOpenObjectByName", "IoCreateSymbolicLink", + "MmGetSystemRoutineAddress", + "NtBuildNumber", "IoCreateDevice", - "ZwOpenSection", - "KeBugCheckEx", - "RtlInitUnicodeString", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -70371,92 +65295,124 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", - "ValidFrom": "2016-03-16 00:00:00", - "ValidTo": "2024-03-16 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2010-03-04 00:00:00", + "ValidTo": "2013-04-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=New Taipei, L=New Taipei, O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2019-10-21 14:23:20", - "ValidTo": "2020-09-27 12:07:15", - "Signature": "80eea00620eb4bfc1ad0ef7c9e79f1144fb3b03c826a99a76f7a6cab8262a09b0d976bf4d98c7a310ad80acbab76bbf5b068d5b1aaec1fcb55d5feef03a1f19a307788f4029b9bb26a12fe489d2f6b20b5b5bdeb3b8299143b3b30c1ca1736091fc6de585d63f8c095186e7cad6fecbba32d70e64b696458b8dd7f269e0ea199e7984bc3a49065314aba56cac457f0dff5cc71b2a1598306dfb31bb40fadaff604da5e7ee91581fe9868e524163eb47dce3dd54f6edb714a5a126d20e6d89b2567b6aceed6ef8f29938e95b22ee41d2a45229657e6c8bddbfd1d46320bd41d03b8b7b5da6763bbc0e82cdaea96ef23f81e221a3578e882ef3c38bfe790b92240", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2636eab537f6156b78af523a", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" + "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "69ac6165912cb263a656497cc70155e6", - "SHA1": "722aa0fa468b63c5d7ea308d77230ae3169d5f83", - "SHA256": "3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6", + "FileName": "procexp.Sys", + "MD5": "a91a1bc393971a662a3210dac8c17dfd", + "SHA1": "e4fcb363cfe9de0e32096fa5be94a41577a89bb0", + "SHA256": "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa", "Authentihash": { - "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", - "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", - "SHA256": 
"3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" + "MD5": "455eb57840b64c8fe0d942ea5da23c6b", + "SHA1": "aa8756d00691d3d8959b68c3626ba896cc2709fb", + "SHA256": "1a902521c5f82ad9acac815229a00e6ed9137b8d49106b64147b088ff89d0f01" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "11.40", + "Product": "Process Explorer", + "ProductVersion": "11.40", + "Copyright": "Copyright (C) M. Russinovich 1996-2010", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", + "ObQueryNameString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ZwQueryObject", + "KeDetachProcess", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", + "KeAttachProcess", + "ObfDereferenceObject", + "PsLookupProcessByProcessId", "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwQuerySystemInformation", + "MmIsAddressValid", + "memset", + "ObOpenObjectByPointer", + "RtlUnicodeStringToAnsiString", + "NtClose", + "ZwOpenProcessToken", + "memcpy", "IofCompleteRequest", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "MmGetSystemRoutineAddress", + "NtBuildNumber", + "KeTickCount", + "KeBugCheckEx", + "strncpy", + "ZwQueryInformationProcess", + "RtlFreeAnsiString", + 
"RtlUnwind", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { 
@@ -70464,97 +65420,102 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": 
"2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2007-03-05 00:00:00", + "ValidTo": "2010-04-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "4eb4069c230a5dc40cd5d60d2cb3e0d0", - "SHA1": "cc3e5e45aca5b670035dfb008f0a88cecfd91cf7", - "SHA256": "40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1", + "FileName": "procexp.Sys", + "MD5": "e4a0bba88605d4c07b58a2cc3fac0fe9", + "SHA1": "ac31d15851c0af14d60cfce23f00c4b7887d3cb7", + "SHA256": "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7", "Authentihash": { - "MD5": "bcd9f192e2f9321ed549c722f30206e5", - "SHA1": "8498265d4ca81b83ec1454d9ec013d7a9c0c87bf", - 
"SHA256": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4" + "MD5": "24263d0e152884eb7d180070164830c8", + "SHA1": "929c28f99d550278415c7087b71511e44439a41c", + "SHA256": "b4f9272894f926d4f3b957fca673140a3a24dc896f1a49badaa1e04687b223cd" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) M. Russinovich 1996-2011", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "ZwUnmapViewOfSection", - "MmMapIoSpace", - "ZwClose", - "IoDeleteDevice", + "ObfDereferenceObject", + "ObOpenObjectByPointer", "ObReferenceObjectByHandle", - "IoCreateSymbolicLink", - "ZwOpenSection", - "KeBugCheckEx", - "RtlInitUnicodeString", - "ZwMapViewOfSection", + "__C_specific_handler", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "ObQueryNameString", + "ExFreePoolWithTag", + "strlen", + "strncpy", + "wcslen", + "ExAllocatePoolWithTag", + "ZwQueryObject", + "KeDetachProcess", + "KeAttachProcess", + "PsLookupProcessByProcessId", + "ZwClose", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwQuerySystemInformation", + "MmIsAddressValid", + "ZwQueryInformationProcess", + "KeWaitForSingleObject", + "NtClose", + "ZwOpenProcessToken", "IofCompleteRequest", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", "MmGetSystemRoutineAddress", + "NtBuildNumber", "IoCreateDevice", - "ObOpenObjectByPointer", "ZwSetSecurityObject", 
"IoDeviceObjectType", "_snwprintf", "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "ExFreePoolWithTag", "RtlCreateSecurityDescriptor", "RtlSetDaclSecurityDescriptor", "RtlAbsoluteToSelfRelativeSD", @@ -70562,7 +65523,6 @@ "SeExports", "wcschr", "_wcsnicmp", - "ExAllocatePoolWithTag", "RtlLengthSid", "RtlAddAccessAllowedAce", "RtlGetSaclSecurityDescriptor", @@ -70574,10 +65534,7 @@ "ZwQueryValueKey", "ZwSetValueKey", "RtlFreeUnicodeString", - "__C_specific_handler", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "HalTranslateBusAddress" + "KeBugCheckEx" ], "Signatures": [ { 
@@ -70585,89 +65542,118 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", - "ValidFrom": "2016-03-16 00:00:00", - "ValidTo": "2024-03-16 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2010-03-04 00:00:00", + "ValidTo": "2013-04-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=New Taipei, L=New Taipei, O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2019-10-21 14:23:20", - "ValidTo": "2020-09-27 12:07:15", - "Signature": "80eea00620eb4bfc1ad0ef7c9e79f1144fb3b03c826a99a76f7a6cab8262a09b0d976bf4d98c7a310ad80acbab76bbf5b068d5b1aaec1fcb55d5feef03a1f19a307788f4029b9bb26a12fe489d2f6b20b5b5bdeb3b8299143b3b30c1ca1736091fc6de585d63f8c095186e7cad6fecbba32d70e64b696458b8dd7f269e0ea199e7984bc3a49065314aba56cac457f0dff5cc71b2a1598306dfb31bb40fadaff604da5e7ee91581fe9868e524163eb47dce3dd54f6edb714a5a126d20e6d89b2567b6aceed6ef8f29938e95b22ee41d2a45229657e6c8bddbfd1d46320bd41d03b8b7b5da6763bbc0e82cdaea96ef23f81e221a3578e882ef3c38bfe790b92240", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2636eab537f6156b78af523a", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" + "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "680dcb5c39c1ec40ac3897bb3e9f27b9", - "SHA1": "431550db5c160b56e801f220ceeb515dc16e68d2", - "SHA256": "4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae", + "FileName": "procexp.Sys", + "MD5": "880686bceaf66bfde3c80569eb1ebfa7", + "SHA1": "10b9ae9286837b3bf6a00771c7e81adbdea3cbfe", + "SHA256": "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - "SHA256": 
"b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "5d265a745ca048fb2ee0a59cc7ffc8aa", + "SHA1": "e5d5076fca6ed125d14d9f70fff802a1fa992ac6", + "SHA256": "17bdeeb4447f0758c3720991d3ed43a405efb49fd2cdbb37f7b5feb349693acb" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "12.00", + "Product": "Process Explorer", + "ProductVersion": "12.00", + "Copyright": "Copyright (C) M. Russinovich 1996-2010", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "NtBuildNumber", + "PsLookupProcessByProcessId", "RtlInitUnicodeString", + "IoDeleteDevice", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "ZwQueryObject", + "RtlUnicodeStringToAnsiString", + "ZwQuerySystemInformation", + "ZwOpenProcessToken", + "SeReleaseSubjectContext", + "KeDetachProcess", + "ObQueryNameString", + "strncpy", + "SeCaptureSubjectContext", + "NtClose", "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", + "ObReferenceObjectByHandle", + "ZwDuplicateObject", + "RtlFreeAnsiString", + "KeAttachProcess", + "ZwOpenProcess", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "ObOpenObjectByPointer", + "SePrivilegeCheck", + "KeBugCheckEx", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + 
"SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "__C_specific_handler" ], "Signatures": [ { 
@@ -70675,24 +65661,10 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA",
- "ValidFrom": "2009-03-18 11:00:00",
- "ValidTo": "2028-01-28 12:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority",
- "ValidFrom": "2009-12-21 09:32:56",
- "ValidTo": "2020-12-22 09:32:56",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA",
- "ValidFrom": "2010-04-14 00:00:00",
- "ValidTo": "2012-04-15 23:59:59",
- "Signature": "ba96817224593697c9135d803c5fc87767f2a7ed8fa0aa18eab4030a3daed18c55fb7eda8835d0488d18136c0db39d8edf3224790842cdf8580b35324631de717e9279d28d605285615341aeea10a73005d59cbe3138bebfa5003cbcf2971249423d820d6d252a18bf4dd124a1ac0c2f66015cbb23690e1b0fb9d5ce3f047663f1fb6735e54f09cfb6162da298bdc956490586cfdadee74a5766c187223e19112d22f59c7f3f325449afebc42689ec4c9399bd0d97397c37230804a4e5bc17e904008aa9c5972e2332302e57648006d057c9ed8c6384fb42d138971c86079b155c202733b837b3eef122c866ce3e6d8a8d9f1685e618cc2466d623d212b73df6",
+ "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals",
+ "ValidFrom": "2010-03-04 00:00:00",
+ "ValidTo": "2013-04-18 23:59:59",
+ "Signature": "699b1e86265a9879a822a8a6699a8c10445951bf2b4f573e73a1d61d4cb8279a8069fc69f009280908b49182f4701c7928c3c2b6d586365f50278ef35f08b6cdf8208a12e1ac531ef354a0ccd6e3e3f2f46cb624ad8e38a40143793950d6c4da6a9aeb3420d16f7edbf1e9394464e64dd68c3a227dc7e39217e3539b630ab82a9ffed252b8a89d32c2d373e53bbfc4d7110f58a7a8fb88fdb9d918251ad2a6e1315725007597a4492ee39b513e0dde05fe421fe4ef18cf7b86f5165ae71a6fe40948f0fa39e3a9d681be276f20295d2132e53043f5db8a1ed02ebbf7f32b574e95cb607aafac1ba41c77151ade1984532df7ac190fb57e17f730a197050c0e32",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -70712,7 +65684,7 @@
 ],
 "Signer": [
 {
- "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f",
+ "SerialNumber": "4112e632c7b18a029a3a1fac803ab89f",
 "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA"
 }
 ]
@@ -70720,229 +65692,232 @@ ] }, { - "FileName": "RTCore64.sys", - "MD5": "f8fe655b7d63dbdc53b0983a0d143028", - "SHA1": "d9c1913a6c76b883568910094dfa1d67aad80c84", - "SHA256": "53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e", + "FileName": "procexp.Sys", + "MD5": "ad03f225247b58a57584b40a4d1746d3", + "SHA1": "e525f54b762c10703c975132e8fc21b6cd88d39b", + "SHA256": "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "9e4c2a2e8832f10ecdd2be70eb6bc300", + "SHA1": "2b15e90dc654ce779bd460787352639768cd8baa", + "SHA256": "26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", 
"IoDeleteDevice", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "FileName": "RTCore64.sys", - "MD5": "880611326b768c4922e9da8a8effc582", - "SHA1": "96323381a98790b8ffac1654cb65e12dbbe6aff1", - "SHA256": 
"5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2", - "Authentihash": { - "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", - "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", - "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwMapViewOfSection", + "IoDeleteSymbolicLink", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", + "ObfDereferenceObject", "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", "IoCreateDevice", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IofCompleteRequest", - "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + 
"ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", + "ValidFrom": "2013-04-06 00:00:00", + "ValidTo": "2016-05-05 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "515c75d77c64909690c18c08ef3fc310", - "SHA1": "7877bd7da617ec92a5c47f0da1f0abcf6484d905", - "SHA256": "5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3", + "FileName": "procexp.Sys", + "MD5": "90f8c1b76f786814d03ef4c51d4abb6d", + "SHA1": "d1c38145addfed1bcd1b400334ff5a5e2ef9a5c6", + "SHA256": "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "028b8d642c1c76b18b74f3e0f76b3522", + "SHA1": "1aa871802d7278272172d9d7faabf8c8292996a3", + "SHA256": "76adb3fa346058e95ba3fd549fd48a15adaf4920a3109391f52053ebf39e62cc" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + 
"Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) M. Russinovich 1996-2011", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", + "ObfDereferenceObject", + "ObOpenObjectByPointer", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "__C_specific_handler", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "ObQueryNameString", + "ExFreePoolWithTag", + "strlen", + "strncpy", + "wcslen", + "ExAllocatePoolWithTag", + "ZwQueryObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "ZwClose", + "ZwDuplicateObject", + "ZwOpenProcess", + "ObCloseHandle", + "IoFileObjectType", + "ZwQuerySystemInformation", + "MmIsAddressValid", + "PsThreadType", + "ZwQueryInformationProcess", + "PsProcessType", + "KeWaitForSingleObject", + "ZwOpenProcessToken", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ObOpenObjectByName", "IoCreateSymbolicLink", + "MmGetSystemRoutineAddress", + "NtBuildNumber", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + 
"RtlGetSaclSecurityDescriptor",
+ "RtlGetDaclSecurityDescriptor",
+ "RtlGetGroupSecurityDescriptor",
+ "RtlGetOwnerSecurityDescriptor",
+ "ZwOpenKey",
+ "ZwCreateKey",
+ "ZwQueryValueKey",
+ "ZwSetValueKey",
+ "RtlFreeUnicodeString",
+ "KeBugCheckEx"
 ],
 "Signatures": [
 {
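Review bot: `CertificatesInfo` changes type in this record — the removed line had `"CertificatesInfo": [],` and the added line has `"CertificatesInfo": "",`, so the same key is now an array in some entries and a string in others. If this file is decoded into a typed struct (the `pkg/loldrivers` path suggests a Go consumer), a field that is sometimes `[]` and sometimes `""` either fails to unmarshal or forces an untyped field, and the empty string also loses the distinction between "no certificate info" and "not extracted". I would keep one representation for the key across all records, e.g. `"CertificatesInfo": [],`, and add a load-time test asserting that every record decodes with the same field types so the next upstream refresh cannot reintroduce the drift. The other procexp.Sys records in this commit should be checked for the same pattern; their `Signatures` objects start outside the visible part of their hunks.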
@@ -70950,90 +65925,123 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2010-04-14 00:00:00", - "ValidTo": "2012-04-15 23:59:59", - "Signature": 
"ba96817224593697c9135d803c5fc87767f2a7ed8fa0aa18eab4030a3daed18c55fb7eda8835d0488d18136c0db39d8edf3224790842cdf8580b35324631de717e9279d28d605285615341aeea10a73005d59cbe3138bebfa5003cbcf2971249423d820d6d252a18bf4dd124a1ac0c2f66015cbb23690e1b0fb9d5ce3f047663f1fb6735e54f09cfb6162da298bdc956490586cfdadee74a5766c187223e19112d22f59c7f3f325449afebc42689ec4c9399bd0d97397c37230804a4e5bc17e904008aa9c5972e2332302e57648006d057c9ed8c6384fb42d138971c86079b155c202733b837b3eef122c866ce3e6d8a8d9f1685e618cc2466d623d212b73df6", + "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", + "ValidFrom": "2013-04-06 00:00:00", + "ValidTo": "2016-05-05 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "6fa271b6816affaef640808fc51ac8af", - "SHA1": "5291b17205accf847433388fe17553e96ad434ec", - "SHA256": "696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a", + "FileName": "procexp.Sys", + "MD5": "f9d04e99e4cab90973226a4555bc6d57", + "SHA1": "96ec8c16f6a54b48e9a7f0d0416a529f4bf9ac11", + "SHA256": "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "8e66ec7a60a2b67386516a2e9a236d6b", + "SHA1": "07dfb6fe9b3876c0e1b1cda010cb3cc24ff2ce25", + "SHA256": "6b3316496ab1e2d1ef02be966d9caa171674856e8fb8ea78d6a3bcfe8e2013c1" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + 
"ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -71041,90 +66049,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:BBEC,30CA,2DBE, CN=Microsoft Time,Stamp Service", + "ValidFrom": "2018-08-23 20:20:02", + "ValidTo": "2019-11-23 20:20:02", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-06-08 17:24:26", + "ValidTo": "2019-05-29 17:24:26", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2012-06-04 21:05:46", + "ValidTo": "2020-06-04 
21:15:46", + "Signature": "0ddf98999318a11f177ab1350fbf36a767f19aae9d2b6878f00df46be551e1a2006c7df64f549376a929c92d15cb1e84bfdedb53638c99f519ebc1e0c1316929f808feeb4098a1742a085e1db5f064b29e45d51ec082db948d6627c5c13d8cec31a94e2682c2e3a11d1f795957b5959e2bf15735f165ee532336fd7250472f564b110c033165e9d151e84cbb18166c479bf193ccad7afb4e0a5a7df5554673eebd9cc7e95616c5bdc1f4323698f67e624e5de547179ee8a2ef1a036f6b536790d8b798deb565279a2ef7d60698683e5725829050744c79f570a60ad5a2a42dca8663b4aa403a43ce41ed76053d509dbefe0af8be00a703439e7e30f82c43d04cd5e4e5ccfea8bc7e0d827c931a327b5f60db68d61592a9644fb73be812ed2e8191add55e535695cdeb5791e290e1a2c8a926252280385d048812e033225d8490263e4fdc36ab70425923a78d6aa13ac6f71d126f1110faf5cf3c3f18802621c55edac43561d9002b0cb0287ee37f2ac7159f7f09fee67f8701ed0f39d50e1b9dfeaf16116af301d0c01bde1439992300df9e47077d6293691cbdc4aaa6fcbac071fea8b8f3aec9034128334ac15358409b8b8371503d9fba3f2c884fc648b05b3908ed710ae26c7509ef1253d60fc19641209f4f88d0695992bcf2555e799086f929121acd378057c6d3c68b9b2b63378701a9ccba6e50c0c80c77cd0a53799e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000317c61d46115ceba6a000100000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - 
"MD5": "d63c9c1a427a134461258b7b8742858f", - "SHA1": "ef0504dd90eb451f51d2c4f987fb7833c91c755b", - "SHA256": "6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293", + "FileName": "procexp.Sys", + "MD5": "659a59d7e26b7730361244e12201378e", + "SHA1": "c21510569fd84a5fe04508aa28e3cf9c8cc45b7a", + "SHA256": "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "3798eddcccab7da4682f64997533d27d", + "SHA1": "0d753c1d21c4e6c6eb74d3436eb4c5f376cc7364", + "SHA256": "a4859c5456d03f799de89d2f8cbb36b4518259a6c7c0bc909b1fd16f48363d5a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": " ", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": " ", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + 
"ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
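Review bot: The new record at the end of this hunk carries `"Description": " "` and `"Product": " "`, whitespace-only values, while the file uses `""` for a missing field and the neighbouring procexp.Sys records carry `"Process Explorer"`. Any consumer that compares a field against the empty string will treat the single space as real metadata and, for example, render a blank description or let the record slip past a "has description" filter. Unless the exporter deliberately preserves the raw version-resource text, I would normalise these to `"Description": "",` and `"Product": "",` on import, or trim string fields when the dataset is loaded. The record's `Signatures` array continues past the end of this hunk, so I could not check whether its certificate fields show the same problem.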
@@ -71132,96 +66180,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF,4BBC,9335, CN=Microsoft Time,Stamp service", + "ValidFrom": "2018-08-23 20:20:28", + "ValidTo": "2019-11-23 20:20:28", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-04-18 18:42:23", + "ValidTo": "2020-03-27 18:42:23", + "Signature": "5844e21f86b9788f56cd1d77f3f69287bb20fca894e9fedbba22b6bc952403a6b4c2cd38d003bfdd0ceb0ddcc583331efcad8b4be9516204983e26aaa15594ebc7b5784a3999aa9096a0d877371281c61840e4e57a2f4e33bcb554e3b1c25bcc71215544be72d254435aa7f462028722def36cb7819d9d746296b42f1e2dc0c6176f722fdc51d3913e1afdd3052cc50e1dc3f8dac1aaec4fc9b739973db14c1f1f68b5516a406994297ba034347c781323447d7e6c87dd73db025cea27bba00321aa12287daee740fd07040f293ead6d5f61bc0304daeebc847d5f4da6e712d2868d64a710212080c97dd804c265b6a60b368cceab6e1a4c81ba8361233a0ab2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2012-02-29 00:00:00", - 
"ValidTo": "2014-04-15 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2018-09-20 17:42:01", + "ValidTo": "2021-05-09 23:28:13", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "26d7f5563eb3e42a81f7c715fcd2799d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "33000000387a14cce6619d8c51000200000038", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "3a7c69293fcd5688cc398691093ec06a", - "SHA1": "aadebbcbde0e7edd35e29d98871289a75e744aad", - "SHA256": "7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd", + "FileName": "procexp.Sys", + "MD5": "da6f7407c4656a2dbaf16a407aff1a38", + "SHA1": "ed40c1f7da98634869b415530e250f4a665a8c48", + "SHA256": "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - 
"SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "4eae8421b149baa7d0ce15a86470cde2", + "SHA1": "af5ff77f2106b31a8e433c3689b6a65628c2dfce", + "SHA256": "19d579e5a08bcb524405bdcbd2ea7247548af9f23ce64582a5be5ae3f184ad23" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "16.41", + "Product": "Process Explorer", + "ProductVersion": "16.41", + "Copyright": "Copyright (C) Mark Russinovich 1996-2021", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + 
"PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -71229,109 +66311,120 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2008-04-16 00:00:00", - "ValidTo": "2010-04-16 23:59:59", - "Signature": "13a3b8caa6bd8d63308898b0c92b79574e5d122a3ecba9758ec450b7c8c848ee5bc486db6370a8dfeb4c96c2c25512f7a3e759cc57a4d92f1a44fba15ca0c1156d22c49251b4e6a01bb93e4a62522ee5af4286c759c01c66fa5ce4452a4f112d03560bfa9737a3d0f3008b3cc48f2042b4428643f1efb4b99a34d0545c9934f1a6f35819e469430b74ba475a2135660948131cf24c9b1fb84580a1fd63eb3218d282e4f7caf77f4adbecb51e4b8237937eda0b7fcc20fc2273bf38282ee69ae6730b21c5314bcdc3f2e3a1e6f6c3ccb2139800f69d3f2fadc235080214f1c9b11e6a8f2165a45e15cca3c3542c2bac7225208a84828456d2e93cfe8315b092a1", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:30", + "ValidTo": "2021-12-02 22:15:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "546ea040bf5075ce0a5c01d4c6ded19d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "d5e76d125d624f8025d534f49e3c4162", - "SHA1": "8a23735d9a143ad526bf73c6553e36e8a8d2e561", - "SHA256": "7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35", + "FileName": "procexp.Sys", + "MD5": "6b3abe55c4d39e305a11b4d1091dfaac", + "SHA1": "1c537fd17836283364349475c6138e6667cf1164", + "SHA256": "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "4b64921bd05ed4a30830f23facb43bde", + "SHA1": "3d9be989fbb447bbf7e4b081d9ee4d9b025476c3", + "SHA256": "e2e351efd57c89bc0c7b9d4d440113304d0b8a4c88cdf0126442171aa50634d4" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "11.40", + "Product": "Process Explorer", + "ProductVersion": "11.40", + "Copyright": "Copyright (C) M. 
Russinovich 1996-2010", + "MachineType": "IA64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "NtBuildNumber", + "PsLookupProcessByProcessId", "RtlInitUnicodeString", + "IoDeleteDevice", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "ZwQueryObject", + "RtlUnicodeStringToAnsiString", + "ZwQuerySystemInformation", + "ZwOpenProcessToken", + "SeReleaseSubjectContext", + "KeDetachProcess", + "ObQueryNameString", + "strncpy", + "SeCaptureSubjectContext", + "NtClose", "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", + "ObReferenceObjectByHandle", + "ZwDuplicateObject", + "RtlFreeAnsiString", + "KeRaiseIrql", + "KeAttachProcess", + "KeLowerIrql", + "ZwOpenProcess", + "ZwQueryInformationProcess", "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "ObOpenObjectByPointer", + "SePrivilegeCheck", + "KeTickCount", + "KeBugCheckEx", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "__C_specific_handler" ], "Signatures": [ { "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ - { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping 
CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", "ValidFrom": "2004-07-16 00:00:00", @@ -71340,10 +66433,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2008-04-16 00:00:00", - "ValidTo": "2010-04-16 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2007-03-05 00:00:00", + "ValidTo": "2010-04-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -71356,7 +66449,7 @@ ], "Signer": [ { - "SerialNumber": "546ea040bf5075ce0a5c01d4c6ded19d", + "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] 
@@ -71364,45 +66457,92 @@ ] }, { - "FileName": "rtcore64.sys", - "MD5": "ecdc79141b7002b246770d01606504f2", - "SHA1": "4d14d25b540bf8623d09c06107b8ca7bb7625c30", - "SHA256": "8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38", + "FileName": "procexp.Sys", + "MD5": "cec257dcac9e708cefb17f8984dd0a70", + "SHA1": "da361c56c18ea98e1c442aac7c322ff20f64486b", + "SHA256": "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "df8e20e6fb1d2a22135e155763bf9588", + "SHA1": "1915e95974b6f75f4793e81b85e148ebdaa35515", + "SHA256": "0c2d8e8487de5e7749f9899f6fefa6e7d40b394479449b5027a895392af23349" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", 
"IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -71410,90 +66550,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, OU=nCipher DSE ESN:148C,C4B9,2066, CN=Microsoft Time,Stamp Service", + "ValidFrom": "2016-09-07 17:58:56", + "ValidTo": "2018-09-07 17:58:56", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2010-04-14 00:00:00", - "ValidTo": "2012-04-15 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2016-10-12 20:32:53", + "ValidTo": "2018-01-05 20:32:53", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2012-06-04 21:05:46", + "ValidTo": "2020-06-04 21:15:46", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": 
"10978ac35c034436dde9b4ad77dbce79514d01b12e74715b6d0c13abcebe7b8fb82ed412a28c6d62b85702cb4e20135099dd7a40e257bbaf589a1ce11d0186acbb78f28bd0ec3b01eee2be8f0a05c88d48e2f05315dd4fab92e4e78d6ad580c1e694f2062f8503e9912a242270fbf6fce478992e0df707e270bc184e9d8e6b0a7295b8a1399c672dc5510eea625c3f16988b203fe2071a32f9cc314a76313d2b720bc8ea703dff850a13dfc20a618ef0d7b817eb4e8b7fc5352b5ea3bfebbc7d0b427bd4537221ee30cabb78655c5b01170a140ed2da1498f53cb96658b32d2fe7f98586cc5156e89d70946cac394cd4f679bfaa187a6229efa29b293406771a62c93d1e6d1f82f00bc72cbbcf43b3e5f9ec7db5e3a4a87435b84ec571231226760b3c528c715a464314bcb3b3b04d67c89f42ff807921809e153066e842125e1ac89e2221d043e92be9bbf448cc2cd4d832804c262a48245f5aea56efa6de999dca3a6fbd8127740611ee7621bf9b82c12754b6b16a3d89a17661b46ea113a6bfaa47f0126ffd8a326cb2fedf51c88c23c966bd9d1d871264023d2daf598fb8e421e5b5b0ca63b4785405d4412e50ac94b0a578abb3a096751ad992871375222f32a8086ea05b8c25bfa0ef84ca21d6eb1e4fc99aee49e0f701656f890b7dc869c8e66eeaa797ce3129ff0ec55b5cd84d1ba1d8fa2f9e3f2e55166bc913a3fd", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000244d59538809906ea7000100000024", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "3aacaa62758fa6d178043d78ba89bebc", - "SHA1": "f77413ec3bd9ed3f31fc53a4c755dc4123e0068f", - "SHA256": "862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015", + "FileName": "procexp.Sys", + "MD5": "bf74d0706f5ab9c34067192260f4efb0", + "SHA1": "6b090c558b877b6abb0d1051610cadbc6335ecbb", + "SHA256": "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7", "Authentihash": { - "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", - "SHA1": 
"5717bf3e520accfff5ad9943e53a3b118fb67f2e", - "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" + "MD5": "c292f0024a454f42fba117b3505b12e9", + "SHA1": "d9ebe7ff8318eeece457fc72bec2b582d3350b61", + "SHA256": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", 
+ "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -71501,90 +66681,137 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", + "ValidFrom": "2013-04-06 00:00:00", + "ValidTo": "2016-05-05 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., 
CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
- "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "rtcore64.sys", - "MD5": "4e4b9bdcc6b8d97828ae1972d750a08d", - "SHA1": "82034032b30bbb78d634d6f52c7d7770a73b1b3c", - "SHA256": "9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def", + "FileName": "procexp.Sys", + "MD5": "92927c47d6ff139c9b19674c9d0088f6", + "SHA1": "a98734cd388f5b4b3caca5ce61cb03b05a8ad570", + "SHA256": "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb", "Authentihash": { - "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", - "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", - "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" + "MD5": "26f48296b5ef64120e55008690060a6e", + "SHA1": "8d59ed924e8c76b0ab8b7ee653510f43062eaa3e", + "SHA256": "cd1beb64cd67169d57ca4dbc602a94f74891962221bb49c09abf3339ce35bc90" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - 
www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "16.42", + "Product": "Process Explorer", + "ProductVersion": "16.42", + "Copyright": "Copyright (C) Mark Russinovich 1996-2021", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + 
"RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -71592,90 +66819,123 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:30", + "ValidTo": "2021-12-02 22:15:30", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "821adf5ba68fd8cc7f4f1bc915fe47de", - "SHA1": "eb0021e29488c97a0e42a084a4fe5a0695eccb7b", - "SHA256": "aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b", + "FileName": "procexp.Sys", + "MD5": "2e219df70fccb79351f0452cba86623e", + "SHA1": "2740cd167a9ccb81c8e8719ce0d2ae31babc631c", + "SHA256": "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2", "Authentihash": { - "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", - "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", - "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" + "MD5": "0f461053add90ebe0bac9e8be9d9a8e5", + "SHA1": "5b27248685b909d5ae4c8ec77e2d3dcb02d6cc4b", + "SHA256": "cddd341f267a6094f7bd7d1b56427ebc029ccb348e7f0714d9301c2c67fdd5df" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - 
"Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "RtlInitUnicodeString", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "memcpy", + "memset", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "strncpy", + "KeStackAttachProcess", + "memmove", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlUnwind", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + 
"IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeTickCount", + "KeBugCheckEx", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { 
@@ -71683,90 +66943,106 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Test PCA", + "ValidFrom": "2010-05-10 07:00:00", + "ValidTo": "2020-12-29 07:00:00", + "Signature": 
"a5e89be29a34018c5eb99e6500101e7bde49d04c42f76ece04cacdaaac0de80f586b1ba7bbc841d892fe7477ab3c28f2a507ca45c4e65cfe487d0add256644c366d8f417666a7f11e622a8c31b09663524d9da9f092f3576291e00a4186ae9c857d0af477baa74d02fa3bbbb1f13e37dcd2855295be421278d806e2d597c72ff42aab3fef101b0bfd34d94e14a54f1394a541d08ee74119115dc5079db43cd1cad7ca84c57f843f68ef6f75e1d917e0ddbb1b6724be9a53df535c8cb77f59eb4", + "SignatureAlgorithmOID": "1.3.14.3.2.29" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "DC=com, DC=microsoft, DC=corp, DC=redmond, CN=MSIT Test CodeSign CA 2", + "ValidFrom": "2014-01-03 23:17:17", + "ValidTo": "2018-01-03 23:17:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "CN=Mark Russinovich", + "ValidFrom": "2015-06-30 15:50:49", + "ValidTo": "2016-06-29 15:50:49", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "77005ec5ff32646dcbf76aac900003005ec5ff", + "Issuer": "DC=com, DC=microsoft, DC=corp, DC=redmond, CN=MSIT Test CodeSign CA 2" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "0d5774527af6e30905317839686b449d", - "SHA1": "75d0b9bdfa79e5d43ec8b4c0996f559075723de7", - "SHA256": "ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa", + "FileName": "procexp.Sys", + "MD5": "0ef05030abd55ba6b02faa2c0970f67f", + "SHA1": "f6d826d73bf819dbc9a058f2b55c88d6d4b634e3", + "SHA256": "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f", "Authentihash": { - "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", - "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", - "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" + "MD5": "82ece436a712985b767d42a178872ab3", + "SHA1": "e7bedb9528d3da5e7e161a14db260140a02facca", + "SHA256": "d28acafeb6a85294d2672fa894a2934599713aa9ce1b21184dc1ec34131af7bb" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "9.30", + "Product": "Process Explorer", + "ProductVersion": "9.30", + "Copyright": "Copyright (C) M. 
Russinovich 1996-2005", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", + "ObQueryNameString", "ZwClose", - "ZwMapViewOfSection", + "ZwDuplicateObject", + "ZwOpenProcess", + "KeDetachProcess", + "ObfDereferenceObject", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "KeAttachProcess", + "PsLookupProcessByProcessId", + "MmIsAddressValid", + "ObOpenObjectByPointer", + "ZwQueryInformationProcess", + "NtBuildNumber", + "RtlUnicodeStringToAnsiString", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", + "SeReleaseSubjectContext", + "SePrivilegeCheck", + "ExGetPreviousMode", + "SeCaptureSubjectContext", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", "IoCreateSymbolicLink", "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ExAllocatePoolWithTag", + "RtlUnwind", + "strncpy", + "ZwOpenProcessToken", + "RtlFreeAnsiString", + "KfLowerIrql", + "KfRaiseIrql" ], "Signatures": [ { 
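Review bot: The certificate chain added for the procexp.Sys 15.00 I386 sample in this hunk (`"CN=Microsoft Test PCA"`, `"CN=MSIT Test CodeSign CA 2"`, signer subject `"CN=Mark Russinovich"`) describes a test-signed internal build rather than a production code-signing chain, but nothing in the record distinguishes it from the production-signed samples around it; a consumer that infers trust from an Issuer string containing "Microsoft" would misjudge it, and a test-signed driver only loads where test signing is enabled, so matches on this sample mean something different from matches on the release-signed ones. The same chain's `"SignatureAlgorithmOID": "1.3.14.3.2.29"` is the OIW sha1-with-RSA identifier, unlike the PKCS#1 OID `1.2.840.113549.1.1.5` used by every other certificate in these hunks, which matters only if a consumer resolves OIDs through a fixed lookup table — I cannot see the parsing code, so this is a caveat rather than a confirmed defect. The JSON record this chain belongs to starts and ends outside the hunk.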
@@ -71774,181 +67050,219 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", - "ValidFrom": "2013-08-23 00:00:00", - "ValidTo": "2024-09-23 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": 
"87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2006-02-02 00:00:00", + "ValidTo": "2007-04-04 23:59:59", + "Signature": "5af17754974b15636dc46a7e5295ee11668ae831cec469f15925a66f796b3aa4f912b02278957d3faf1a4df6a88b6e4720c082286400fcf2ca9b56c64197ff5c13a01dd81af41255c57cd1acf1cd790b613446332e716235469f0b2fd62d02d3ebea5965dcb2c6bc7e389e09308a895ef339ff981c4f3c8f5c8d907df45d44eb385e787cfded041491e9d72532a9ef8c8ee1d3931583c078656d1ce3d0316d8806faa8921b4837f0b5f0af1a50b2a798904ebde9bb438b06e2558c97a56145614d7e32193dcc85482bbaf4cc632094946b45ff6c1fde47cc0808344ec175d3555b66ebedd451d88e6bbf3463faf9bf65a0595d37d9e2033ae65ab7e08e081078", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": 
"75c1a798b875894335c78cddbf05cbff", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "18439fe2aaeddfd355ef88091cb6c15f", - "SHA1": "52d9bbe41eea0b60507c469f7810d80343c03c2b", - "SHA256": "b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47", + "FileName": "procexp.Sys", + "MD5": "b7ca4c32c844df9b61634052ae276387", + "SHA1": "6df6d5b30d04b9adb9d2c99de18ed108b011d52b", + "SHA256": "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c", "Authentihash": { - "MD5": "936e49d3eec0a2f433e9d0115a38a2b6", - "SHA1": "5717bf3e520accfff5ad9943e53a3b118fb67f2e", - "SHA256": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19" + "MD5": "1694c87131cee15e63d71936859506b8", + "SHA1": "5eb106f413ad1d8de4c04661a1c5162410164d50", + "SHA256": "120f7983011211e6740d7a3a4cd2354507866ef7d36a48e2e3a9bd5b52c21c8a" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "11.01", + "Product": "Process Explorer", + "ProductVersion": "11.01", + "Copyright": "Copyright (C) M. 
Russinovich 1996-2007", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "NtBuildNumber", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", "RtlInitUnicodeString", + "MmIsAddressValid", + "IoDeleteDevice", + "ObfDereferenceObject", + "ExGetPreviousMode", + "IoCreateDevice", + "MmGetSystemRoutineAddress", + "ObOpenObjectByPointer", + "ZwQueryObject", + "RtlUnicodeStringToAnsiString", + "SePrivilegeCheck", + "ZwQuerySystemInformation", + "ZwOpenProcessToken", + "SeReleaseSubjectContext", + "KeDetachProcess", + "ObQueryNameString", + "strncpy", + "ExAllocatePool", + "SeCaptureSubjectContext", + "NtClose", "ZwClose", - "ZwMapViewOfSection", + "IofCompleteRequest", "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", "IoDeleteSymbolicLink", - "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", - "IoDeleteDevice", - "HalTranslateBusAddress" + "ZwDuplicateObject", + "ExFreePoolWithTag", + "RtlFreeAnsiString", + "KeAttachProcess", + "KeBugCheckEx", + "__C_specific_handler" ], "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=BE, O=GlobalSign NV, 
CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, ST=Texas, L=Austin, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=Sysinternals", + "ValidFrom": "2007-03-05 00:00:00", + "ValidTo": "2010-04-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - 
"Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "7d2c89d309e57beef2d791bb8ed6a26f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "4b60ef388071e0baf299496e3d6590ae", - "SHA1": "cf9b4d606467108e4b845ecb8ede2f5865bd6c33", - "SHA256": "b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867", + "FileName": "procexp.Sys", + "MD5": "9beecfb3146f19400880da61476ef940", + "SHA1": "d5beca70469e0dcb099ba35979155e7c91876fd2", + "SHA256": "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "c292f0024a454f42fba117b3505b12e9", + "SHA1": "d9ebe7ff8318eeece457fc72bec2b582d3350b61", + "SHA256": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + 
"ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
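Review bot: The procexp.Sys record introduced at the end of this hunk (MD5 `9beecfb3146f19400880da61476ef940`) carries exactly the same `Authentihash` triple (MD5 `c292f0024a454f42fba117b3505b12e9`, SHA1 `d9ebe7ff8318eeece457fc72bec2b582d3350b61`, SHA256 `f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4`) as the 15.00 AMD64 record whose tail appears at the start of this chunk, while the file hashes differ; that is consistent with one PE image carrying different signature blobs, so the Authentihash-to-record relation in this dataset is one-to-many. Any consumer that indexes samples by Authentihash for matching should therefore expect several records per hash and not assume a unique hit; whether the code under pkg/loldrivers does so is not visible here. The records on both sides of this hunk extend outside it.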
@@ -71956,78 +67270,137 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - 
"Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", + "ValidFrom": "2013-04-06 00:00:00", + "ValidTo": "2016-05-05 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "aa9adcf64008e13d7e68b56fdd307ead", - "SHA1": "562368c390b0dadf2356b8b3c747357ecef2dfc8", - "SHA256": "bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63", + "FileName": "procexp.Sys", + "MD5": "b79475c4783efdd8122694c6b5669a79", + "SHA1": "d612165251d5f1dcfb1f1a762c88d956f49ce344", + "SHA256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", "Authentihash": { - "MD5": "538e5e595c61d2ea8defb7b047784734", - "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", - "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" + "MD5": "bee5a87f72b42f3bb5958ba541f4caff", + "SHA1": "9e0516a6ce73163e2ff5bf0740b57da46846228b", + "SHA256": "74716032cc2f63c67b9df0882c6794b4bf66147d943329db5f233a04c2fd9b12" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + 
"Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "16.32", + "Product": "Process Explorer", + "ProductVersion": "16.32", + "Copyright": "Copyright (C) Mark Russinovich 1996-2020", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", + "strncpy", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", + "IoCreateSymbolicLink", "IoDeleteDevice", - "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + 
"SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -72035,92 +67408,116 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-03-04 19:12:18", + "ValidTo": "2021-03-03 19:12:18", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "330000009484c47568579aafe9000000000094", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party 
Component CA 2012" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "6a094d8e4b00dd1d93eb494099e98478", - "SHA1": "fdf4a0af89f0c8276ad6d540c75beece380703ab", - "SHA256": "d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d", + "FileName": "procexp.Sys", + "MD5": "318e309e11199ec69d8928c46a4d901b", + "SHA1": "63bb17160115f16b3fca1f028b13033af4e468c6", + "SHA256": "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476", "Authentihash": { - "MD5": "538e5e595c61d2ea8defb7b047784734", - "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", - "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" + "MD5": "decbda17e27f012c72e5ff39c8c19089", + "SHA1": "ecdaa78f29e1f1a27d28b45a9de5f93af9f18f15", + "SHA256": "ee24071d9a0ef38dc98929cfb4d316f9fb010de107c110fad2403022cf1eebfc" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", + "strncpy", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", + 
"IoCreateSymbolicLink", "IoDeleteDevice", - "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -72128,90 +67525,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:BBEC,30CA,2DBE, CN=Microsoft Time,Stamp Service", + "ValidFrom": "2018-08-23 20:20:02", + "ValidTo": "2019-11-23 20:20:02", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "8fa91a916d04a637200e8396de23d36b6e1f6edd643d682122b5f84736698ee1a545c724a222b72909cc545aaec6bccd638eb33d5048e5b4ccaecd928d9e288b134a11aabda3efd3b236fcb4a172bf6d9763798c44bc702f7ef3bcdd8253ab1af6ebfa1c97bcb6379ca41c30bcabbc2d4736df922003e871c658f675059a34f00b595a824434aa80e42f84f6475d96c9b6caca9db7a6bae450d3d437b8ba200ed0d3922a5bc459bba16ddb3cce449dc1382aade38dbdcd09771a10be670a02366488b9b31b26eee79e60c446a8bc61336ccf4eb99cb96af09f37feb53d4f9ad34dffde208e4e97a6fd9f09bc4dca1876c9b04d8550f280d21d06f5580407b118", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-06-08 17:24:26", + "ValidTo": "2019-05-29 17:24:26", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, 
L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2012-06-04 21:05:46", + "ValidTo": "2020-06-04 21:15:46", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000317c61d46115ceba6a000100000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "0fc2653b1c45f08ca0abd1eb7772e3c0", - "SHA1": "94144619920bd086028bb5647b1649a35438028c", - "SHA256": "df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6", + "FileName": "procexp.Sys", + "MD5": "c69c292e0b76b25a5fa0e16136770e11", + "SHA1": "05eff2001f595f9e2894c6b5eee756ae72379a6d", + "SHA256": "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "92c56a03fbcd375d9569e1cf60bf78cd", + "SHA1": "be428ed7b322ad13b2207294b934b0a67aa8345d", + "SHA256": "fa959c48c055ec149d434a5adeb9f9938d1c260a65ee8a4ea1d67bfbdceab83f" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - 
"IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -72219,90 +67656,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, OU=nCipher DSE ESN:B1B7,F67F,FEC2, CN=Microsoft Time,Stamp Service", + "ValidFrom": "2015-10-07 18:14:02", + "ValidTo": "2017-01-07 18:14:02", + "Signature": "01d47ac81233981cb030b0fbeeabdd39641bb136ee8863bea04f5ea087ad995f71743f3525cc1e89f20ba37b31e60e2b8e6838f8820ed9ba2201fef412b9831a62d323f9e0a752bc92dd2da8a110e7eb47ce16bd0b933a624a7554d44eaf30e718572ab6968e3234701ded6156b8ecdd53c36cac5ca802437198616ce6b84e707c80548ca7e638ea7acdc0ef56430f030e89c83a701d9ac7541d637b31f2e616a122db3a08ab044a93cc61e2fc4a31a61df406ad6f634bc04d9c1244e0a986c60bebf7f82b44cb769bc5f016f01cf32877adc0cd23e78494c23597207de815f1abe1217416477b62b0dacb176b10a8a9e0663e1f5ad41fec1fb51d2ddc6c8491", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation", + "ValidFrom": "2015-06-04 17:42:45", + "ValidTo": "2016-09-04 17:42:45", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., 
OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA", + "ValidFrom": "2010-08-31 22:19:32", + "ValidTo": "2020-08-31 22:29:32", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": 
"10978ac35c034436dde9b4ad77dbce79514d01b12e74715b6d0c13abcebe7b8fb82ed412a28c6d62b85702cb4e20135099dd7a40e257bbaf589a1ce11d0186acbb78f28bd0ec3b01eee2be8f0a05c88d48e2f05315dd4fab92e4e78d6ad580c1e694f2062f8503e9912a242270fbf6fce478992e0df707e270bc184e9d8e6b0a7295b8a1399c672dc5510eea625c3f16988b203fe2071a32f9cc314a76313d2b720bc8ea703dff850a13dfc20a618ef0d7b817eb4e8b7fc5352b5ea3bfebbc7d0b427bd4537221ee30cabb78655c5b01170a140ed2da1498f53cb96658b32d2fe7f98586cc5156e89d70946cac394cd4f679bfaa187a6229efa29b293406771a62c93d1e6d1f82f00bc72cbbcf43b3e5f9ec7db5e3a4a87435b84ec571231226760b3c528c715a464314bcb3b3b04d67c89f42ff807921809e153066e842125e1ac89e2221d043e92be9bbf448cc2cd4d832804c262a48245f5aea56efa6de999dca3a6fbd8127740611ee7621bf9b82c12754b6b16a3d89a17661b46ea113a6bfaa47f0126ffd8a326cb2fedf51c88c23c966bd9d1d871264023d2daf598fb8e421e5b5b0ca63b4785405d4412e50ac94b0a578abb3a096751ad992871375222f32a8086ea05b8c25bfa0ef84ca21d6eb1e4fc99aee49e0f701656f890b7dc869c8e66eeaa797ce3129ff0ec55b5cd84d1ba1d8fa2f9e3f2e55166bc913a3fd", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "330000010a2c79aed7797ba6ac00010000010a", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "d424f369f7e010249619f0ecbe5f3805", - "SHA1": "5e4b93591f905854fb870011464291c3508aff44", - "SHA256": "e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f", + "FileName": "procexp.Sys", + "MD5": "9982da703f13140997e137b1e745a2e3", + "SHA1": "511b06898770337609ee065547dbf14ce3de5a95", + "SHA256": "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": 
"5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "db32843b80c6e8c9173847c3faab2200", + "SHA1": "fffeec16afdeedd2bee22860f0942c846ba9ee1a", + "SHA256": "cee01c69cb0c06dd0d98ff05aeb2b0a34a4aa1a71d35a3033bf9c1a35b637c55" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + 
"PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -72310,90 +67787,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "5df6cb2b0d0140849f857a43706ae0c5e7aa0600d76713c9089131654f14a8a905dc389e6aa0300abd8dc78028ee4245ca94f3de5845a9803204f5595c6a70003927944df5b44634e81c5331b2b35416e9cc42abd5d959301cfb462725b88723b1e8758824831ec876377b01494548a4ede25dd27c9ca2dc2dba105a126265abae00c710343bcb72bd14240cdcc37627b4a7fee15829f20e169f91391d89a6e60f1c878ce258ac927e243eaaec14e73a33348bc63bac83ab0f14627aba1a2d4d4b1bc530f00b92797d3c78e0f8e6d215965999392b3061e8b8f8c0a1e9221411787dc4dc89bec0bb94e172aeebb540404fef171e585ed0a88996ac9228e9babf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "Subject": "C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Ireland Operations Limited, OU=Thales TSS ESN:86DF,4BBC,9335, CN=Microsoft Time,Stamp service", + "ValidFrom": "2018-08-23 20:20:28", + "ValidTo": "2019-11-23 20:20:28", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": 
"2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-04-18 18:42:23", + "ValidTo": "2020-03-27 18:42:23", + "Signature": "5844e21f86b9788f56cd1d77f3f69287bb20fca894e9fedbba22b6bc952403a6b4c2cd38d003bfdd0ceb0ddcc583331efcad8b4be9516204983e26aaa15594ebc7b5784a3999aa9096a0d877371281c61840e4e57a2f4e33bcb554e3b1c25bcc71215544be72d254435aa7f462028722def36cb7819d9d746296b42f1e2dc0c6176f722fdc51d3913e1afdd3052cc50e1dc3f8dac1aaec4fc9b739973db14c1f1f68b5516a406994297ba034347c781323447d7e6c87dd73db025cea27bba00321aa12287daee740fd07040f293ead6d5f61bc0304daeebc847d5f4da6e712d2868d64a710212080c97dd804c265b6a60b368cceab6e1a4c81ba8361233a0ab2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2018-09-20 17:42:01", + "ValidTo": "2021-05-09 23:28:13", + "Signature": 
"db595516f66f18e1341f22519cd75bdebec9fe22cf0da8b0b3d16c1da9a402d786bc566b40ee0bbcf93519de693d54a7d10a23c02dbc67986c390faf808cbc4adb87290c6336e5faf85d8f8c233ef9922fb1843a48a325954aeac902617af61fee0538540f210e1e96e2d2fbd710c3d9dcdee31f05054f429bacbd15eea95a19817a77c5be146a41a7307858ced3207157603c07b83c83ca0f35f77a632f148aa6dc8e0f947a8aaf6ad8c8d7c4490526c7f4f6ad021edb776725fe7dfb894a56d92fd032d2197c0e4edb995316a84d28109a61707230317c47c98b01093a263ebe5bcc278ffd669fd49fe1f51ac913b6c3cf714b5fc34381ee4996d59981421916414f0a902e76bd3b0399e4851a6084716df77ce405fe55a53be6f3c95f067a3f46ef77f7ad48d211cac1b08ab7964cfa9e8fdd336d2a84750021c76bffdc3de28b8d81b65134c9bdf6379fedf06b028f3ec0b6f5a6bb72c6745953ef43d67808d0bf11b7fa1d0a74b18f5e3b21f2e940ade8d052a9e19e9eb3bffbe9f5e8439a09ee26abf6d3e9528a1ef984617b5c33cf0d8d6e9daac74135d14fc21e82668e5b9075d3235eb988eec5fcac9753af2e343e2a1c88a19dc94ec1f11ae245eef3a76beccb5bb13fa9f39d9b04ffd6342cbc040e29a161d212d5b6a50c10be6f6b9e681d4747ac7bd030d75c18d61ec0ad03e3cecfc668c49424c26fd4de1072", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000387a14cce6619d8c51000200000038", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": 
"9d884ecd3b6c3f2509851ea15ffefbef", - "SHA1": "e11f48631c6e0277e21a8bdf9be513651305f0d5", - "SHA256": "e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae", + "FileName": "procexp.Sys", + "MD5": "9b9d367cb53df0a2e0850760c840d016", + "SHA1": "631fdd1ef2d6f2d98e36f8fc7adbf90fbfb0a1e8", + "SHA256": "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478", "Authentihash": { - "MD5": "55466195f0b2f4afc4243b43a806e6d9", - "SHA1": "38b353d8480885de5dcf299deca99ce4f26a1d20", - "SHA256": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b" + "MD5": "dafa4bdbdbbd96532d03022cd6900fed", + "SHA1": "f2ff9b749f7c5f21043b42d97b8a386c702d4435", + "SHA256": "ab5324c992c7547020f85de3456516e0dba2c3c5aab10371723a96188354abaf" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "Process Explorer", + "Company": "Sysinternals - www.sysinternals.com", + "InternalName": "procexp.sys", + "OriginalFilename": "procexp.Sys", + "FileVersion": "15.00", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + 
"ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -72401,335 +67918,439 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft Operations Puerto Rico, OU=Thales TSS ESN:B8EC,30A4,7144, CN=Microsoft Time,Stamp Service", + "ValidFrom": "2018-08-23 20:19:30", + "ValidTo": "2019-11-23 20:19:30", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "bc89ecfee63655935c79d4117a86808f17b693b26d9b91a1561811c655eaf608edad9b9ef52b81c8bbdd607b1b47991e6d403e1d80c213d58e04052fdbe7ae529e688472a1e54a603cf89bd52f46d8c3b2b79353ac9b6c432424d1f1fce9562e3411581843eaefff34746ca0c06c7fad031969881e9560cabbbd0cbb76efc724b081c63831cf36ad0c38b89020849b2e8f28b99ff6ca9427cdac396157e0e3955a9c769230f5dea6973d721c2a6032a8334d8635338a5cf3a4fdf7062ce16b4b30f5cbd34362f841b9de7d20cb058c8e2cf65f35fd338d42896508362ca389f45a858bb0b97bdb6ccba1f8d20e1bbb977cd12779be9d7c3be6a75634d8c991a9", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-04-18 18:42:23", + "ValidTo": "2020-03-27 18:42:23", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei 
City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2011-08-30 06:46:09", - "ValidTo": "2014-08-30 06:46:09", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA", + "ValidFrom": "2018-09-20 17:42:01", + "ValidTo": "2021-05-09 23:28:13", + "Signature": "db595516f66f18e1341f22519cd75bdebec9fe22cf0da8b0b3d16c1da9a402d786bc566b40ee0bbcf93519de693d54a7d10a23c02dbc67986c390faf808cbc4adb87290c6336e5faf85d8f8c233ef9922fb1843a48a325954aeac902617af61fee0538540f210e1e96e2d2fbd710c3d9dcdee31f05054f429bacbd15eea95a19817a77c5be146a41a7307858ced3207157603c07b83c83ca0f35f77a632f148aa6dc8e0f947a8aaf6ad8c8d7c4490526c7f4f6ad021edb776725fe7dfb894a56d92fd032d2197c0e4edb995316a84d28109a61707230317c47c98b01093a263ebe5bcc278ffd669fd49fe1f51ac913b6c3cf714b5fc34381ee4996d59981421916414f0a902e76bd3b0399e4851a6084716df77ce405fe55a53be6f3c95f067a3f46ef77f7ad48d211cac1b08ab7964cfa9e8fdd336d2a84750021c76bffdc3de28b8d81b65134c9bdf6379fedf06b028f3ec0b6f5a6bb72c6745953ef43d67808d0bf11b7fa1d0a74b18f5e3b21f2e940ade8d052a9e19e9eb3bffbe9f5e8439a09ee26abf6d3e9528a1ef984617b5c33cf0d8d6e9daac74135d14fc21e82668e5b9075d3235eb988eec5fcac9753af2e343e2a1c88a19dc94ec1f11ae245eef3a76beccb5bb13fa9f39d9b04ffd6342cbc040e29a161d212d5b6a50c10be6f6b9e681d4747ac7bd030d75c18d61ec0ad03e3cecfc668c49424c26fd4de1072", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Time,Stamp PCA", + "ValidFrom": "2007-04-03 12:53:09", + "ValidTo": "2021-04-03 13:03:09", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000387a14cce6619d8c51000200000038", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility PCA" } ] } ] }, { - "FileName": "rtcore64.sys", - "MD5": "5b1e1a9dade81f1e80fdc0a2d3f9006e", - "SHA1": "9b8c7eda28bfad07ffe5f84a892299bc7e118442", - "SHA256": "f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc", + "Filename": "procexp152.sys", + "MD5": "ad03f225247b58a57584b40a4d1746d3", + "SHA1": "e525f54b762c10703c975132e8fc21b6cd88d39b", + "SHA256": "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Sysinternals - www.sysinternals.com", + "Description": "Process Explorer", + "Product": "Process Explorer", + "ProductVersion": "15.00", + "FileVersion": "15.00", + "MachineType": "AMD64", + "OriginalFilename": "procexp.Sys", "Authentihash": { - "MD5": "a17d227444e090ff69e24fcb6d43162b", - "SHA1": "43d3a3c1f7b14cfcc051cae2534dbbbb4c7fc120", - "SHA256": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020" + "MD5": "9e4c2a2e8832f10ecdd2be70eb6bc300", + "SHA1": "2b15e90dc654ce779bd460787352639768cd8baa", + "SHA256": "26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "procexp.sys", + "Copyright": "Copyright (C) Mark Russinovich 1996-2014", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "strncpy", "RtlInitUnicodeString", - "ZwClose", - 
"ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", - "MmIsAddressValid", - "ZwUnmapViewOfSection", "IoCreateSymbolicLink", - "IoCreateDevice", - "__C_specific_handler", "IoDeleteDevice", - "HalTranslateBusAddress" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "NtBuildNumber", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "OU=Timestamping CA, O=GlobalSign, CN=GlobalSign Timestamping CA", - "ValidFrom": "2009-03-18 11:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": 
"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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign NV, CN=GlobalSign Time Stamping Authority", - "ValidFrom": "2009-12-21 09:32:56", - "ValidTo": "2020-12-22 09:32:56", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", - "ValidFrom": "2010-04-14 00:00:00", - "ValidTo": "2012-04-15 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", + "ValidFrom": "2013-04-06 00:00:00", + "ValidTo": "2016-05-05 23:59:59", + "Signature": 
"dcae28e748027154f884826e2ddb877a410d735e07184d1777b9fe78bb3458d7b9cb6be5a892e1f6f16f040f4c143bb40dee252c632d495822bf8eef37429257332efd651b27023dba183f9824886a3602f3a0b3d78addfc85e235da619e504d300242eb19dc85c34d170a78d849372b6fb7de286fe6ed87c62f45d8e7ddf4840c009fadfbb0cf4268f0d476113f2f970d04be95e41665f20166a156b5a407c62f7e7b3d7b2acce45a615af50c85631dadab3088137df317645ef6c901b313a02abe7cf128aff2a16dfebb8e1dc4d39b5919e9433955fc3f2ba065833b573ef8e346f1505e613d5cee2efc71d7b5477a80dcc32ae5acb580370ddfa9dda309f2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "79c32d7ddd2458cf2eabe5b1b5c5290f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "24061b0958874c1cb2a5a8e9d25482d4", - "SHA1": "282fca60f0c37eb6d76400bca24567945e43c6d8", - "SHA256": "f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496", + "Filename": "procexp.Sys", + "MD5": "97e3a44ec4ae58c8cc38eefc613e950e", + "SHA1": "bc47e15537fa7c32dfefd23168d7e1741f8477ed", + "SHA256": "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2012", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": 
"Sysinternals - www.sysinternals.com", + "Description": "Process Explorer", + "Product": "Process Explorer", + "ProductVersion": "16.43", + "FileVersion": "16.43", + "MachineType": "AMD64", + "OriginalFilename": "procexp.Sys", "Authentihash": { - "MD5": "cfe667280acf69d4b5d0e2dbc76510e4", - "SHA1": "b3249bacda6e43aa2c46c2af802c9ee0b7e2fd7b", - "SHA256": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5" + "MD5": "0a7106a04e6e3b13eb105b013f76e031", + "SHA1": "0c74316dfb9c21b7ff2dc288c005f9474dc26589", + "SHA256": "c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "procexp.sys", + "Copyright": "Copyright (C) Mark Russinovich 1996-2021", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", + "strncpy", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", + "IoCreateSymbolicLink", "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + 
"ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": 
"8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:30", + "ValidTo": "2021-12-02 22:15:30", + "Signature": "199acc6a8717c0db5b4b2312dccd8bb1e33ef492731fb8e1d60bd6f690de074b6d92293c8260012dcacc668a68f10e726a37d2ff7ee66b1eea424f56f104249bd6d7e7eba8c1745f4f1143bac7e648e48c1b2a1adf6954b5de1669df19c4be5633b791b7a3cba23641006fd58ac2d494a1d00dadbc3b3fe50a7ad0163cb386693824106b5dd9f9b8a579e45f5c5f8804832b8a773701e0ca31dee9a012fce5911492de93beea44a3822f7a83c448a484eeb937a4fa7f4067879b910e534c966d2650bd5c93f066656aa0f4c7c318161d4a8b367056df42af60a0aad0eb2de3bb47b96b948f2c849f330cfef599f1775bb6d41cf150decb40a83d5800727d977e", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + 
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "RTCore64.sys", - "MD5": "70196d88c03f2ea557281b24dad85de5", - "SHA1": "55015f64783ddd148674a74d8137bcd6ccd6231d", - "SHA256": "f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298", - "Authentihash": { - "MD5": "538e5e595c61d2ea8defb7b047784734", - "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", - "SHA256": 
"478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" - }, - "Description": "", + "Filename": "procexp.sys", + "MD5": "b79475c4783efdd8122694c6b5669a79", + "SHA1": "d612165251d5f1dcfb1f1a762c88d956f49ce344", + "SHA256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", + "Signature": "", + "Date": "", + "Publisher": "", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", - "Copyright": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "procexp1627.sys", + "MD5": "c06dda757b92e79540551efd00b99d4b", + "SHA1": "3296844d22c87dd5eba3aa378a8242b41d59db7a", + "SHA256": "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Sysinternals - www.sysinternals.com", + "Description": "Process Explorer", + "Product": "Process Explorer", + "ProductVersion": "16.27", + "FileVersion": "16.27", "MachineType": "AMD64", + "OriginalFilename": "procexp.Sys", + "Authentihash": { + "MD5": "f57e986673aee44bf51e7e6bb3ed0113", + "SHA1": "edc10781eb6d1e3bdf9d15cfebddbe1a1fb804d9", + "SHA256": "decba65bbf2232ac55a698539304cab211b45eef0ed17c05dd7995bef2b98fc6" + }, + "InternalName": "procexp.sys", + "Copyright": "Copyright (C) Mark Russinovich 1996-2019", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", - "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", + "strncpy", "RtlInitUnicodeString", - "IoDeleteSymbolicLink", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + 
"SeCaptureSubjectContext", + "SeReleaseSubjectContext", "IofCompleteRequest", + "IoCreateSymbolicLink", "IoDeleteDevice", - "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "MmIsAddressValid", + "PsGetVersion", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "SePrivilegeCheck", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", + "ObQueryNameString", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcessToken", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "ObCloseHandle", + "ObOpenObjectByName", + "__C_specific_handler", + "IoFileObjectType", + "PsProcessType", + "PsThreadType", + "RtlFreeUnicodeString", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwOpenKey", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services", - "ValidFrom": "2004-01-01 00:00:00", - "ValidTo": "2028-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing Root R46", - "ValidFrom": "2021-05-25 00:00:00", - "ValidTo": "2028-12-31 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", - "ValidFrom": "2022-08-01 00:00:00", - "ValidTo": "2031-11-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=GB, O=Sectigo Limited, CN=Sectigo Public Code Signing CA R36", - "ValidFrom": "2021-03-22 00:00:00", - "ValidTo": "2036-03-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=CA, ST=Ontario, O=Cold Air Systems Inc., CN=Cold Air Systems Inc.", - "ValidFrom": "2022-03-21 00:00:00", - "ValidTo": "2023-03-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", - "ValidFrom": "2022-03-23 00:00:00", - "ValidTo": "2037-03-22 23:59:59", - "Signature": 
"7d598ec093b66f98a94422017e66d6d82142e1b0182e104d13cf3053cebf18fbc7505de24b29fb708a0daa2969fc69c1cf1d07e93e60c8d80be55c5bd76d87fa842025343167cdb612966fc4504c621d0c0882a816bda956cf15738d012225ce95693f4777fb727414d7ffab4f8a2c7aab85cd435fed60b6aa4f91669e2c9ee08aace5fd8cbc6426876c92bd9d7cd0700a7cefa8bc754fba5af7a910b25de9ff285489f0d58a717665daccf072a323fac0278244ae99271bab241e26c1b7de2aebf69eb1799981a35686ab0a45c9dfc48da0e798fbfba69d72afc4c7c1c16a71d9c6138009c4b69fcd878724bb4fa349b9776691f1729ce94b0252a7377e9353ac3b1d08490f94cd397addff256399272c3d3f6ba7f166c341cd4fb6409b212140d0b71324cddc1d783ae49eade5347192d7266be43873aba6014fbd3f3b78ad4cadfbc4957bed0a5f33398741787a38e99ce1dd23fd1d28d3c7f9e8f1985ffb2bd87ef2469d752c1e272c26db6f157b1e198b36b893d4e6f2179959ca70f037bf9800df20164f27fb606716a166badd55c03a2986b098a02bed9541b73ad5159831b462090f0abd81d913febfa4d1f357d9bc04fa82de32df0489f000cd5dc2f9d0237f000be4760226d9f0657642a6298709472be67f1aa4850ffc9896f655542b1f80fac0f20e2be5d6fba92f44154ae7130e1ddb37381aa12bf6edd67cfc", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-05-02 20:49:42", + "ValidTo": "2020-05-02 20:49:42", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2", - "ValidFrom": "2022-09-21 00:00:00", - "ValidTo": "2033-11-21 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0096c2ac9b7a12bd9588243110dc6b0519", - "Issuer": "C=GB, O=Sectigo Limited, 
CN=Sectigo Public Code Signing CA R36" + "SerialNumber": "3300000082c88ba15b1c3ef710000000000082", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } @@ -72737,18 +68358,19 @@ } ], "Tags": [ - "RTCore64.sys" - ] + "procexp.Sys" + ], + "yara": true }, { - "Id": "3277cecc-f4b4-4a00-be01-9da83e013bcd", + "Id": "a22104a8-126d-449f-ba3e-28678c60c587", "Author": "Michael Haag", "Created": "2023-02-28", "MitreID": "T1068", "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create wantd_5.sys binPath=C:\\windows\\temp\\wantd_5.sys type=kernel && sc.exe start wantd_5.sys", + "Command": "sc.exe create wantd_3.sys binPath=C:\\windows\\temp\\wantd_3.sys type=kernel && sc.exe start wantd_3.sys", "Description": "Driver used in the Daxin malware campaign.", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -72763,170 +68385,167 @@ "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "wantd_5.sys", - "MD5": "6d131a7462e568213b44ef69156f10a5", - "SHA1": "25bf4e30a94df9b8f8ab900d1a43fd056d285c9d", - "SHA256": "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3", - "Signature": "The digital signature of the object did not verify.", - "Date": "8:23 PM 2/28/2022", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Filename": "wantd_3.sys", + "MD5": "fb7c61ef427f9b2fdff3574ee6b1819b", + "SHA1": "1f25f54e9b289f76604e81e98483309612c5a471", + "SHA256": "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1", + "Signature": "Unsigned", + "Date": "7:52 AM 4/30/2014", + "Publisher": "n/a", "Company": "Microsoft Corporation", "Description": "WAN Transport Driver", "Product": "Microsoft Windows Operating System", - "ProductVersion": "6.1.7600.1172", - "FileVersion": "6.1.7600.1172", - "MachineType": "AMD64", + "ProductVersion": "5.2.3790.938", + "FileVersion": "5.2.3790.938", + "MachineType": "I386", "OriginalFilename": "wantd.sys", "Authentihash": { - "MD5": 
"7c35b7a9bf59a63b84f252906732edde", - "SHA1": "ea0d2851b890d39d85bfb0dd1404c87f73aed47f", - "SHA256": "448a507774886c1745beaa86cd0867d93f142f5d2b58d452c5a8250d93359779" + "MD5": "cbb18883d7893156620f084ff40b2fbf", + "SHA1": "df59532dbae676b3fb2653a1bbd9cd5f1cd3ba78", + "SHA256": "a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7" }, "InternalName": "wantd.sys", "Copyright": "Microsoft Corporation. All rights reserved.", "Imports": [ "ntoskrnl.exe", + "HAL.dll", "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IofCompleteRequest", + "KeResetEvent", + "InterlockedIncrement", + "KeSetEvent", + "InterlockedDecrement", + "RtlUnicodeStringToInteger", + "RtlInitUnicodeString", + "KeInitializeEvent", "wcsncmp", + "wcscat", + "wcslen", + "wcscpy", + "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "_strnicmp", - "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", + "KeInsertQueueApc", + "KeInitializeApc", + "KeDetachProcess", + "KeAttachProcess", + "PsLookupThreadByThreadId", + "ZwAllocateVirtualMemory", + "RtlCompareUnicodeString", "PsLookupProcessByProcessId", - "NtQuerySystemInformation", + "ZwFreeVirtualMemory", "_wcsnicmp", - "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", - "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "atoi", - "_snprintf", "ZwQuerySystemInformation", - "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", + "ZwQueryInformationProcess", "RtlImageDirectoryEntryToData", - "KeDetachProcess", + "_stricmp", + "NtQuerySystemInformation", "ZwOpenFile", - "ZwCreateFile", - "PsCreateSystemThread", + "MmGetSystemRoutineAddress", "ZwQueryValueKey", - "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - 
"KeAttachProcess", - "PsGetVersion", - "PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", - "ZwQueryInformationProcess", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "IoCreateDevice", + "ZwOpenKey", "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "PsLookupThreadByThreadId", + "ZwOpenProcess", + "IoCreateFile", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", "RtlLengthSid", "RtlCreateSecurityDescriptor", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", + "NtWriteFile", + "NtReadFile", + "KeWaitForMultipleObjects", + "NtFsControlFile", + "ZwWaitForSingleObject", + "RtlLengthRequiredSid", + "IoCreateSymbolicLink", + "DbgPrint", + "IoCreateDevice", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "sprintf", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "vsprintf", "ZwDeviceIoControlFile", - "IofCompleteRequest", - "ZwClose", "MmMapLockedPagesSpecifyCache", + "IoFreeMdl", + "KeWaitForSingleObject", + "ObfDereferenceObject", "KeDelayExecutionThread", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "ZwWaitForSingleObject", - "RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "PsThreadType", + "ObReferenceObjectByHandle", + "ZwClose", + "KeQueryTimeIncrement", + "KeTickCount", + "KeInitializeSpinLock", + "ExAllocatePoolWithTag", + "PsGetVersion", + "ExFreePool", + "KfReleaseSpinLock", + "KfAcquireSpinLock", + "NdisAllocatePacketPool", + "NdisAllocateBufferPool", + "NdisRegisterProtocol", + "NdisDeregisterProtocol", + "NdisUnchainBufferAtFront", + "NdisAllocatePacket", + 
"NdisAllocateMemory", + "NdisFreePacket", + "NdisAllocateBuffer", "NdisFreeMemory", - "NdisMIndicateStatus", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "NdisFreeBufferPool", + "NdisCopyFromPacketToPacket", + "NdisFreePacketPool" ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "387c9476e28320264594846317d46540", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] + "Signatures": {} } ], "Tags": [ - "wantd_5.sys" - ] + "wantd_3.sys" + ], + "yara": true }, { - "Id": "19003e00-d42d-4cbe-91f3-756451bdd7da", - "Author": "Michael Haag, Guus Verbeek", + "Id": "3fb743b8-d3ed-4873-9c95-e212720dde21", + "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create AsrSetupDrv103.sys binPath=C:\\windows\\temp\\AsrSetupDrv103.sys type=kernel && sc.exe start AsrSetupDrv103.sys", + "Command": "sc.exe create Lurker.sys binPath=C:\\windows\\temp\\Lurker.sys type=kernel && sc.exe start Lurker.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
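Review bot: The new wantd_3.sys sample ends with `"Signatures": {}`, an empty object, where every other sample in this file carries an array (`"Signatures": [ { ... } ]`), and its `"Signature": "Unsigned"` is a bare string where the GVCIDrv64 sample in the hunk at `@@ -72997,32 +68574,46 @@` carries an array of signer names. The same type drift appears in the hunk at `@@ -73115,17 +68753,18 @@` (`"Commands"` is a plain string and `"Description": []` an array, versus the `"Commands": { "Command": ... }` object used by the neighbouring entries) and in the hunk at `@@ -73137,48 +68776,286 @@` (`"FileName"` key casing versus `"Filename"`, `"CertificatesInfo": []` versus `""`, `"ExportedFunctions"` as an array versus `""`). A statically typed decoder — presumably Go's encoding/json given the pkg/ path, though the consumer is not visible here — rejects the whole document on the first mismatched field unless these members are decoded loosely, so either normalise them on import or decode them as json.RawMessage and branch on shape. The data fix itself belongs upstream, since a hand edit to this vendored copy would be lost on the next refresh; both the wantd_3.sys entry and the Lurker.sys entry that follows start or end outside this hunk.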
@@ -72943,50 +68562,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "AsrSetupDrv103.sys", - "SHA1": "0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "SHA1": "461882bd59887617cadc1c7b2b22d0a45458c070", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "SHA1": "a7948a4e9a3a1a9ed0e4e41350e422464d8313cd", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "SHA1": "f3cce7e79ab5bd055f311bb3ac44a838779270b6", + "Filename": "Lurker.sys", + "SHA256": "0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670", "Signature": [], "Date": "", "Publisher": "", 
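Review bot: The new Lurker.sys sample carries only a `SHA256` and no `MD5`/`SHA1` keys at all, whereas the AsrSetupDrv103 samples it replaces carried them as empty strings (`"MD5": ""`); the nt6.sys sample in the hunk at `@@ -73100,8 +68738,8 @@` has the same shape. A consumer that indexes drivers by MD5 or SHA1 has to treat both an absent key and an empty string as "unknown", or these two drivers will silently never match on those hashes. The removed AsrSetupDrv103 lines also show that upstream has emitted upper-case hex (`399EFFE7...`) while the new samples are lower-case, so if any retained entries still carry mixed case the comparison should be case-insensitive. I cannot see the decoder from here, so this is a check to make rather than a confirmed defect; the sample object continues past the end of the hunk.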
@@ -72997,32 +68574,46 @@ "FileVersion": "", "MachineType": "", "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "MD5": "", - "SHA1": "", - "SHA256": "399EFFE75D32BDAB6FA0A6BFFE02DBF0A59219D940B654837C3BE1C0BD02E9AA", - "Signature": [ - "" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, + } + ], + "Tags": [ + "Lurker.sys" + ], + "yara": false + }, + { + "Id": "7c83cb1a-a5ab-4ea0-aa69-0e9a1d09a82f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create GVCIDrv64.sys binPath=C:\\windows\\temp\\GVCIDrv64.sys type=kernel && sc.exe start GVCIDrv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "AsrSetupDrv103.sys", - "MD5": "", - "SHA1": "", - "SHA256": "27CD05527FEB020084A4A76579C125458571DA8843CDFC3733211760A11DA970", + "Filename": "GVCIDrv64.sys", + "MD5": "8b287636041792f640f92e77e560725e", + "SHA1": "e92817a8744ebc4e4fa5383cdce2b2977f01ecd4", + "SHA256": "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f", "Signature": [ - "" + "GIGA-BYTE TECHNOLOGY CO., LTD.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" ], "Date": "", "Publisher": "", 
@@ -73031,59 +68622,106 @@ "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "MD5": "", - "SHA1": "", - "SHA256": "7AAF2AA194B936E48BC90F01EE854768C8383C0BE50CFB41B346666AEC0CF853", - "Signature": [ - "" + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "263d00295d36d976b90f44aadc1faa90", + "SHA1": "4eae38e9dc262eb7b6ede4b3d3f4ad068933845e", + "SHA256": "2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - }, - { - "Filename": "AsrSetupDrv103.sys", - "MD5": "", - "SHA1": "", - "SHA256": "727E8BA66A8FF07BDC778EACB463B65F2D7167A6616CA2F259EA32571CACF8AF", - "Signature": [ - "" + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "IoCreateSymbolicLink", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "IoCreateDevice", + "IofCompleteRequest", + "RtlCopyUnicodeString", + "DbgPrint", + "ZwClose", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=NEW TAIPEI, O=GIGA,BYTE TECHNOLOGY CO., LTD., CN=GIGA,BYTE TECHNOLOGY CO., LTD.", + "ValidFrom": "2016-07-21 00:00:00", + "ValidTo": "2019-09-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2ad22e071f61cafe7884bfa43a31b21b", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] } ], "Tags": [ - "AsrSetupDrv103.sys" - ] + "GVCIDrv64.sys" + ], + "yara": false }, { - "Id": "1068f5cc-65dd-4fd0-b3d8-1d982b37405f", + "Id": "e71f0866-e317-44d4-a456-d6f0c555aa73", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "FALSE", "Commands": { - "Command": "sc.exe create WinIO32A.sys binPath=C:\\windows\\temp\\WinIO32A.sys type=kernel && sc.exe start WinIO32A.sys", + "Command": "sc.exe create nt6.sys binPath=C:\\windows\\temp \\n \\n \\n t6.sys type=kernel && sc.exe start nt6.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", @@ -73100,8 +68738,8 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "WinIO32A.sys", - "SHA1": "01779ee53f999464465ed690d823d160f73f10e7", + "Filename": "nt6.sys", + "SHA256": "15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229", "Signature": [], "Date": "", "Publisher": "", 
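Review bot: The new nt6.sys `Command` value, `binPath=C:\\windows\\temp \\n \\n \\n t6.sys`, does not follow the `binPath=C:\\windows\\temp\\<Filename>` pattern every other entry in this file uses and looks like an escaping artifact in the upstream dataset (a `\\n` sequence followed by `t6.sys`) rather than a real path. Anything that renders, greps or compares the Command field will see a broken string for this driver, so it is worth reporting upstream; a hand edit to this vendored copy would be lost on the next refresh. As a smaller style point carried over from upstream, `"Verified": "TRUE"` is a string boolean sitting next to a real `"yara": true` boolean in the same object, and `"Detection"` links point at mutable `blob/main/` paths rather than a pinned revision. The enclosing entry object ends outside this hunk.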
@@ -73115,17 +68753,18 @@ } ], "Tags": [ - "WinIO32A.sys" - ] + "nt6.sys" + ], + "yara": false }, { - "Id": "52ded752-2708-499e-8f37-98e4a9adc23c", + "Id": "90afa27c-0f67-46a6-b4a9-809f55157c71", "Author": "Nasreddine Bencherchali", "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create GLCKIO2.sys binPath=C:\\windows\\temp\\GLCKIO2.sys type=kernel && sc.exe start GLCKIO2.sys", + "Commands": "sc.exe create nscm.sys binPath=C:\\windows\\temp\\nscm.sys type=kernel && sc.exe start nscm.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -73137,48 +68776,286 @@ "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "GLCKIO2.sys", - "MD5": "dedd07993780d973c22c93e77ab69fa3", - "SHA1": 
"83b5e60943a92050fccb8acef7aa464c8f81d38e", - "SHA256": "e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8", + "FileName": "nscm.sys", + "MD5": "ba2c0fa201c74621cddd8638497b3c70", + "SHA1": "8f540936f2484d020e270e41529624407b7e107e", + "SHA256": "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7", + "Authentihash": { + "MD5": "3a5b83215c9ea17f8d3ad3812c30a340", + "SHA1": "533e0690528ff3f0d59edeed9dd53b4f37c0a110", + "SHA256": "1622ac0c618a86be17e0f97daa061f9aaa0e721dc0fd30d76bbc5c958e9a9d92" + }, + "Description": "Novell XTier Session Manager", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" + ], + "ImportedFunctions": [ + "IoCreateDevice", + "SeUnregisterLogonSessionTerminatedRoutine", + "KeInitializeMutex", + "IoDeleteDevice", + "SeRegisterLogonSessionTerminatedRoutine", + "ZwOpenProcessTokenEx", + "KeReleaseMutex", + "ZwClose", + "SeMarkLogonSessionForTerminationNotification", + "ZwQueryInformationToken", + "ZwOpenThreadTokenEx", + "KeBugCheckEx", + "KeWaitForSingleObject", + "IoGetCurrentProcess", + "DbgPrint", + "NicmCreateInstance", + "NicmDeregisterClassFactory" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + 
"Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "nscm.sys", + "MD5": "4c76554d9a72653c6156ca0024d21a8e", + "SHA1": "6d3c760251d6e6ea7ff4f4fcac14876fac829cf9", + "SHA256": 
"2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0", + "Authentihash": { + "MD5": "b546d6b223a9e1a42f8359dbf9d9737c", + "SHA1": "41f6704252efa14de0d72eeaf7475886ba7f3bdc", + "SHA256": "92ca1aec3afc90b44861c2e0be084a3db38d22d52f35e1697643d6477151392f" + }, + "Description": "Novell XTier Session Manager", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" + ], + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "KeInitializeMutex", + "IoQueueWorkItemEx", + "IoDeleteDevice", + "IoFreeWorkItem", + "RtlEqualUnicodeString", + "ZwOpenProcessTokenEx", + "IoAllocateWorkItem", + "ZwClose", + "ZwOpenProcess", + "DbgPrint", + "PsGetCurrentProcessId", + "IoCreateDevice", + "ZwQueryInformationToken", + "PsSetCreateProcessNotifyRoutine", + "SeRegisterLogonSessionTerminatedRoutine", + "SeUnregisterLogonSessionTerminatedRoutine", + "ZwOpenThreadTokenEx", + "IoGetCurrentProcess", + "SeMarkLogonSessionForTerminationNotification", + "KeBugCheckEx", + "KeWaitForSingleObject", + "ZwQueryInformationProcess", + "KeReleaseMutex", + "NicmCreateInstance", + "NicmDeregisterClassFactory" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher", + "ValidFrom": "2022-01-27 19:31:19", + "ValidTo": "2023-01-26 19:31:19", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", + "ValidFrom": 
"2011-10-19 18:41:42", + "ValidTo": "2026-10-19 18:51:42", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "330000036ce57eeb5d1cc2be1700000000036c", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" + } + ] + } + ] + }, + { + "FileName": "nscm.sys", + "MD5": "5f4a232d92480a1bebbe025ef64dc760", + "SHA1": "0cb14c1049c0e81c8655ab7ee7d698c11758ea06", + "SHA256": "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c", "Authentihash": { - "MD5": "9266ad818c7d32f3f6b759cbd20f742a", - "SHA1": "e78779533d76b402eab613557170ccbf5d951883", - "SHA256": "47489362609fa9bd398deec955d5600780bb3788eb29a282bcc5245905713eb0" + "MD5": "5d62cae57be434a4d56924574498c4f2", + "SHA1": "1a99d3141d75a3ef1998944b2d107089ce3ef6e4", + "SHA256": "a363deaf1790e9c0610e07a7203749aab8b60f5ededc944abc0ef3010f5e2105" }, - "Description": "", - "Company": "", + "Description": "XTier Security Context Manager", + "Company": "Micro Focus", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.12.0", + "Product": "Micro Focus XTier", + "ProductVersion": "3.1.12", + "Copyright": "(C) Copyright 2000-2017, Micro Focus. 
All Rights Reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "KeInitializeMutex", + "PsLookupProcessByProcessId", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "MmGetSystemRoutineAddress", - "ObfDereferenceObject", + "RtlEqualUnicodeString", + "ZwOpenProcessTokenEx", + "_vsnwprintf", "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", + "ZwOpenProcess", + "ZwQueryInformationProcess", + "DbgPrint", + "IoCreateDevice", + "ZwQueryInformationToken", + "RtlDeleteRegistryValue", + "PsSetCreateProcessNotifyRoutine", + "SeRegisterLogonSessionTerminatedRoutine", + "SeUnregisterLogonSessionTerminatedRoutine", + "ZwOpenThreadTokenEx", + "IoGetCurrentProcess", + "SeMarkLogonSessionForTerminationNotification", + "PsGetCurrentProcessId", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "KeWaitForSingleObject", + "ObfDereferenceObject", + "KeReleaseMutex", + "NicmCreateInstance", + "NicmDeregisterClassFactory" ], "Signatures": [ { 
@@ -73186,301 +69063,106 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", - "ValidFrom": "2019-04-01 00:00:00", - "ValidTo": "2022-01-11 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2021-09-09 19:15:59", + "ValidTo": "2022-09-01 19:15:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert 
Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "330000004de597a775e3157f7b00000000004d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - } - ], - "Tags": [ - "GLCKIO2.sys" - ] - }, - { - "Id": "e71f0866-e317-44d4-a456-d6f0c555aa73", - 
"Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create nt6.sys binPath=C:\\windows\\temp \\n \\n \\n t6.sys type=kernel && sc.exe start nt6.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "nt6.sys", - "SHA256": "15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "nt6.sys" - ] - }, - { - "Id": "ca768fc5-9b5c-4ced-90ab-fd6be9a70199", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create amp.sys binPath=C:\\windows\\temp\\amp.sys type=kernel && sc.exe start amp.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", - "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "amp.sys", - "MD5": "c533d6d64b474ffc3169a0e0fc0a701a", - "SHA1": 
"3f223581409492172a1e875f130f3485b90fbe5f", - "SHA256": "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "CYREN Inc.", - "Description": "AMP Minifilter", - "Product": "CYREN AMP 5", - "ProductVersion": "5.4.11.1", - "FileVersion": "5.4.11.1", - "MachineType": "AMD64", - "OriginalFilename": "amp.sys", + "FileName": "nscm.sys", + "MD5": "f56f30ac68c35dd4680054cdfd8f3f00", + "SHA1": "fce3a95b222c810c56e7ed5a3d7fb059eb693682", + "SHA256": "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c", "Authentihash": { - "MD5": "74ee74d20c3afc42d7722a88aacf3671", - "SHA1": "87a84133f5e4c12d2d4a42fcc3be84b43a6202b5", - "SHA256": "a37371c4e62f106e7da03fd5bdd6f12ecdf7fcaf1195dbf9fb7ef6eb456a7506" + "MD5": "3050ced748b80cc81892435fd0868bfc", + "SHA1": "579e23f2b6ce2221ba435abc20801e98ab91a360", + "SHA256": "34f36a59ecf6174eeac15994e54c41fe1e3e3b1eee8ed4c399ec8c63212373d7" }, - "InternalName": "AMP", - "Copyright": "Copyright © 1999 - 2014. CYREN Inc. All rights reserved.", + "Description": "Novell XTier Session Manager", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2011, Novell, Inc. 
All Rights Reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ObQueryNameString", - "RtlIntegerToUnicodeString", - "IoGetCurrentProcess", - "_strnicmp", - "MmIsAddressValid", - "_strupr", - "MmGetSystemRoutineAddress", - "PsGetVersion", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "KeEnterCriticalRegion", - "ExAcquireResourceSharedLite", - "ExReleaseResourceForThreadLite", - "KeLeaveCriticalRegion", - "ExAcquireResourceExclusiveLite", - "wcschr", - "wcsrchr", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", - "ExUuidCreate", - "ObReferenceObjectByHandle", - "_wcsupr", - "wcsncmp", - "IoGetTopLevelIrp", - "IoSetTopLevelIrp", - "IoGetStackLimits", - "ObfReferenceObject", - "ZwOpenDirectoryObject", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "RtlFreeUnicodeString", - "KeSetEvent", - "RtlTimeToTimeFields", - "swprintf", - "_wcsicmp", - "ExSystemTimeToLocalTime", - "KeWaitForMultipleObjects", - "KeResetEvent", - "PsTerminateSystemThread", - "PsGetCurrentProcessId", - "wcsncpy", - "PsCreateSystemThread", - "PsGetCurrentThreadId", - "ZwOpenProcess", - "ZwQueryInformationProcess", - "IoAllocateErrorLogEntry", - "IoWriteErrorLogEntry", - "IoAllocateWorkItem", - "IoQueueWorkItem", - "IoFreeWorkItem", - "ExReleaseResourceLite", - "ZwCreateKey", - "ZwSetValueKey", - "ZwQueryValueKey", - "RtlInitAnsiString", - "RtlAnsiStringToUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlCopyUnicodeString", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "KeWaitForSingleObject", - "IofCallDriver", - "KeInitializeEvent", - "RtlCompareString", - "RtlInitString", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "IofCompleteRequest", - "IoIs32bitProcess", - "ZwLoadDriver", - "ZwUnloadDriver", - 
"RtlInitUnicodeString", - "IoCreateSymbolicLink", "IoCreateDevice", + "SeUnregisterLogonSessionTerminatedRoutine", + "KeInitializeMutex", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "SeRegisterLogonSessionTerminatedRoutine", + "SeMarkLogonSessionForTerminationNotification", + "KeReleaseMutex", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "IoGetCurrentProcess", "ZwClose", - "ExAllocatePool", - "ZwCreateFile", - "ExFreePool", - "RtlUnicodeStringToInteger", - "strncmp", - "_wcsnicmp", - "strchr", - "KeReleaseSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "ExInitializeNPagedLookasideList", - "ExpInterlockedPushEntrySList", - "ExpInterlockedPopEntrySList", - "ExDeletePagedLookasideList", - "ExQueryDepthSList", - "ExInitializePagedLookasideList", - "ExDeleteNPagedLookasideList", - "__C_specific_handler", - "_local_unwind", - "FltGetVolumeFromInstance", - "FltSetCallbackDataDirty", - "FltGetFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetVolumeProperties", - "FltStartFiltering", - "FltRegisterFilter", - "FltGetRoutineAddress", - "FltGetDiskDeviceObject", - "FltUnregisterFilter", - "FltGetTunneledName", - "FltGetDestinationFileNameInformation", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltCancelFileOpen", - "FltCreateFile", - "FltObjectReference", - "FltReleaseContext", - "FltSetInstanceContext", - "FltAllocateContext", - "FltGetInstanceContext", - "FltEnumerateInstances", - "FltGetVolumeFromName", - "FltObjectDereference", - "FltGetFileNameInformationUnsafe", - "FltQueryInformationFile", - "FltClose", - "FltFlushBuffers" + "KeBugCheckEx", + "KeWaitForSingleObject", + "ZwQueryInformationToken", + "DbgPrint", + "NicmCreateInstance", + "NicmDeregisterClassFactory" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 
23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - 
"Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2010-04-03 00:00:00", + "ValidTo": "2013-04-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -73489,470 +69171,168 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Virginia, L=McLean, O=Commtouch, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R&D, CN=Commtouch, Inc.", - "ValidFrom": "2013-11-19 00:00:00", - "ValidTo": "2017-01-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "560e308d590a10d941619020e45e2c2b", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "amp.sys" - ] - }, - { - "Id": "49920621-75d5-40fc-98b0-44f8fa486dcc", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create zam64.sys binPath=C:\\windows\\temp\\zam64.sys type=kernel && sc.exe start zam64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "zam64.sys", - "MD5": "21e13f2cb269defeae5e1d09887d47bb", - "SHA1": "16d7ecf09fc98798a6170e4cef2745e0bee3f5c7", - "SHA256": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", - "Signature": [ - "Zemana Ltd.", - 
"DigiCert High Assurance Code Signing CA-1", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "Zemana Ltd.", - "Description": "ZAM", - "Product": "ZAM", - "ProductVersion": "2.21.63", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "nscm.sys", + "MD5": "a1547e8b2ca0516d0d9191a55b8536c0", + "SHA1": "7cd4aea9c1f82111bf7f9d4934be95e9bb6f8ae0", + "SHA256": "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2", "Authentihash": { - "MD5": "3f2771b22553380efcee72a27dc4d96c", - "SHA1": "0d15b7de0f1129b540f48d7a3cba2c6bf5d44112", - "SHA256": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f" + "MD5": "7e245f8b1d1bddfd217d1cd060b91657", + "SHA1": "8c89db8dd4d7947cb5eb13c7a12907564576cb91", + "SHA256": "00dfeab446afecac7b44b0b1680d5ca7d421eda243e16db8c08706bb593a8391" }, + "Description": "Novell XTier Session Manager", + "Company": "Novell, Inc.", "InternalName": "", - "Copyright": "Zemana Ltd. All rights reserved.", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2008, Novell, Inc. 
All Rights Reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "FsRtlIsNameInExpression", - "PsGetProcessImageFileName", - "ZwQueryInformationProcess", - "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", - "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - "IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ObQueryNameString", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "MmMapLockedPagesSpecifyCache", - "PsGetProcessId", - 
"IoThreadToProcess", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetProcessSectionBaseAddress", - "MmSystemRangeStart", - "KeBugCheckEx", - "PsLookupProcessByProcessId", - "ZwOpenProcess", - "PsGetCurrentProcessId", - "RtlUpcaseUnicodeString", - "RtlUpperString", + "SeUnregisterLogonSessionTerminatedRoutine", + "SeRegisterLogonSessionTerminatedRoutine", + "KeInitializeMutex", + "IoCreateDevice", "ZwClose", - "ZwCreateFile", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", + "KeWaitForSingleObject", + "ZwOpenProcessTokenEx", + "ZwOpenThreadTokenEx", + "IoGetCurrentProcess", + "SeMarkLogonSessionForTerminationNotification", + "KeTickCount", "DbgPrint", - "RtlCopyUnicodeString", - "RtlInitUnicodeString", - "wcsstr", - "ZwQuerySystemInformation", - "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - "FltReleaseContext", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltAllocateContext", - "FltCancelFileOpen", - "FltQueryInformationFile", - "FltReadFile", - "FltParseFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetFileNameInformation", - "FltFreePoolAlignedWithTag", - "FltAllocatePoolAlignedWithTag", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "ZwQueryInformationToken", + "KeReleaseMutex", + "NicmCreateInstance", + "NicmDeregisterClassFactory" ], 
"Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + 
"Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": 
"267f71f6ee43755fd6395f85c34bb15a72a6f2a959c2074627d294395fb1aaa4c7bbeff369d735628b233bde7e5c95a0f1837e5ad03704270834ce9c1b07649a256027930f44e064568666b06e7f9dc3cd299b38b0a6766301200ab58434a05a34a369ab99bbbf2aaa6b3603481e0393a80ea09e78a7cf55317a9590c49887f02e1fd948c3b1f6d203e91782ce423d0569f45e7f074205df5f92be6ccd9836641439af4390022242e0ca84aedb0d71c5a50f2dbd1ed30e5ac9c1bda67c694f94f2fe4aa83945ed32e426afe26f44dcb6dcc8186728f86f1a1bddc1ea7dd82b76578a42d1e63bf5f8f348fbcd509094858978e375d277394529df1dd5d78abab2", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "zam64.sys" - ] - }, - { - "Id": "5938df1d-9513-449f-8252-c442ddca0c2a", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create VBoxUSB.sys binPath=C:\\windows\\temp\\VBoxUSB.Sys type=kernel && sc.exe start VBoxUSB.Sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - 
"Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "VBoxUSB.Sys", - "MD5": "65b979bcab915c3922578fe77953d789", - "SHA1": "6a2912c8e2aa4373852585bc1134b83c637bc9fd", - "SHA256": "6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8", + "FileName": "nscm.sys", + "MD5": "bd5d4d07ae09e9f418d6b4ac6d9f2ed5", + "SHA1": "d61acd857242185a56e101642d15b9b5f0558c26", + "SHA256": "fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f", "Authentihash": { - "MD5": "5e120bab075f0c78a1023bec63fb5ec6", - "SHA1": "36b030a7f80da09b8b80cdab325489d5a6d9698a", - "SHA256": "dd09931d050a354b34731621191795483930bb5f00aa6fba5bb849ea2c89224c" + "MD5": "32265ccdfe3d7f66269cbee0d5555e5b", + "SHA1": "72e5f5f6f266410d827fef10dc82c7ec8541e036", + "SHA256": "253ed7f5c7115e957dfdb1f5c6c51592b491a70b27787903c8fd848e45b9cf22" }, - "Description": "", - "Company": "", + "Description": "Novell XTier Session Manager", + "Company": "Novell, Inc.", "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "OriginalFilename": "nscm.sys", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. 
All Rights Reserved.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "nicm.sys" ], "ExportedFunctions": [ - "AssertMsg1", - "RTAssertDoBreakpoint", - "RTErrConvertFromNtStatus", - "RTLogDefaultInstance", - "RTLogLogger", - "RTLogLoggerEx", - "RTLogLoggerExV", - "RTLogPrintf", - "RTLogPrintfV", - "RTLogRelDefaultInstance", - "RTLogSetDefaultInstanceThread", - "RTMemAlloc", - "RTMemAllocZ", - "RTMemContAlloc", - "RTMemContFree", - "RTMemExecAlloc", - "RTMemExecFree", - "RTMemFree", - "RTMemRealloc", - "RTMemTmpAlloc", - "RTMemTmpAllocZ", - "RTMemTmpFree", - "RTMpCpuId", - "RTMpCpuIdFromSetIndex", - "RTMpCpuIdToSetIndex", - "RTMpDoesCpuExist", - "RTMpGetCount", - "RTMpGetMaxCpuId", - "RTMpGetOnlineCount", - "RTMpGetOnlineSet", - "RTMpGetSet", - "RTMpIsCpuOnline", - "RTMpOnAll", - "RTMpOnOthers", - "RTMpOnSpecific", - "RTProcSelf", - "RTR0MemObjAddress", - "RTR0MemObjAddressR3", - "RTR0MemObjAllocCont", - "RTR0MemObjAllocLow", - "RTR0MemObjAllocPage", - "RTR0MemObjAllocPhys", - "RTR0MemObjAllocPhysNC", - "RTR0MemObjEnterPhys", - "RTR0MemObjFree", - "RTR0MemObjGetPagePhysAddr", - "RTR0MemObjIsMapping", - "RTR0MemObjLockKernel", - "RTR0MemObjLockUser", - "RTR0MemObjMapKernel", - "RTR0MemObjMapUser", - "RTR0MemObjReserveKernel", - "RTR0MemObjReserveUser", - "RTR0MemObjSize", - "RTR0ProcHandleSelf", - "RTSemEventCreate", - "RTSemEventDestroy", - "RTSemEventMultiCreate", - "RTSemEventMultiDestroy", - "RTSemEventMultiReset", - "RTSemEventMultiSignal", - "RTSemEventMultiWait", - "RTSemEventMultiWaitNoResume", - "RTSemEventSignal", - "RTSemEventWait", - "RTSemEventWaitNoResume", - "RTSemFastMutexCreate", - "RTSemFastMutexDestroy", - "RTSemFastMutexRelease", - "RTSemFastMutexRequest", - "RTSpinlockAcquire", - "RTSpinlockAcquireNoInts", - "RTSpinlockCreate", - "RTSpinlockDestroy", - "RTSpinlockRelease", - "RTSpinlockReleaseNoInts", - "RTThreadNativeSelf", - "RTThreadSleep", - "RTThreadYield", - "SUPR0ContAlloc", - "SUPR0ContFree", - "SUPR0GipMap", - 
"SUPR0GipUnmap", - "SUPR0LockMem", - "SUPR0LowAlloc", - "SUPR0LowFree", - "SUPR0MemAlloc", - "SUPR0MemFree", - "SUPR0MemGetPhys", - "SUPR0ObjAddRef", - "SUPR0ObjRegister", - "SUPR0ObjRelease", - "SUPR0ObjVerifyAccess", - "SUPR0PageAlloc", - "SUPR0PageFree", - "SUPR0UnlockMem" + "DllGetClassObject", + "XTCOM_Table" ], "ImportedFunctions": [ - "IofCompleteRequest", - "DbgPrint", - "IoIs32bitProcess", - "MmFreeContiguousMemory", - "IoFreeMdl", - "MmGetSystemRoutineAddress", - "RtlInitUnicodeString", - "KeCancelTimer", - "KeInsertQueueDpc", - "__C_specific_handler", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "KeSetTimerEx", - "ExSetTimerResolution", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "KeInitializeMutex", + "IoQueueWorkItemEx", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "KeSetTargetProcessorDpc", - "KeSetImportanceDpc", - "KeInitializeDpc", - "KeInitializeTimerEx", - "MmGetPhysicalAddress", - "KeQueryActiveProcessors", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "IoCreateSymbolicLink", - "IoCreateDevice", - "memchr", - "strncmp", + "IoFreeWorkItem", + "RtlEqualUnicodeString", + "ZwOpenProcessTokenEx", + "IoAllocateWorkItem", + "ZwClose", + "ZwOpenProcess", + "DbgPrint", "PsGetCurrentProcessId", + "IoCreateDevice", + "ZwQueryInformationToken", + "PsSetCreateProcessNotifyRoutine", + "SeRegisterLogonSessionTerminatedRoutine", + "SeUnregisterLogonSessionTerminatedRoutine", + "ZwOpenThreadTokenEx", "IoGetCurrentProcess", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "ZwYieldExecution", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeInitializeEvent", - "KeSetEvent", - "KeResetEvent", + "SeMarkLogonSessionForTerminationNotification", + "KeBugCheckEx", "KeWaitForSingleObject", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "MmUnmapIoSpace", - "MmUnlockPages", - "MmFreePagesFromMdl", - "MmUnsecureVirtualMemory", - "MmProtectMdlSystemAddress", - 
"MmAllocatePagesForMdl", - "MmSecureVirtualMemory", - "MmProbeAndLockPages", - "MmMapIoSpace" + "ZwQueryInformationProcess", + "KeReleaseMutex", + "NicmCreateInstance", + "NicmDeregisterClassFactory" ], "Signatures": [ { @@ -73960,24 +69340,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows", - "ValidFrom": "2021-09-02 18:23:41", - "ValidTo": "2022-09-01 18:23:41", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", + "ValidFrom": "2021-09-02 18:32:59", + "ValidTo": "2022-09-01 18:32:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011", - "ValidFrom": "2011-10-19 18:41:42", - "ValidTo": "2026-10-19 18:51:42", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", + "ValidFrom": "2011-07-08 20:59:09", + "ValidTo": "2026-07-08 21:09:09", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "330000033c89c66a7b45bb1fbd00000000033c", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011" + "SerialNumber": "33000002528b33aaf895f339db000000000252", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" } ] } 
@@ -73985,18 +69365,235 @@ } ], "Tags": [ - "VBoxUSB.Sys" - ] + "nscm.sys" + ], + "yara": true + }, + { + "Id": "920e3326-e5dc-446a-9993-6ec05266e0e0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create ASIO32.sys binPath=C:\\windows\\temp\\ASIO32.sys type=kernel && sc.exe start ASIO32.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "ASIO32.sys", + "SHA1": "d569d4bab86e70efbcdfdac9d822139d6f477b7c", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ASIO32.sys", + "SHA1": "80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ASIO32.sys", + "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ASIO32.sys", + "SHA1": "1acc7a486b52c5ee6619dbdc3b4210b5f48b936f", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + 
"Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ASIO32.sys", + "SHA1": "55ab7e27412eca433d76513edc7e6e03bcdd7eda", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "ASIO32.sys", + "SHA1": "1e7c241b9a9ea79061b50fb19b3d141dee175c27", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "ASIO32.sys" + ], + "yara": false }, { - "Id": "0258df5c-c3c1-4ed5-ba8f-846d91526ffe", + "Id": "be4843ef-a2a8-4a0d-91c6-42e165800bb0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create TestBone.sys binPath=C:\\windows\\temp\\TestBone.sys type=kernel && sc.exe start TestBone.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "TestBone.sys", + "SHA256": "0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + 
"OriginalFilename": "" + } + ], + "Tags": [ + "TestBone.sys" + ], + "yara": false + }, + { + "Id": "1ed9d02f-17cf-43dd-9645-a54452468a5e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create WinIo64C.sys binPath=C:\\windows\\temp\\WinIo64C.sys type=kernel && sc.exe start WinIo64C.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WinIo64C.sys", + "SHA1": "b242b0332b9c9e8e17ec27ef10d75503d20d97b6", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "WinIo64C.sys", + "SHA1": "a65fabaf64aa1934314aae23f25cdf215cbaa4b6", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIo64C.sys" + ], + "yara": false + }, + { + "Id": "7bb5ff05-25f8-410d-ae99-c8e8f082d24f", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create AsrDrv10.sys binPath=C:\\windows\\temp\\AsrDrv10.sys type=kernel && sc.exe start AsrDrv10.sys", + "Command": "sc.exe create WinRing0.sys 
binPath=C:\\windows\\temp\\WinRing0.sys type=kernel && sc.exe start WinRing0.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -74010,62 +69607,81 @@ "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "AsrDrv10.sys", - "MD5": "9b91a44a488e4d539f2e55476b216024", - "SHA1": "72966ca845759d239d09da0de7eebe3abe86fee3", - "SHA256": "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c", + "Filename": "WinRing0.sys", + "MD5": "828bb9cb1dd449cd65a29b18ec46055f", + "SHA1": "558aad879b6a47d94a968f39d0a4e3a3aaef1ef1", + "SHA256": "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8", "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "TOSHIBA AMERICA INFORMATION SYSTEMS, INC.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", - 
"Publisher": "ASROCK Incorporation", - "Company": "ASRock Incorporation", - "Description": "ASRock IO Driver", - "Product": "ASRock IO Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", + "Publisher": "", + "Company": "OpenLibSys.org", + "Description": "WinRing0", + "Product": "WinRing0", + "ProductVersion": "1.0.1.2", + "FileVersion": "1.0.1.2", "MachineType": "AMD64", - "OriginalFilename": "AsrDrv.sys", + "OriginalFilename": "WinRing0.sys", "Authentihash": { - "MD5": "e3a0cecf1427722f291347941edc9b81", - "SHA1": "2e6d61fa32e12fe4abf7b7d87aa6824f5f528000", - "SHA256": "c767a5895119154467ac3fce8e82c20e6538a4e54f6c109001c61f8abd58f9f8" + "MD5": "650fa4b522e8d06d0cdfa4bf278e85f1", + "SHA1": "dfe2533a4398d67dfc722eb8d9f8ffa3a823a721", + "SHA256": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3" }, - "InternalName": "AsrDrv.sys", - "Copyright": "Copyright (C) 2012 ASRock Incorporation", + "InternalName": "WinRing0.sys", + "Copyright": "Copyright (C) 2007 OpenLibSys.org. All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", - "RtlInitUnicodeString", - "IoDeleteDevice", - "RtlQueryRegistryValues", "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", "MmMapIoSpace", "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", - "IoCreateSymbolicLink", + "IoDeleteDevice", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -74073,10 +69689,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -74087,186 +69703,175 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, ST=California, L=Irvine, O=TOSHIBA AMERICA INFORMATION SYSTEMS, INC., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=TOSHIBA AMERICA INFORMATION SYSTEMS, INC.", + "ValidFrom": "2006-11-30 00:00:00", + "ValidTo": "2010-01-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "450d3382b4c87b8d7220cff8951f1aa2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa 
(c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "Filename": "WinRing0.sys", + "MD5": "12cecc3c14160f32b21279c1a36b8338", + "SHA1": "7fb52290883a6b69a96d480f2867643396727e83", + "SHA256": "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84", + "Signature": [ + "Noriyuki MIYAZAKI", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "OpenLibSys.org", + "Description": "WinRing0", + "Product": "WinRing0", + "ProductVersion": "1.0.1.2", + "FileVersion": "1.0.1.2", + "MachineType": "AMD64", + "OriginalFilename": "WinRing0.sys", + "Authentihash": { + "MD5": "650fa4b522e8d06d0cdfa4bf278e85f1", + "SHA1": "dfe2533a4398d67dfc722eb8d9f8ffa3a823a721", + "SHA256": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3" + }, + "InternalName": "WinRing0.sys", + "Copyright": "Copyright (C) 2007 OpenLibSys.org. All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", + "ValidFrom": "2007-09-24 10:50:55", + "ValidTo": "2008-09-24 10:50:55", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": 
"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", + "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", + "ValidFrom": "2003-12-16 13:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", + "ValidFrom": "2007-02-05 09:00:00", + "ValidTo": "2014-01-27 09:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": 
"13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "01000000000115372421a8", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] - } - ], - "Tags": [ - "AsrDrv10.sys" - ] - }, - { - "Id": "3ab0d182-6365-47a7-89f4-34121e889503", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create HwOs2Ec10x64.sys binPath=C:\\windows\\temp\\HwOs2Ec10x64.sys type=kernel && sc.exe start HwOs2Ec10x64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "HwOs2Ec10x64.sys", - "MD5": "37086ae5244442ba552803984a11d6cb", - "SHA1": "dc0e97adb756c0f30b41840a59b85218cbdd198f", - "SHA256": "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc", + "Filename": "WinRing0.sys", + "MD5": "27bcbeec8a466178a6057b64bef66512", + "SHA1": "012db3a80faf1f7f727b538cbe5d94064e7159de", + "SHA256": "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062", "Signature": [ - "Huawei Technologies Co., Ltd.", - "Symantec Class 3 Extended Validation Code Signing CA - G2", + "EVGA", + "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", "Publisher": "", - "Company": "Huawei", - "Description": "HwOs2Ec", - "Product": "Huawei MateBook", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", + "Company": "OpenLibSys.org", + "Description": "WinRing0", + "Product": "WinRing0", + "ProductVersion": "1.2.0.5", + "FileVersion": "1.2.0.5", "MachineType": "AMD64", - "OriginalFilename": "HwOs2Ec.sys", + "OriginalFilename": "WinRing0.sys", "Authentihash": { - "MD5": "20be6af18d3b97968b2a8d5a9513caaa", - "SHA1": "b6a4ef3babbd79479723b8586ea0e8c7a33d1661", - "SHA256": "ab494aba56e9ea7b6055ac437f6b678e7239b0fda54bf28019480565a098a6e3" + "MD5": "c4355451eccb590e5e6d817760d2d2ef", + "SHA1": "7aed8186977fcf7ee219da493baecdb95ec8040d", + "SHA256": "9305f0834e67aa16fb252bd30927e5f835639ef4b868f20d232260edffefd6f0" }, - "InternalName": "HwOs2Ec", - "Copyright": "Copyright (C) 2016", + "InternalName": "WinRing0.sys", + "Copyright": "Copyright (C) 2007-2008 OpenLibSys.org. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "InitSafeBootMode", - "memcpy_s", - "_wcsnicmp", - "RtlInitUnicodeString", - "RtlEqualUnicodeString", - "RtlCopyUnicodeString", - "RtlAppendUnicodeToString", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "ExAllocatePool", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExInitializeResourceLite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "ExDeleteResourceLite", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ObRegisterCallbacks", - "ObUnRegisterCallbacks", - "ZwClose", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenProcess", - "ZwQuerySystemInformation", - "ZwQueryInformationProcess", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "KeInitializeApc", - "ZwOpenThread", - "IofCompleteRequest", - "PsGetProcessPeb", - "RtlImageDirectoryEntryToData", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "__C_specific_handler", - "PsProcessType", - "PsThreadType", - "KeLowerIrql", - "KfRaiseIrql", - "MmBuildMdlForNonPagedPool", - "MmMapIoSpace", "MmUnmapIoSpace", - "MmMapIoSpaceEx", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "PsGetThreadId", - "PsGetThreadProcessId", - "MmGetSystemRoutineAddress", - "RtlGetVersion", - "ZwTerminateProcess", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeWaitForMultipleObjects", - "KeWaitForSingleObject", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "RtlCompareUnicodeStrings", - "wcscpy_s", - "RtlCompareUnicodeString", - "RtlAppendUnicodeStringToString", - "ZwCreateFile", - "ZwOpenKey", - "ZwQueryValueKey", 
- "ObOpenObjectByPointer", - "ObQueryNameString", - "IoFileObjectType", - "KeInsertQueueApc", - "DbgPrint", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], "Signatures": [ @@ -74274,13 +69879,6 @@ "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=MSFT, CN=Microsoft Authenticode(tm) Root Authority", - "ValidFrom": "1995-01-01 08:00:01", - "ValidTo": "1999-12-31 23:59:59", - "Signature": "2dc9e2f6129e5d5667fafa4b9a7edc29565c80140228856e26f3cd58da5080c5f819b3a67ce29d6b5f3b8f2274e61804fc4740d87a3f3066f012a4d1eb1de7b6f498ab5322865158ee230976e41d455c4bff4ce302500113cc41a45297d486d5c4fe8383657deabea2683bc1b12998bfa2a5fc9dd384ee701750f30bfa3cefa9278b91b448c845a0e101424b4476041cc219a28e6b2098c4dd02acb4d2a20e8d5db9368e4a1b5d6c1ae2cb007f10f4b295efe3e8ffa17358a9752ca2499585feccda448ac21244d244c8a5a21fa95a8e56c2c37bcf4260dc821ffbce74067ed6f1ac196a4f745cc51566316cc16271910f595b7d2a821adfb1b4d81d37de0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", "ValidFrom": "2012-12-21 00:00:00", 
@@ -74288,13 +69886,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Corporation, CN=Microsoft Root Authority", - "ValidFrom": "1997-01-10 07:00:00", - "ValidTo": "2020-12-31 07:00:00", - "Signature": "95e80bc08df3971835edb80124d87711f35c60329f9e0bcb3e0591888fc93ae621f2f057932cb5a047c862effcd7cc3b3b5aa9365469fe246d3fc9ccaade057cdd318d3d9f10706abbfe124f1869c0fcd043e3115a204fea627bafaa19c82b37252dbe65a1128a250f63a3f7541cf921c9d615f352ac6e433207fd8217f8e5676c0d51f6bdf152c7bde7c430fc203109881d95291a4dd51d02a5f180e003b45bf4b1ddc857ee6549c75254b6b4032812ff90d6f0088f7eb897c5ab372ce47ae4a877e376a000d06a3fc1d2368ae04112a8356a1b6adb35e1d41c04e4a84504c85a33386e4d1c0d62b70aa28cd3d5543f46cd1c55a670db123a8793759fa7d2a0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -74303,24 +69894,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=CN, ??=Guangdong, ??=Shenzhen, ??=Private Organization, serialNumber=914403001922038216, C=CN, ST=guangdong, L=shenzhen, O=Huawei Technologies Co., Ltd., CN=Huawei Technologies Co., Ltd.", - "ValidFrom": "2017-12-14 00:00:00", - "ValidTo": "2019-12-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "DC=com, DC=microsoft, CN=Microsoft Root Certificate Authority", - "ValidFrom": "2001-05-09 23:19:22", - "ValidTo": "2021-05-09 23:28:13", - "Signature": "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", + "Subject": "C=US, ST=California, L=Brea, O=EVGA, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=EVGA", + "ValidFrom": "2012-02-29 00:00:00", + "ValidTo": "2014-04-15 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -74331,17 +69908,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification Root", - "ValidFrom": "2005-11-01 13:46:46", - "ValidTo": "2025-11-01 13:54:03", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45d8f42e053d18c5e90f3febd6e17ad7", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "26d7f5563eb3e42a81f7c715fcd2799d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -74349,26 +69926,27 @@ } ], "Tags": [ - "HwOs2Ec10x64.sys" - ] + "WinRing0.sys" + ], + "yara": true }, { - "Id": "c2e70ee6-2f13-4d43-ad5a-c2bf033cc457", + "Id": "d827f7a6-1832-4ddb-90dd-7a8cf1c7f25e", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-03-04", "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", + "Category": "malicious", + "Verified": "TRUE", "Commands": { - "Command": "sc.exe create d4.sys binPath=C:\\windows\\temp\\d4.sys type=kernel && sc.exe start d4.sys", - "Description": "", + "Command": "sc.exe create LcTkA.sys binPath=C:\\windows\\temp\\LcTkA.sys type=kernel && sc.exe start LcTkA.sys", + "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. ", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", + "" ], "Acknowledgement": { "Person": "", 
@@ -74377,9 +69955,15 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "d4.sys", - "SHA256": "823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba", - "Signature": [], + "Filename": "LcTkA.sys", + "MD5": "909f3fc221acbe999483c87d9ead024a", + "SHA1": "b2f955b3e6107f831ebe67997f8586d4fe9f3e98", + "SHA256": "c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], "Date": "", "Publisher": "", "Company": "", 
@@ -74387,92 +69971,38 @@ "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "d4.sys" - ] - }, - { - "Id": "31797996-6973-402d-a4a0-d01ce51e02c0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsrIbDrv.sys binPath=C:\\windows\\temp\\AsrIbDrv.sys type=kernel && sc.exe start AsrIbDrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsrIbDrv.sys", - "MD5": "5bab40019419a2713298a5c9173e5d30", - "SHA1": "2d503a2457a787014a1fdd48a2ece2e6cbe98ea7", - "SHA256": "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a", - "Signature": [ - "ASROCK Incorporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "ASROCK Incorporation", - "Company": "RW-Everything", - "Description": "RW-Everything Read & Write Driver", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "FileVersion": "1.00.00.0000 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "RwDrv.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "a2bb232491925c750971c731b5fe0769", - "SHA1": "dd71b95f82ae2c31008da781c4de64d6059c5fca", - "SHA256": "b8d748834fb982fa033cd2671843de727999b21fad30979ac4acc4828910ef8b" + "MD5": "b663d79a688800d84065ccc2809874b7", + "SHA1": "46a9d9e9904ba5f4c011ad69d0795969c721c662", + "SHA256": "675329ef7a63a7c58d3daa6cb5c6e299143decec7a149c36a6bfe204bbf0407e" }, - "InternalName": "RwDrv.sys", - "Copyright": "Copyright (C) 2008 RW-Everything", + "InternalName": "", + 
"Copyright": "", "Imports": [ + "ntoskrnl.exe", + "HAL.dll", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", + "KeInitializeEvent", + "HalReturnToFirmware", + "ExAllocatePool", + "NtQuerySystemInformation", "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", - "RtlInitUnicodeString", - "IoDeleteDevice", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", - "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", "MmUnlockPages", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
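Review bot: The two added lines `"ntoskrnl.exe", "HAL.dll",` at the top of `Imports` duplicate the two context lines directly below them, so the new side lists both modules twice; this reads like an upstream generation artefact rather than a second import table. Either collapse it to `"Imports": ["ntoskrnl.exe", "HAL.dll"]` or have the loader treat `Imports` as a set so element counts and comparisons against other samples stay stable. The enclosing sample object starts in the previous hunk and ends after this one.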
@@ -74480,52 +70010,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - 
"Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } 
@@ -74533,75 +70035,97 @@ } ], "Tags": [ - "AsrIbDrv.sys" - ] + "LcTkA.sys" + ], + "yara": false }, { - "Id": "de003542-80e1-4aa0-9b99-ed8647a93a6e", + "Id": "6fc3034f-8b40-44ef-807a-f61d3ea2dece", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create cpuz_x64.sys binPath=C:\\windows\\temp\\cpuz_x64.sys type=kernel && sc.exe start cpuz_x64.sys", + "Command": "sc.exe create NBIOLib_X64.sys binPath=C:\\windows\\temp\\NBIOLib_X64.sys type=kernel && sc.exe start NBIOLib_X64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "cpuz_x64.sys", - "MD5": "7d46d0ddaf8c7e1776a70c220bf47524", - "SHA1": 
"d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57", - "SHA256": "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3", + "Filename": "NBIOLib_X64.sys", + "MD5": "f2f728d2f69765f5dfda913d407783d2", + "SHA1": "35829e096a15e559fcbabf3441d99e580ca3b26e", + "SHA256": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", "Signature": [ - "CPUID", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" + "MICRO-STAR INTERNATIONAL CO., LTD.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign Root CA - R1" ], "Date": "", - "Publisher": "CPUID", - "Company": "Windows (R) Server 2003 DDK provider", - "Description": "CPUID Driver", - "Product": "Windows (R) Server 2003 DDK driver", - "ProductVersion": "5.2.3790.0", - "FileVersion": "5.2.3790.0 built by: WinDDK", + "Publisher": "", + "Company": "MSI", + "Description": "NTIOLib", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", "MachineType": "AMD64", - "OriginalFilename": "cpuz.sys", + "OriginalFilename": "NTIOLib.sys", "Authentihash": { - "MD5": "68dbbf7551556cc1f85b2bb03549cc7a", - "SHA1": "21dcf78975dc9df6628e8624a56408ac66dd5218", - "SHA256": "539aa921b5352ab385430e1608ac5c0ae36f35e678d471b7a5994ec7c02eadea" + "MD5": "2d87365d63e81ef0edc577bf0cb33995", + "SHA1": "b472d32094e258b2af60914db8604cd0bf439c4b", + "SHA256": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8" }, - "InternalName": "cpuz.sys", - "Copyright": "© Microsoft Corporation. All rights reserved.", + "InternalName": "NTIOLib.sys", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", "IoDeleteDevice", - "IoDeleteSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", "RtlInitUnicodeString", - "MmMapIoSpace", "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlUnwindEx", - "MmUnmapIoSpace", - "PsGetVersion", - "IofCompleteRequest", + "IoDeleteSymbolicLink", + "__C_specific_handler", "HalSetBusDataByOffset", "HalGetBusDataByOffset" ], 
@@ -74611,45 +70135,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign 
Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=FR, ST=NORD, L=DUNKERQUE, O=CPUID, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=CPUID", - "ValidFrom": "2007-02-08 00:00:00", - "ValidTo": "2009-02-07 23:59:59", - "Signature": "6ca08361ce69863ade5289039d2e6eaf79729d950a57fc32158e56bc0bfc05ca3b76263b8e8a5e2279522eceed35495c697a2f1b1631e1a4f997c8b2e14cd08a3b4aaeca9f150126f5933e6a29fde1e3ef607f452219582ac034c3f95023fd6c5474008ecea3aab5ba096ae73a3dd76b296d3c8b06a72ca763698e49474d624c22ad57a3d11342be8a6d2a49e4af5893003fcf02900a0fbf4854858cc0468d23b9917cfe59ac8b7058de49ab25bbca0bc67f1f367309deed4827295173fad53932d12ad79b8c70175e640f7917fd60940be86d1af397dd5eb0ecb9e92f9e3dc03f2cbf51e9776b31a8cba38fabd8b27e561f66a5ddad46546d6bc984a6a8d8bc", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, 
CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2014-06-03 09:16:15", + "ValidTo": "2017-09-03 09:16:15", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "10e29d74903d9c7cd58caa35a0944770", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign 
Class 3 Code Signing 2004 CA" + "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } @@ -74657,17 +70181,18 @@ } ], "Tags": [ - "cpuz_x64.sys" - ] + "NBIOLib_X64.sys" + ], + "yara": true }, { - "Id": "b03798af-d25a-400b-9236-4643a802846f", + "Id": "2651f5c4-d9e1-4b06-92be-e9e7313f87c4", "Author": "Nasreddine Bencherchali", "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create RwDrv.sys binPath=C:\\windows\\temp\\RwDrv.sys type=kernel && sc.exe start RwDrv.sys", + "Commands": "sc.exe create asio.sys binPath=C:\\windows\\temp\\asio.sys type=kernel && sc.exe start asio.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
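Review bot: The certificate distinguished names on the new side have hyphens turned into commas — `O=GlobalSign nv,sa`, `CN=GlobalSign CodeSigning CA , G2`, `O=MICRO,STAR INTERNATIONAL CO., LTD.` and the `Issuer` under `Signer` — while the `Signature` array for the same sample in hunk @ -74533 spells them `GlobalSign CodeSigning CA - G2` and `MICRO-STAR INTERNATIONAL CO., LTD.`. Any check that compares `Subject` or `Issuer` from this file against a DN read from a live certificate or an event log will miss, and splitting on `, ` to recover RDNs yields bogus components, so this should be fixed at the source or consumers should key on `SerialNumber` rather than on DN strings. The `Signatures` object is cut at the top of this hunk.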
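Review bot: In this record `Commands` is a bare string and `Description` is `[]`, whereas the records earlier in the file (hunk @ -74349) carry `Commands` as an object holding `Command`, `Description`, `Usecase`, `Privileges` and `OperatingSystem`, with `Description` as a string; the sample in the next hunk (@ -74682) likewise uses `FileName` where the other samples use `Filename`. A loader that unmarshals into one fixed struct will either reject the type change or silently drop these fields, so the client should normalise these keys on load or the upstream schema should be made uniform before the file is vendored. The enclosing record continues into the following hunks.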
@@ -74682,23 +70207,23 @@ "Detection": [], "KnownVulnerableSamples": [ { - "FileName": "RwDrv.sys", - "MD5": "f853abe0dc162601e66e4a346faed854", - "SHA1": "35b28b15835aa0775b57f460d8a03e53dc1fb30f", - "SHA256": "1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe", + "FileName": "asio.sys", + "MD5": "bedc99bbcedaf89e2ee1aa574c5a2fa4", + "SHA1": "160a237295a9e5cbb64ca686a84e47553a14f71d", + "SHA256": "0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6", "Authentihash": { - "MD5": "9996409a6c7c91374a597ea9d1f7799c", - "SHA1": "5851f58c92f8fd548c42f10c258d1e95afe7ce88", - "SHA256": "1fd7a44b042d397ad5a6417e4aa4b30eb2e40df6274d3ac7155ecc68c88cdb6d" + "MD5": "7bb2dcc29ba50372d08fea800c190f09", + "SHA1": "e5c090903a20744ba3583a8ea684d035e8cecc34", + "SHA256": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3" }, - "Description": "RwDrv Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RwDrv Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2011 RW-Everything", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -74706,42 +70231,22 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "IoRegisterPlugPlayNotification", - "MmFreeContiguousMemorySpecifyCache", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", + "ZwClose", "IoDeleteDevice", - "IoFreeWorkItem", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "KeReleaseSpinLock", - "MmUnmapIoSpace", - "IoFreeMdl", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "MmGetPhysicalAddress", - "IoGetDeviceObjectPointer", - "IoBuildAsynchronousFsdRequest", - "ExInterlockedInsertTailList", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "IoUnregisterPlugPlayNotification", - "IofCompleteRequest", - "KeWaitForSingleObject", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", + "MmAllocateContiguousMemory", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", - "RtlCopyUnicodeString", - "ObfDereferenceObject", "IoCreateDevice", - "IoQueueWorkItem", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoAllocateWorkItem", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -74749,104 +70254,83 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2014-12-19 19:27:34", + "ValidTo": "2016-03-19 19:27:34", + "Signature": "9c8895d0b78e2fb9a8fff5d730270c52de3a7ead8c7e649a21d81298c0a56bed1fb109217ae8b55a5c3a4334ee73203e5d44c03ef843ef2b93621369e7079513d72985c1143d04b5f342dc3a92f554bd1a8a58943c177dda5dd7c3e5280891583cd251dac090051e36faa455e751498657c06ff9f886e6d431b498fce1ea596e21d8bc45c8ad97e2376158c2d18a1f1daaa694fd736ab959c8980358f5f83ccf340fc6594ddeb60587c567e7167ea1129a81f536222046cdde2706e30d6f2fb3b9984bace9f40afe2473a4b4ee4e1fb799259ba41101e08b546d55b55ecd52f10296d5ad0dadeba22cf7c250d5f029457c15f95dee91af4ee7ee0ed6f67ff4fc", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "330000001dc31a761624754f8000000000001d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" 
} ] } ] }, { - "FileName": "RwDrv.sys", - "MD5": "4ad30223df1361726ff64417f8515272", - "SHA1": "3f6a997b04d2299ba0e9f505803e8d60d0755f44", - "SHA256": "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f", + "FileName": "AsIO32.sys", + "MD5": "2ca1044a04cb2f0ce5bd0a5832981e04", + "SHA1": "8b86c99328e4eb542663164685c6926e7e54ac20", + "SHA256": "1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a", "Authentihash": { - "MD5": "a3b9e0285d00597ea1531664a051be06", - "SHA1": "e7fac017b371a43276e03bf5f71d437e8d377930", - "SHA256": "0a3090ae46b3ce5f4cc6ba2d4dd265033e23c813d5c1e9c7a20a84d5d167dae3" + "MD5": "3824dd56459d29ffc5d4bb51d7123778", + "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", + "SHA256": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9" }, - "Description": "RW-Everything Read & Write Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2008 RW-Everything", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "MmFreeContiguousMemorySpecifyCache", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", "IoDeleteDevice", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoBuildAsynchronousFsdRequest", - "MmMapIoSpace", + "IoDeleteSymbolicLink", + "WRITE_REGISTER_ULONG", + "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", + "ZwUnmapViewOfSection", 
"IoCreateSymbolicLink", "IoCreateDevice", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeBugCheckEx", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "KeTickCount", + "WRITE_REGISTER_USHORT", + "WRITE_REGISTER_UCHAR", + "READ_REGISTER_ULONG", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "KeQuerySystemTime", + "MmGetPhysicalAddress", + "KeDelayExecutionThread", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "HalTranslateBusAddress", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG" ], "Signatures": [ { 
@@ -74854,75 +70338,47 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2014-03-07 00:00:00", - "ValidTo": "2017-05-05 23:59:59", - "Signature": "1a2d36e51fc7012c4b1548f12a0b4dbef774c3662171e0e1779f412648292619a8d74f8603af4fff5516d4859e7a26de9f0f688b2714b64ff296e56165afb0781c9a9dd23220d939c15cc218fe29d63d9ccd12f74127268c027d4041d392cad853e9da0a6d9379ac46efa8fe2099da7c49374b6c416139038143a94cc56334fad15ccbba2a821a22591d2c5b1449999e40af21e4f8280485d02056d904740e5c73a36e30c43376e7dbc8d0ccb7520e4bffc6501d0c0674a684398281b23d7dcb4386721fdece5817c74509fe6cc86751cd28e255dd47de330646d6bfe863fc50c773b90078f0332c3a02539c9e82b5e793c288063f91ed5f2036eb6cd4eae9e0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2014-12-19 19:27:34", + "ValidTo": "2016-03-19 19:27:34", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "03ffdaa3aac322387d7eb98acf9524bf", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "330000001dc31a761624754f8000000000001d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party 
Component CA 2012" } ] } ] }, { - "FileName": "RwDrv.sys", - "MD5": "969f1d19449dc5c2535dd5786093f651", - "SHA1": "78834ff75e2ff8b7456e85114802e58bc9fda457", - "SHA256": "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14", + "FileName": "AsIO3.sys", + "MD5": "40f39a98fb513411dacdfc5b2d972206", + "SHA1": "fe02ae340dc7fe08e4ad26dab9de418924e21603", + "SHA256": "26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40", "Authentihash": { - "MD5": "a36411168cc8b448c6864d890c7727ea", - "SHA1": "c2f2ac17f06be23c0b71f929ea63356123f3a72f", - "SHA256": "aa7f25d4857a4b443222934bcbb0904348a799fc884096f653d921817c0b34aa" + "MD5": "8c33214968ec9043fa1c6abf1911e06d", + "SHA1": "3075f1fc419a62544b291d02e9067783cb0fd1f3", + "SHA256": "5aa7a47c7abaf13453b8ab309ef16bdd80ceaf7407e67fa27932d4591f025d67" }, - "Description": "RW-Everything Read & Write Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2008 RW-Everything", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -74930,28 +70386,34 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
+ "DbgPrint",
+ "RtlGetVersion",
+ "KeDelayExecutionThread",
+ "ExAllocatePoolWithTag",
 "ExFreePoolWithTag",
- "MmFreeContiguousMemorySpecifyCache",
- "RtlInitUnicodeString",
- "IoDeleteDevice",
- "RtlQueryRegistryValues",
- "MmUnmapIoSpace",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
- "IoBuildAsynchronousFsdRequest",
- "MmMapIoSpace",
+ "MmGetSystemRoutineAddress",
+ "MmAllocateContiguousMemory",
 "IofCompleteRequest",
- "IoFreeIrp",
- "RtlCompareMemory",
- "MmUnlockPages",
- "IoCreateSymbolicLink",
 "IoCreateDevice",
- "MmAllocateContiguousMemorySpecifyCache",
- "IofCallDriver",
+ "IoCreateSymbolicLink",
+ "IoDeleteDevice",
+ "IoDeleteSymbolicLink",
+ "RtlCopyUnicodeString",
+ "ObReferenceObjectByHandle",
+ "ObfDereferenceObject",
+ "ZwClose",
+ "ZwOpenSection",
+ "ZwMapViewOfSection",
+ "ZwUnmapViewOfSection",
+ "MmGetPhysicalAddress",
+ "__C_specific_handler",
+ "ZwOpenFile",
+ "ZwQueryInformationFile",
+ "ZwReadFile",
 "KeBugCheckEx",
- "ExAllocatePoolWithTag",
- "KeStallExecutionProcessor"
+ "IoIs32bitProcess",
+ "RtlInitUnicodeString",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
@@ -74959,75 +70421,68 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", - "ValidFrom": "2011-03-07 00:00:00", - "ValidTo": "2014-04-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] }, { - "FileName": "RwDrv.sys", - "MD5": "c2585e2696e21e25c05122e37e75a947", - "SHA1": "f736ccbb44c4de97cf9e9022e1379a4f58f5a5b8", - "SHA256": "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf", + "FileName": "AsIO3.sys", + "MD5": "19f32bf24b725f103f49dc3fa2f4f0bd", + "SHA1": "e40ea8d498328b90c4afbb0bb0e8b91b826f688e", + "SHA256": "2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396", "Authentihash": { - "MD5": "0496b6428ce874959af5387ce44b4eaf", - "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848", - "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d" + "MD5": "cf61dd8f9a187de6219f930866defcbd", + "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", + "SHA256": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" }, - "Description": "RwDrv Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - 
"FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RwDrv Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2011 RW-Everything", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -75035,42 +70490,40 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
+ "KeSetEvent",
+ "KeDelayExecutionThread",
+ "KeWaitForSingleObject",
+ "ExAllocatePoolWithTag",
 "ExFreePoolWithTag",
- "IoRegisterPlugPlayNotification",
- "MmFreeContiguousMemorySpecifyCache",
- "RtlInitUnicodeString",
- "IoDeleteDevice",
- "IoFreeWorkItem",
- "KeInitializeEvent",
- "RtlQueryRegistryValues",
- "KeReleaseSpinLock",
- "MmUnmapIoSpace",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
- "IoGetDeviceObjectPointer",
- "IoBuildAsynchronousFsdRequest",
- "ExInterlockedInsertTailList",
- "IoBuildDeviceIoControlRequest",
- "MmMapIoSpace",
- "IoUnregisterPlugPlayNotification",
+ "MmGetSystemRoutineAddress",
+ "MmAllocateContiguousMemory",
+ "MmFreeContiguousMemory",
 "IofCompleteRequest",
- "KeWaitForSingleObject",
- "IoFreeIrp",
- "RtlCompareMemory",
- "MmUnlockPages",
+ "IoCreateDevice",
 "IoCreateSymbolicLink",
- "RtlCopyUnicodeString",
+ "IoCreateSynchronizationEvent",
+ "IoDeleteDevice",
+ "RtlGetVersion",
+ "IoIs32bitProcess",
+ "ObReferenceObjectByHandle",
 "ObfDereferenceObject",
- "IoCreateDevice",
- "IoQueueWorkItem",
- "MmAllocateContiguousMemorySpecifyCache",
- "IofCallDriver",
- "KeAcquireSpinLockRaiseToDpc",
+ "ZwClose",
+ "ZwOpenSection",
+ "ZwMapViewOfSection",
+ "ZwUnmapViewOfSection",
+ "MmGetPhysicalAddress",
+ "__C_specific_handler",
+ "ZwOpenFile",
+ "ZwQueryInformationFile",
+ "ZwReadFile",
 "KeBugCheckEx",
- "IoAllocateWorkItem",
- "ExAllocatePoolWithTag",
- "KeStallExecutionProcessor"
+ "DbgPrint",
+ "RtlCopyUnicodeString",
+ "IoDeleteSymbolicLink",
+ "RtlInitUnicodeString",
+ "HalSetBusDataByOffset",
+ "HalGetBusDataByOffset",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
@@ -75078,104 +70531,83 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "CN=ccf(TestCo)", - "ValidFrom": "2022-11-26 13:56:19", - "ValidTo": "2039-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.3.14.3.2.29" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", - "ValidFrom": "2022-08-01 00:00:00", - "ValidTo": "2031-11-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", - "ValidFrom": "2022-03-23 00:00:00", - "ValidTo": "2037-03-22 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2", - "ValidFrom": "2022-09-21 00:00:00", - "ValidTo": "2033-11-21 23:59:59", - "Signature": "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", + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2021-10-22 00:00:00", + "ValidTo": "2024-10-22 23:59:59", + "Signature": "1a8b6fd4e11cec34a3dfea314f0d59c6f41c56f76e1ac51f68e0285f1abdbda9e22628939dbd7acdf890d8ff3c7c4fff180c624b8434c6536bb61f1ff459d48a14c001d9d40ff1587cf64ce82edee2a24da8d80cd240e2af6d0e1c61aab24ce95f9c8ef50eeb0e153a343c1279fe6a003c44f3bd3ffa75ffbe314fc13bb36a9bbb3cea6026f5cb582992b016059074e4fcd8c16d4c5e8750bc9a196f94525317febcddb2d0121a235bb95136a0e4fc25611cd2915f4b488b66888168b90824e171d3214480c99fadb7b6c89cafc500eee468cb7faa9c1c1526d224ff389de012480480ced98831c324b129f2df3d3493d002ec8d4725e00eda33994f82493505861f61035c625d1c9ce2c7363799d3f1df9b17712b43cbf4c2027b54c796cbaca6b1523d028291e07774168a976ee3c879c850c1aaf65b1cec5c6dcb445487ab11b3967b8dd7726fe0dc529f7d624346a996adfd9dc6aab808edd9836a93e229ddbba4e8bb1c59719b6ebdcfc74d73f57ed946e936b5659783c199395bd2595458958edde6674bf08b3b650a8aeaa5507053b3f6ee7aedf16f55b849111535ca68ea11a5827551cba28023e230db7a209c763743ea22be0948ecf03d98ed447f66ecb97c0a525eb3b469779f2417f2082c4244b50936a9cb215745c71f3c27c98220f76395ba22a2f921a87655237977febd8b9a1564333af0cdf8e749bce0dd", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "7030126691c282b942598e0cdadcf4bc", - "Issuer": "CN=ccf(TestCo)" + "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } ] }, { - "FileName": "RwDrv.sys", - "MD5": "7437d4070b5c018e05354c179f1d5e2a", - 
"SHA1": "03a56369b8b143049a6ec9f6cc4ef91ac2775863", - "SHA256": "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de", + "FileName": "asio.sys", + "MD5": "bfe96411cf67edb3cee2b9894b910cd5", + "SHA1": "67dfd415c729705396ce54166bd70faf09ac7f10", + "SHA256": "48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9", "Authentihash": { - "MD5": "7fd75a9a4906445cc73a0a402bae506a", - "SHA1": "cd111bf04815d4d1040a2813efb2d15ccfbd9b74", - "SHA256": "a97e5c6cd926fa47ab1a69963169223cc669bd654a2f128165ba4ebe1d08bd17" + "MD5": "3824dd56459d29ffc5d4bb51d7123778", + "SHA1": "5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346", + "SHA256": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9" }, - "Description": "RW-Everything Read & Write Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RW-Everything Read & Write Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2008 RW-Everything", - "MachineType": "AMD64", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "IoRegisterPlugPlayNotification", - "MmFreeContiguousMemorySpecifyCache", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", "IoDeleteDevice", - "IoFreeWorkItem", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "KeReleaseSpinLock", - "MmUnmapIoSpace", - "IoFreeMdl", - "MmGetPhysicalAddress", - "IoGetDeviceObjectPointer", - "IoBuildAsynchronousFsdRequest", - "ExInterlockedInsertTailList", - "IoBuildDeviceIoControlRequest", - "MmMapIoSpace", - "IoUnregisterPlugPlayNotification", + "IoDeleteSymbolicLink", + 
"WRITE_REGISTER_ULONG", + "MmAllocateContiguousMemory", "IofCompleteRequest", - "KeWaitForSingleObject", - "IoFreeIrp", - "RtlCompareMemory", - "MmUnlockPages", + "ZwUnmapViewOfSection", "IoCreateSymbolicLink", - "RtlCopyUnicodeString", - "ObfDereferenceObject", "IoCreateDevice", - "IoQueueWorkItem", - "MmAllocateContiguousMemorySpecifyCache", - "IofCallDriver", - "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoAllocateWorkItem", - "ExAllocatePoolWithTag", - "KeStallExecutionProcessor" + "KeTickCount", + "WRITE_REGISTER_USHORT", + "WRITE_REGISTER_UCHAR", + "READ_REGISTER_ULONG", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "KeQuerySystemTime", + "MmGetPhysicalAddress", + "KeDelayExecutionThread", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "HalTranslateBusAddress", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG" ], "Signatures": [ { @@ -75183,10 +70615,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -75211,10 +70643,10 @@
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation",
- "ValidFrom": "2011-03-07 00:00:00",
- "ValidTo": "2014-04-03 23:59:59",
- "Signature": "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",
+ "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.",
+ "ValidFrom": "2012-07-31 00:00:00",
+ "ValidTo": "2015-08-03 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -75227,7 +70659,7 @@
 ],
 "Signer": [
 {
- "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e",
+ "SerialNumber": "7d08d9bc130726de26ee4ef28e133084",
 "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
@@ -75235,23 +70667,23 @@
 ]
 },
 {
- "FileName": "RwDrv.sys",
- "MD5": "903c149851e9929ec45daefc544fcd99",
- "SHA1": "1901467b6f04a93b35d3ca0727c8a14f3ce3ed52",
- "SHA256": "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a",
+ "FileName": "asio.sys",
+ "MD5": "ea14899d1bfba397bc731770765768d1",
+ "SHA1": "c775ca665ed4858acc3f7e75e025cbbda1f8c687",
+ "SHA256": "506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28",
 "Authentihash": {
- "MD5": "0496b6428ce874959af5387ce44b4eaf",
- "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848",
- "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d"
+ "MD5": "9fd03554246c6c74c232919c680d7be8",
+ "SHA1": "b25550309c902a21b03367ae27694c5a29b891b5",
+ "SHA256": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614"
 },
- "Description": "RwDrv Driver",
- "Company": "RW-Everything",
- "InternalName": "RwDrv.sys",
- "OriginalFilename": "RwDrv.sys",
- "FileVersion": "1.00.00.0000 built by: WinDDK",
- "Product": "RwDrv Driver",
- "ProductVersion": "1.00.00.0000",
- "Copyright": "Copyright (C) 2011 RW-Everything",
+ "Description": "",
+ "Company": "",
+ "InternalName": "",
+ "OriginalFilename": "",
+ "FileVersion": "",
+ "Product": "",
+ "ProductVersion": "",
+ "Copyright": "",
 "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
@@ -75259,42 +70691,22 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
- "ExFreePoolWithTag",
- "IoRegisterPlugPlayNotification",
- "MmFreeContiguousMemorySpecifyCache",
+ "ZwMapViewOfSection",
+ "ObReferenceObjectByHandle",
+ "ZwOpenSection",
 "RtlInitUnicodeString",
 "IoDeleteDevice",
- "IoFreeWorkItem",
- "KeInitializeEvent",
- "RtlQueryRegistryValues",
- "KeReleaseSpinLock",
- "MmUnmapIoSpace",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
- "IoGetDeviceObjectPointer",
- "IoBuildAsynchronousFsdRequest",
- "ExInterlockedInsertTailList",
- "IoBuildDeviceIoControlRequest",
- "MmMapIoSpace",
- "IoUnregisterPlugPlayNotification",
- "IofCompleteRequest",
- "KeWaitForSingleObject",
- "IoFreeIrp",
- "RtlCompareMemory",
- "MmUnlockPages",
+ "IoDeleteSymbolicLink",
+ "ZwClose",
+ "MmGetPhysicalAddress",
+ "MmAllocateContiguousMemory",
+ "ZwUnmapViewOfSection",
+ "IoIs32bitProcess",
 "IoCreateSymbolicLink",
- "RtlCopyUnicodeString",
- "ObfDereferenceObject",
 "IoCreateDevice",
- "IoQueueWorkItem",
- "MmAllocateContiguousMemorySpecifyCache",
- "IofCallDriver",
- "KeAcquireSpinLockRaiseToDpc",
- "KeBugCheckEx",
- "IoAllocateWorkItem",
- "ExAllocatePoolWithTag",
- "KeStallExecutionProcessor"
+ "IofCompleteRequest",
+ "KeDelayExecutionThread",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
@@ -75302,61 +70714,54 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "CN=lab,z.com", - "ValidFrom": "2022-07-26 05:54:45", - "ValidTo": "2039-12-31 23:59:59", - "Signature": "3509d504605054d964ca214b28b1926809a3009a7852971a2b9e44a225131f0f772bdd65194ba25e929c2892fbcd99e37100985452a2f5a079b2e356731faf0d2f32dc47c09415c07d529d4f0383a52904b1f2d19ccbf17b5c99829593ff626607b95465f79d0e07bca1164d482e2e9b7f7bc03678804f6179453076e1de7e2a144438534dbe9a91f62d46d6fd3bf6971dfafa79c2c69bf330ba5ff3011f45bff7b21f1ebe80cf9a48f8c1381cf4199dd580a4a55c2f9166a3c7e0ac5f7f942183339ea90fdcfe92f41cb7a26aba213b769f439bb8e6f16862cc65661f92b1c272834ec4da1a39100f238079c5de28067ebbcff9445262e4ba04106ad75facde", - "SignatureAlgorithmOID": "1.3.14.3.2.29" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", - "ValidFrom": "2022-06-09 00:00:00", - "ValidTo": "2031-11-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", + "ValidFrom": "2011-09-02 00:00:00", + "ValidTo": "2014-09-01 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", - "ValidFrom": "2022-03-23 00:00:00", - "ValidTo": "2037-03-22 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2022 , 2", - "ValidFrom": "2022-03-29 00:00:00", - "ValidTo": "2033-03-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0dabd5a60a452fb44eadf46f478c7028", - "Issuer": "CN=lab,z.com" + "SerialNumber": "43bb437d609866286dd839e1d00309f5", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "RwDrv.sys", - "MD5": "60e84516c6ec6dfdae7b422d1f7cab06", - "SHA1": "66e95daee3d1244a029d7f3d91915f1f233d1916", - "SHA256": "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d", + "FileName": "AsIO2.sys", + "MD5": "09672532194b4bff5e0f7a7d782c7bf2", + "SHA1": "aa2ea973bb248b18973e57339307cfb8d309f687", + "SHA256": "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a", "Authentihash": { - "MD5": "0496b6428ce874959af5387ce44b4eaf", - "SHA1": "39257fb86df888207e4f3a7768561b4ab1557848", - "SHA256": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d" + "MD5": "9387de920b7da0bd65f15323feed6a18", + "SHA1": "92fee95e32a727d135f1f46ca98c201fffbf6950", + "SHA256": 
"9c7ad854f6670452d7da064d4b429eb90c42155b6f7eaa52ee471d9ee8b61e6f" }, - "Description": "RwDrv Driver", - "Company": "RW-Everything", - "InternalName": "RwDrv.sys", - "OriginalFilename": "RwDrv.sys", - "FileVersion": "1.00.00.0000 built by: WinDDK", - "Product": "RwDrv Driver", - "ProductVersion": "1.00.00.0000", - "Copyright": "Copyright (C) 2011 RW-Everything", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -75364,46 +70769,38 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
+ "DbgPrint",
+ "KeDelayExecutionThread",
+ "ExAllocatePoolWithTag",
 "ExFreePoolWithTag",
- "IoRegisterPlugPlayNotification",
- "MmFreeContiguousMemorySpecifyCache",
- "RtlInitUnicodeString",
- "IoDeleteDevice",
- "IoFreeWorkItem",
- "KeInitializeEvent",
- "RtlQueryRegistryValues",
- "KeReleaseSpinLock",
- "MmUnmapIoSpace",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
- "IoGetDeviceObjectPointer",
- "IoBuildAsynchronousFsdRequest",
- "ExInterlockedInsertTailList",
- "IoBuildDeviceIoControlRequest",
- "MmMapIoSpace",
- "IoUnregisterPlugPlayNotification",
+ "MmGetSystemRoutineAddress",
+ "MmAllocateContiguousMemory",
 "IofCompleteRequest",
- "KeWaitForSingleObject",
- "IoFreeIrp",
- "RtlCompareMemory",
- "MmUnlockPages",
+ "IoCreateDevice",
 "IoCreateSymbolicLink",
+ "IoDeleteDevice",
+ "IoDeleteSymbolicLink",
+ "IoIs32bitProcess",
 "RtlCopyUnicodeString",
 "ObfDereferenceObject",
- "IoCreateDevice",
- "IoQueueWorkItem",
- "MmAllocateContiguousMemorySpecifyCache",
- "IofCallDriver",
- "KeAcquireSpinLockRaiseToDpc",
+ "ZwClose",
+ "ZwOpenSection",
+ "ZwMapViewOfSection",
+ "ZwUnmapViewOfSection",
+ "MmGetPhysicalAddress",
+ "RtlCompareUnicodeString",
+ "ZwOpenFile",
+ "ZwQueryInformationFile",
+ "ZwReadFile",
+ "__C_specific_handler",
 "KeBugCheckEx",
- "IoAllocateWorkItem",
- "ExAllocatePoolWithTag",
- "KeStallExecutionProcessor"
+ "ObReferenceObjectByHandle",
+ "RtlInitUnicodeString",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
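Review bot: At the end of this hunk `"CertificatesInfo"` changes from the empty array `[]` to the empty string `""`, so the field's JSON type is no longer stable between the two revisions and, unless every other record in the dataset now carries the string form, between records either; a consumer that decodes it into a fixed-typed field (presumably a Go struct, given the `pkg/` path) will reject whichever form it was not declared for. Since this file is vendored upstream data, the fix belongs in the loader rather than in the JSON: decode `CertificatesInfo` into a type that accepts both shapes, or document that `""` is the upstream placeholder for an absent list. The same placeholder-string-versus-list pattern is visible in `"ExportedFunctions": ""` beside the array-valued `"ImportedFunctions"` here and in the neighbouring hunks, so the loader should treat that pair the same way.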
@@ -75413,20 +70810,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, CN=ChongKim Chan", - "ValidFrom": "2012-07-31 20:41:59", - "ValidTo": "2013-08-01 20:41:59", - "Signature": "6b86336c2008e3d1a9cb42f4e323c36c782602b06948e63b7cc646ca61b5768677c2cdd5cf24f58d68844079cd6d8e9534b3170a0261fe64ea47971eecf4a84de8174a4a8b5c6ad87894cf5cc8a10ec522db9697504b208442ae34ec6e9a0e85d93470f66374f36c4f1ec3483c136497b2880d8ba4de0342b5aa2c0890ad80e010c8e34ae8792740e677952d3bc05a36a032ab7bbb64051d506f674e0232f66900c8c29dad2df6960012a8bb216f9e83157632545ead40db592c1e7de76f407601b111113e9b087db3e780f21a61e9f7593e96332f0c35162e0900a61c6ba3a88faee64d9fe94cad5705d6d16585603b5bb376161bdcf01b0bb9022bb360aceb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -75435,118 +70818,109 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "11218f56dafd7542d5f3d70b213e2a546cff", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA 
(SHA2)" } ] } ] - } - ], - "Tags": [ - "RwDrv.sys" - ] - }, - { - "Id": "2ea12acc-95b6-4f91-afb7-8ded7a2fe9d9", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create vmdrv.sys binPath=C:\\windows\\temp\\vmdrv.sys type=kernel && sc.exe start vmdrv.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "vmdrv.sys", - "MD5": "6d67da13cf84f15f6797ed929dd8cf5d", - "SHA1": "1a17cc64e47d3db7085a4dc365049a2d4552dc8a", - "SHA256": "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921", + "FileName": "AsIO3.sys", + "MD5": "ba23266992ad964eff6d358d946b76bd", + "SHA1": "d1670bd08cfd376fc2b70c6193f3099078f1d72f", + "SHA256": "71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d", "Authentihash": { - "MD5": "9ee5190f4bd124445626451cc09d49ce", - "SHA1": "b73a1aae1e15b9a7e2cc0d486449e132671aebec", - "SHA256": "fabe94809d90ade89dad012b22243e3fb755a131800140f8f8b30c989c371301" + "MD5": "ace2d8ea30005bce12b1421f431bc39c", + "SHA1": "f084b6ba134b23e06f5867e650ba4eb9d1007231", + "SHA256": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61" }, - "Description": "Voicemod Virtual Audio Device (WDM)", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "vmdrv.sys", - "OriginalFilename": "vmdrv.sys", - "FileVersion": "10.0.10011.16384", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "10.0.10011.16384", - "Copyright": "Copyright (C) Voicemod S.L.2010-2020", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ 
"ntoskrnl.exe", - "portcls.sys" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeClearEvent", - "KeSetEvent", - "ExFreePool", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "RtlCopyUnicodeString", "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ExEventObjectType", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExSystemTimeToLocalTime", - "_purecall", - "KeInitializeDpc", - "KeFlushQueuedDpcs", - "KeInitializeMutex", - "KeReleaseMutex", - "KeInitializeTimerEx", - "KeCancelTimer", - "KeSetTimerEx", - "KeWaitForSingleObject", - "KeInitializeSpinLock", - "IoAllocateWorkItem", - "IoFreeWorkItem", - "IoQueueWorkItem", - "RtlIsNtDdiVersionAvailable", - "PcInitializeAdapterDriver", - "PcDispatchIrp", - "PcAddAdapterDevice", - "PcRegisterAdapterPowerManagement", - "PcNewServiceGroup", - "PcRegisterSubdevice", - "PcRegisterPhysicalConnection", - "PcNewPort" + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + 
"ValidTo": "2031-01-07 12:00:00", + "Signature": "719512e951875669cdefddda7caa637ab378cf06374084ef4b84bfcacf0302fdc5a7c30e20422caf77f32b1f0c215a2ab705341d6aae99f827a266bf09aa60df76a43a930ff8b2d1d87c1962e85e82251ec4ba1c7b2c21e2d65b2c1435430468b2db7502e072c798d63c64e51f4810185f8938614d62462487638c91522caf2989e5781fd60b14a580d7124770b375d59385937eb69267fb536189a8f56b96c0f458690d7cc801b1b92875b7996385228c61ca79947e59fc8c0fe36fb50126b66ca5ee875121e458609bba0c2d2b6da2c47ebbc4252b4702087c49ae13b6e17c424228c61856cf4134b6665db6747bf55633222f2236b24ba24a95d8f5a68e52", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", "ValidFrom": "2011-04-15 19:45:33", @@ -75555,10 +70929,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=ES, ??=Private Organization, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", - "ValidFrom": "2019-12-13 00:00:00", - "ValidTo": "2020-12-17 12:00:00", - "Signature": "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", + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { @@ -75571,7 +70945,7 @@ ], "Signer": [ { - "SerialNumber": "02c5372170daa825b5e24b614268c5b5", + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] 
@@ -75579,69 +70953,59 @@ ] }, { - "FileName": "vmdrv.sys", - "MD5": "0e625b7a7c3f75524e307b160f8db337", - "SHA1": "5088c71a740ef7c4156dcaa31e543052fe226e1c", - "SHA256": "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3", + "FileName": "AsIO2.sys", + "MD5": "f4e1997192d5a95a38965c9e15c687fc", + "SHA1": "d3b23a0b70d6d279abd8db109f08a8b0721ce327", + "SHA256": "72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de", "Authentihash": { - "MD5": "b402effbea875040846c88d9b8b08b36", - "SHA1": "08e1ee43f0e00155730448f017a4616efa2afdf0", - "SHA256": "57ae8d2d962cdde554831415725583fcf4ae5fc844c19983a7c37e31b12109a3" + "MD5": "00222ac0100839199b77ebb2c911eda5", + "SHA1": "bb4bff7156e15818a9e6344bad411587f3dcc0a1", + "SHA256": "0e955e57f078a2c0de7d113e85859bb3e0fcac772a5a1b9b9709a90a86ef4cd5" }, - "Description": "Voicemod Virtual Audio Device (WDM)", - "Company": "Windows (R) Win 7 DDK provider", - "InternalName": "vmdrv.sys", - "OriginalFilename": "vmdrv.sys", - "FileVersion": "10.0.10011.16384", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "10.0.10011.16384", - "Copyright": "Copyright (C) Voicemod S.L.2010-2020", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "portcls.sys" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeClearEvent", - "KeSetEvent", - "ExFreePool", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "RtlCopyUnicodeString", "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ExEventObjectType", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - 
"ExSystemTimeToLocalTime", - "_purecall", - "KeInitializeDpc", - "KeFlushQueuedDpcs", - "KeInitializeMutex", - "KeReleaseMutex", - "KeInitializeTimerEx", - "KeCancelTimer", - "KeSetTimerEx", - "KeWaitForSingleObject", - "KeInitializeSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "IoAllocateWorkItem", - "IoFreeWorkItem", - "IoQueueWorkItem", - "RtlIsNtDdiVersionAvailable", - "PcInitializeAdapterDriver", - "PcDispatchIrp", - "PcAddAdapterDevice", - "PcRegisterAdapterPowerManagement", - "PcNewServiceGroup", - "PcRegisterSubdevice", - "PcRegisterPhysicalConnection", - "PcNewPort" + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "RtlCompareUnicodeString", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "__C_specific_handler", + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -75649,637 +71013,341 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "??=ES, ??=Private Organization, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", - "ValidFrom": "2019-12-13 00:00:00", - "ValidTo": "2020-12-17 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", "ValidFrom": "2012-04-18 12:00:00", "ValidTo": "2027-04-18 12:00:00", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "02c5372170daa825b5e24b614268c5b5", + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", "Issuer": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] - } - ], - "Tags": [ - "vmdrv.sys" - ] - }, - { - "Id": "f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create WinRing0x64.sys binPath=C:\\windows\\temp\\WinRing0x64.sys type=kernel && sc.exe start WinRing0x64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "WinRing0x64.sys", - "MD5": "0c0195c48b6b8582fa6f6373032118da", - "SHA1": "d25340ae8e92a6d29f599fef426a2bc1b5217299", - "SHA256": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5", - "Signature": [ - "Noriyuki MIYAZAKI", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "OpenLibSys.org", - "Description": "WinRing0", - "Product": "WinRing0", - "ProductVersion": "1.2.0.5", - "FileVersion": "1.2.0.5", - "MachineType": "AMD64", - "OriginalFilename": "WinRing0.sys", + "FileName": "AsIO3_64.sys", + "MD5": "07efb8259b42975d502a058db8a3fd21", + "SHA1": "9f22ebcd2915471e7526f30aa53c24b557a689f5", + "SHA256": "7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8", "Authentihash": { - "MD5": "2bab314d894a026ac6073efe43c14a3d", - "SHA1": "266821a39174d29f6f8791cf9f44f1a1f3439dda", - "SHA256": "1b845e5e43ce9e9b645ac198549e81f45c08197aad69708d96cdb9a719eb0e29" + "MD5": "9a476899b3d01439880bcc7ae9991d47", + "SHA1": "ac07c5670916f6c3949a49036460ac08ec43a582", + "SHA256": 
"54231728c29f2d2003ec575729760369bb72be7b656b52b4f02ec198f4ee4dfd" }, - "InternalName": "WinRing0.sys", - "Copyright": "Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "IoDeleteDevice", + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeSetEvent", + "KeDelayExecutionThread", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", - "MmMapIoSpace", - "KeBugCheckEx", "IoCreateSymbolicLink", - "MmUnmapIoSpace", - "IofCompleteRequest", + "IoCreateSynchronizationEvent", + "IoDeleteDevice", + "RtlGetVersion", + "IoIs32bitProcess", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", "__C_specific_handler", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "DbgPrint", + "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalGetBusDataByOffset", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", - "ValidFrom": "2007-09-24 10:50:55", - "ValidTo": "2008-09-24 10:50:55", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign 
nv,sa, C=BE", - "ValidFrom": "2003-12-16 13:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "5c2f2e674a26b3e7b53f353cdda003ed569af9443752163065c7d14ea20f8db7b6b6678ee74cec8d95bee6cea7227874acd7f87499b3f7ce8b1338d596cc8d76c52f38b23aae61be0b8799e321626423398d84f6858df777ffb03806f07ec1485fb5ee582606660522749283a7dbb5f992e3e8c3192c2e63efbb1fdff9f70747660d0789977ef8332c9ecbae143df11cdfa3f179afc8928f9471c4d144c554db1eb50b0aa942a3afd643391dee8f9398585bbe6e9c0bf563ec5e99c2f954fa010746da0db06424cf8ed1061d4f3ca26377455ba4bc5fb080bb31e00b54015c161d724ed52a6947d11b667e5f016ef135916be02efeb045d81627b5c58bc2da53", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", - "ValidFrom": "2007-02-05 09:00:00", - "ValidTo": "2014-01-27 09:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": 
"2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2021-10-22 00:00:00", + "ValidTo": "2024-10-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "01000000000115372421a8", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } ] - } - ], - "Tags": [ - "WinRing0x64.sys" - ] - }, - { - "Id": "1524a54d-520d-4fa4-a7d5-aaaa066fbfc4", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create dbk64.sys binPath=C:\\windows\\temp\\dbk64.sys type=kernel && sc.exe start dbk64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "dbk64.sys", - "MD5": "1c294146fc77565030603878fd0106f9", - "SHA1": "6053d258096bccb07cb0057d700fe05233ab1fbb", - "SHA256": "18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6", - "Signature": [ - "Cheat Engine", - "GlobalSign Extended Validation CodeSigning CA - SHA256 - G3", - "GlobalSign", - "GlobalSign Root CA - R1" - ], - "Date": "", - 
"Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "AsIO3.sys", + "MD5": "1414629b1ee93d2652ff49b2eb829940", + "SHA1": "df58f9b193c6916aaec7606c0de5eba70c8ec665", + "SHA256": "7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7", "Authentihash": { - "MD5": "50dadd183094b8711a4f00a198972e6b", - "SHA1": "d7512b033d7332edd747631f9d1ccc9276dadbe4", - "SHA256": "71dc8d678e0749599d3db144c93741f64def1b8b0efb98bef963d2215ebb4992" + "MD5": "cf61dd8f9a187de6219f930866defcbd", + "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", + "SHA256": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" }, + "Description": "", + "Company": "", "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ksecdd.sys", "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "BCryptVerifySignature", - "BCryptCreateHash", - "BCryptDestroyKey", - "BCryptFinishHash", - "BCryptDestroyHash", - "BCryptImportKeyPair", - "BCryptCloseAlgorithmProvider", - "BCryptGetProperty", - "BCryptHashData", - "BCryptOpenAlgorithmProvider", - "ExDeleteResourceLite", + "KeSetEvent", + "KeDelayExecutionThread", + "KeWaitForSingleObject", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "MmGetSystemRoutineAddress", "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObUnRegisterCallbacks", - "ZwClose", - "ZwOpenKey", - "ZwQueryValueKey", - "SeSinglePrivilegeCheck", - "PsSetCreateProcessNotifyRoutineEx", - "KeInitializeDpc", - "KeInsertQueueDpc", - "KeSetTargetProcessorDpc", - "KeFlushQueuedDpcs", - "KeRevertToUserAffinityThreadEx", - "KeSetSystemAffinityThreadEx", - 
"KeQueryActiveProcessors", - "KeInitializeEvent", - "KeSetEvent", - "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "PsGetCurrentThreadId", - "KeDelayExecutionThread", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "PsWrapApcWow64Thread", - "IoAllocateMdl", - "IoFreeMdl", - "IoGetCurrentProcess", + "RtlGetVersion", + "IoIs32bitProcess", "ObReferenceObjectByHandle", "ObfDereferenceObject", - "ObRegisterCallbacks", + "ZwClose", "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "MmGetPhysicalMemoryRanges", "MmGetPhysicalAddress", - "PsSetCreateThreadNotifyRoutine", - "PsGetProcessId", - "PsGetThreadProcessId", - "ExFreePoolWithTag", - "KeDetachProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "KeInitializeApc", - "KeInsertQueueApc", - "ZwOpenThread", - "ZwQueryInformationProcess", - "PsProcessType", - "PsThreadType", - "DbgBreakPointWithStatus", - "RtlGetVersion", - "ExAllocatePoolWithTag", - "MmGetVirtualForPhysical", - "PsLookupThreadByThreadId", "__C_specific_handler", - "KeQueryActiveProcessorCount", - "KeClearEvent", - "ExAcquireResourceSharedLite", - "RtlInitializeGenericTable", - "RtlInsertElementGenericTable", - "RtlDeleteElementGenericTable", - "RtlLookupElementGenericTable", - "RtlGetElementGenericTable", - "KeReleaseSemaphore", - "KeInitializeSemaphore", - "KeWaitForMultipleObjects", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "MmBuildMdlForNonPagedPool", - "ZwCreateFile", - "ZwWriteFile", - "HalDispatchTable", - "KeInitializeMutex", - "KeReleaseMutex", - "KeSetSystemAffinityThread", - "KeQueryMaximumProcessorCount", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemory", - "PsCreateSystemThread", - "ZwDeleteFile", - "ZwWaitForSingleObject", - "swprintf_s", - "MmMapIoSpace", - "MmUnmapIoSpace", 
- "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmAllocatePagesForMdl", + "ZwOpenFile", "ZwQueryInformationFile", "ZwReadFile", - "RtlAppendUnicodeToString", - "RtlUnwindEx", - "RtlAnsiCharToUnicodeChar", "KeBugCheckEx", - "ExInitializeResourceLite", - "RtlCopyUnicodeString", - "ExAllocatePool", "DbgPrint", + "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "KeAttachProcess", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass", - "WdfVersionUnbind" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2009-11-18 10:00:00", - "ValidTo": "2019-03-18 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", - "ValidFrom": "2016-06-15 00:00:00", - "ValidTo": "2024-06-15 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - 
"ValidTo": "2021-04-15 20:05:08", - "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "??=Private Organization, serialNumber=50212036, ??=NL, C=NL, ST=Noord,Brabant, L=Eindhoven, ??=Frankendaal 32, O=Cheat Engine, CN=Cheat Engine", - "ValidFrom": "2018-01-26 17:35:01", - "ValidTo": "2019-05-04 16:21:19", - "Signature": "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", + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2021-10-22 00:00:00", + "ValidTo": "2024-10-22 23:59:59", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1a9706fde692d88ca99b822d", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" + "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } ] - } - ], - "Tags": [ - "dbk64.sys" - ] - }, - { - "Id": "13b2424a-d337-4bc7-ad1d-2049c79906b4", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create d3.sys binPath=C:\\windows\\temp\\d3.sys type=kernel && sc.exe start d3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "d3.sys", - "SHA256": "36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", + "FileName": "AsIO3.sys", + "MD5": "67e03f83c503c3f11843942df32efe5a", + "SHA1": "b0c7ec472abf544c5524b644a7114cba0505951e", + "SHA256": "7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456", + "Authentihash": { + "MD5": "a41fc38c2ffe9e5097c8d781a89bbbe9", + "SHA1": "a248637b54b10942743e0caf8698ce8b84559f79", + "SHA256": "9512115b60e67fa268a7463119add2404150842bb3dffa41124b12dd9cb580a2" + }, "Description": "", - "Product": "", - "ProductVersion": "", - 
"FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "d3.sys" - ] - }, - { - "Id": "5d3f0b7d-7413-48e6-8d9c-7fc0bb5a66ee", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create Proxy64.sys binPath=C:\\windows\\temp\\Proxy64.sys type=kernel && sc.exe start Proxy64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Proxy64.sys", - "SHA256": "c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a", - "Signature": [], - "Date": "", - "Publisher": "", "Company": "", - "Description": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", "Product": "", "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "Proxy64.sys" - ] - }, - { - "Id": "6d21df78-d718-44df-b722-99eec654f5b2", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create MsIo64.sys binPath=C:\\windows\\temp\\MsIo64.sys type=kernel && sc.exe start MsIo64.sys", - "Description": "The MSI AmbientLink MsIo64 driver 1.0.0.8 has a Buffer Overflow (0x80102040, 0x80102044, 0x80102050,and 0x80102054)", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/namazso/physmem_drivers", - " https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/", - "https://packetstormsecurity.com/files/159315/MSI-Ambient-Link-Driver-1.0.0.8-Privilege-Escalation.html", - "https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities", - "https://github.com/Exploitables/CVE-2020-17382", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "MsIo64.sys", - "MD5": "dc943bf367ae77016ae399df8e71d38a", - "SHA1": "6b54f8f137778c1391285fee6150dfa58a8120b1", - "SHA256": "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "MICSYS Technology Co., LTd", - "Description": "MICSYS driver", - "Product": "MsIo64 Driver Version 1.1", - "ProductVersion": "1.1 x64", - "FileVersion": "1.1 x64 built by: WinDDK", + "Copyright": "", "MachineType": "AMD64", - "OriginalFilename": "MsIo64.sys", - "Authentihash": { - "MD5": "9bb721ac0afc94a499a238ae32418d51", - "SHA1": "04a903f13528536f1d0b1751886754d9aa5cdafa", - "SHA256": "5bf00eff58e5bbe4cf578ec37b9e13c8fa74511fb2644352fcc091347153a709" - }, - "InternalName": "MsIo64.sys", - "Copyright": "Copyright (c) 2019 MICSYS", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", "IofCompleteRequest", - "IoCreateSymbolicLink", 
"IoCreateDevice", - "ObfDereferenceObject", + "IoCreateSymbolicLink", "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlCopyUnicodeString", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": 
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] - } - ], - "Tags": [ - "MsIo64.sys" - ] - }, - { - "Id": "5c45ae9e-cb6f-4eab-a070-b0187202e080", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create amigendrv64.sys binPath=C:\\windows\\temp\\amigendrv64.sys type=kernel && sc.exe start amigendrv64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "amigendrv64.sys", - "MD5": "32365e3e64d28cc94756ac9a09b67f06", - "SHA1": "d48757b74eff02255f74614f35aa27abbe3f72c7", - "SHA256": "09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9", + "FileName": "AsIO64.sys", + "MD5": "85b756463ab0c000f816260d49923cde", + "SHA1": "de0c16e3812924212f04e15caa09763ae4770403", + "SHA256": "841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b", "Authentihash": { - "MD5": "50ce9def1a59a6ec02ac018e8e42b9e1", - "SHA1": "64e1b960b4fd0b597e36f3986abd37cca8ebd230", - "SHA256": "e4dbc382c21b4b14b54d37b2fd86e12a7637f177ba4170e19ffde3584ec48e6c" + "MD5": "e0f8fb00de2a72c7808c94223cea5145", + "SHA1": "cbe317096adb8eba45f7e8b22830257ff8625514", + "SHA256": "e304e5d70d3f986f623fad7f4355d5218d8c1681e423b02db0946cbe1503eb76" }, "Description": "", "Company": "", 
@@ -76292,47 +71360,25 @@
 "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe",
- "HAL.dll",
- "WDFLDR.SYS"
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoAllocateMdl",
- "IoFreeMdl",
- "MmGetPhysicalAddress",
+ "ZwClose",
+ "ZwMapViewOfSection",
+ "ObReferenceObjectByHandle",
+ "ZwOpenSection",
 "RtlInitUnicodeString",
+ "IoDeleteDevice",
+ "DbgPrint",
 "IofCompleteRequest",
- "IoCreateDevice",
+ "ZwUnmapViewOfSection",
+ "IoIs32bitProcess",
 "IoCreateSymbolicLink",
- "IoDeleteDevice",
+ "IoCreateDevice",
 "IoDeleteSymbolicLink",
- "KeLowerIrql",
- "KfRaiseIrql",
- "MmMapIoSpace",
- "MmUnmapIoSpace",
- "MmFreeContiguousMemory",
- "ZwClose",
- "ZwOpenSection",
- "ZwMapViewOfSection",
- "ExFreePoolWithTag",
- "MmGetSystemRoutineAddress",
- "PsGetVersion",
- "ExAllocatePoolWithQuotaTag",
- "ZwQuerySystemInformation",
- "MmAllocateContiguousMemory",
- "MmUnmapLockedPages",
- "MmMapLockedPagesSpecifyCache",
- "RtlCopyUnicodeString",
- "DbgPrintEx",
- "MmBuildMdlForNonPagedPool",
- "RtlCompareMemory",
- "ObReferenceObjectByHandle",
- "RtlGetVersion",
- "HalTranslateBusAddress",
- "WdfVersionBind",
- "WdfVersionUnbind",
- "WdfVersionUnbindClass",
- "WdfVersionBindClass"
+ "KeDelayExecutionThread",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
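Review bot: The new side keeps `"ExportedFunctions": ""` as an empty-string placeholder directly above an `"ImportedFunctions"` array, so the same kind of field is typed as a string in one record position and as an array in another, and the other hunks of this sync widen the inconsistency by moving `"CertificatesInfo"` from `""` to `[]` and renaming `"Filename"` to `"FileName"` (the d3.sys→AsIO3.sys and hw.sys→asio.sys records). A consumer that unmarshals into typed fields would presumably reject the string/array mismatch, and one that matches keys case-sensitively would silently drop the filename for the renamed records, so it is worth confirming the loader in this package was updated together with the data and adding a schema check on the dataset (every sample carries `FileName`, `SHA256`, and array-typed `ImportedFunctions`/`CertificatesInfo`) so the next sync cannot quietly break hash-based detection. For a curated IoC list, recording the upstream revision or fetch date the data was taken from would also let reviewers verify the replaced hashes against the source of truth instead of reading the raw replacement.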
@@ -76340,690 +71386,504 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "serialNumber=7155083, ??=US, ??=Delaware, ??=Private Organization, C=US, postalCode=30093, ST=Georgia, L=Norcross, ??=5555 Oakbrook Parkway Suite 200, O=AMI US HOLDINGS INC, CN=AMI US HOLDINGS INC", - "ValidFrom": "2020-09-21 00:00:00", - "ValidTo": "2023-09-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", - "ValidFrom": "2014-12-03 00:00:00", - "ValidTo": "2029-12-02 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2011-04-11 22:06:20", - "ValidTo": "2021-04-11 22:16:20", - "Signature": "81980792fe6f325fd9d24bf57dd971e0fdfc169205b4ce67f5cc4bd4c7109854fa521b48582f73bf19d937a0ad33f351052379d9b277648aebbdc3b39db7b1e637d1d2597e41d98fb314ab15774d6cda40245bb207b8582c4b0c2b5351b3df2eb976ac69c9c2ed64377b8d217accdc9fbc172804cc2547242a85cc56e639398775181f46f6910faa46fa4de64754e2322c76eefbcdbd62e1962429064b0cfe344ae9101d74e57a2f954bcc6ebafdd7355f91e45942defb008e08f151512d62258415081911864061d52553232c297738cc58d38c5fbc19b866064c6310dbb2ac306c16bc8bbcd21bc603131546a550f49a9684bb721038db519ad4c55327cbbf28159e086b3d3f4cc00c911cbf19848b3751a0199d8555c55da56479ef10a5ebf4231cda6fe32e7d17b037761f4d8dc102411f363e067bc5b7602d416251dedde4512da7de81f4c3e0e0e9c31680dd9c497d17cfcb556307d66952f4a49d248dbe1bc98099874548cb49c5ed703500267ca70f7532f7ed088ff0bca560a022d5331efbe5022c95a607f4be14de704c8ea97e41dea9d95064866f9424f7abf683955d0d45d18c238c030a13e40eb943030a4367b3107446e46dbd65de4541867072040bbaddba591f571393b00bedb1144169d3090459c7368e7db64b9df120fcd0f18bbd68ca3eb131cf43d066f5a3ddafb1dcc3178cfa3128c73e4927ab6a1b", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + 
"Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2006-06-27 00:00:00", + "ValidTo": "2007-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "00b9963758ead236c6e15cd48ba5433aae", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + "SerialNumber": "284649f592786c4851c1138e364185ae", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "amigendrv64.sys" - ] - }, - { - "Id": "23f11e19-0776-4dd4-9c9c-7f6b60f8553f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create ATSZIO.sys binPath=C:\\windows\\temp\\ATSZIO.sys type=kernel && sc.exe start ATSZIO.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", - "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "ATSZIO.sys", - "MD5": "b12d1630fd50b2a21fd91e45d522ba3a", - "SHA1": "490109fa6739f114651f4199196c5121d1c6bdf2", - "SHA256": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - 
"VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "ASUSTek Computer Inc.", - "Description": "ATSZIO Driver", - "Product": "ATSZIO Driver", - "ProductVersion": "0.2.1.7", - "FileVersion": "0.2.1.7", - "MachineType": "AMD64", - "OriginalFilename": "ATSZIO.sys", + "FileName": "AsIO3_64.sys", + "MD5": "598f8fb2317350e5f90b7bd16baf5738", + "SHA1": "a8be6203c5a87ecc3ae1c452b7b6dbdf3a9f82ae", + "SHA256": "910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135", "Authentihash": { - "MD5": "69a92cb6ac87c99f10b24eefa13f0b10", - "SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73", - "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a" + "MD5": "ace2d8ea30005bce12b1421f431bc39c", + "SHA1": "f084b6ba134b23e06f5867e650ba4eb9d1007231", + "SHA256": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61" }, - "InternalName": "ATSZIO.sys", - "Copyright": "Copyright (C) 2012", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "ExAllocatePool", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", - "IoCreateSynchronizationEvent", - "KeSetEvent", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "RtlCopyUnicodeString", "ObReferenceObjectByHandle", + "ObfDereferenceObject", "ZwClose", "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", "MmGetPhysicalAddress", "__C_specific_handler", - "DbgPrint", - "IoDeleteDevice", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "IoIs32bitProcess", "RtlInitUnicodeString", - 
"HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2012-07-31 00:00:00", - "ValidTo": "2015-08-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] - } - ], - "Tags": [ - "ATSZIO.sys" - ] - }, - { - "Id": "5969b6dc-b136-480e-a527-3cb2ea2f0da9", - "Author": "Guus Verbeek", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create hw_sys binPath=C:\\windows\\temp\\hw.sys type=kernel && sc.exe start hw.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", - 
"https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/detection" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "hw.sys", - "MD5": "3247014ba35d406475311a2eab0c4657", - "SHA1": "74e4e3006b644392f5fcea4a9bae1d9d84714b57", - "SHA256": "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8", - "Signature": [ - "Marvin Test Solutions, Inc.", - "GlobalSign Extended Validation CodeSigning CA - SHA256 - G3", - "GlobalSign", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "Marvin Test Solutions, Inc.", - "Description": "HW - Windows NT-10 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", - "Product": "HW", - "ProductVersion": "4.9.8.0", - "FileVersion": "4.9.8.0", - "MachineType": "I386", - "OriginalFilename": "HW.sys", + "FileName": "asio.sys", + "MD5": "2b4e66fac6503494a2c6f32bb6ab3826", + "SHA1": "ed219d966a6e74275895cc0b975b79397760ea9f", + "SHA256": "923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782", "Authentihash": { - "MD5": "6eafc9b68f2047adf6879e955d3b69e8", - "SHA1": "8a6d85617bc601b818ddf1b8e8d5db6cf7ae31c1", - "SHA256": "615a7c647eba3f2dcea463d5705d5d59ca70b4250f895ad20ce6876076a8fa28" + "MD5": "1b20fb8ed378500e83656fd527ac48c4", + "SHA1": "e471ba6d1327d1026eb2c6a905e2bad3952dabbd", + "SHA256": "ed302ea33feb557b879f64c4b7835947a9ca31054573e1487f5bbc38449753ff" }, - "InternalName": "Hw.sys", - "Copyright": "Copyright © 1996-2021 Marvin Test Solutions, Inc. 
All Rights Reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeReleaseMutex", - "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "KeInitializeDpc", - "MmGetSystemRoutineAddress", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeMutex", - "IoCreateDevice", - "IoDeleteSymbolicLink", - "memcpy", - "PsGetVersion", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmMapIoSpace", - "MmUnmapLockedPages", - "MmUnmapIoSpace", - "IoGetDmaAdapter", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "ZwOpenProcess", - "KeInitializeEvent", - "ObfDereferenceObject", - "ExAllocatePoolWithTag", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IofCompleteRequest", - "WRITE_REGISTER_BUFFER_ULONG", - "WRITE_REGISTER_BUFFER_USHORT", - "WRITE_REGISTER_BUFFER_UCHAR", - "WRITE_REGISTER_ULONG", - "WRITE_REGISTER_USHORT", - "WRITE_REGISTER_UCHAR", - "READ_REGISTER_BUFFER_ULONG", - "READ_REGISTER_BUFFER_USHORT", - "READ_REGISTER_BUFFER_UCHAR", - "READ_REGISTER_ULONG", - "READ_REGISTER_USHORT", "READ_REGISTER_UCHAR", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "KeReleaseInterruptSpinLock", - "KeAcquireInterruptSpinLock", - "ExEventObjectType", + "READ_REGISTER_USHORT", + "READ_REGISTER_ULONG", + "WRITE_REGISTER_UCHAR", + "KeQuerySystemTime", "KeDelayExecutionThread", - "KeInsertQueueDpc", + "IofCompleteRequest", "ZwClose", - "KeSetEvent", - "IoCreateNotificationEvent", - "KeClearEvent", - "RtlQueryRegistryValues", - "RtlAppendUnicodeStringToString", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoDeleteSymbolicLink", + "DbgPrint", + 
"ZwUnmapViewOfSection", + "IoCreateSymbolicLink", "RtlInitUnicodeString", - "memset", - "ExFreePoolWithTag", - "IoGetDeviceProperty", - "ExAllocatePool", - "READ_PORT_UCHAR", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "READ_PORT_BUFFER_UCHAR", - "READ_PORT_BUFFER_USHORT", - "READ_PORT_BUFFER_ULONG", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", + "IoCreateDevice", + "WRITE_REGISTER_USHORT", + "IoDeleteDevice", + "WRITE_REGISTER_ULONG", "WRITE_PORT_ULONG", - "WRITE_PORT_BUFFER_UCHAR", - "WRITE_PORT_BUFFER_USHORT", - "WRITE_PORT_BUFFER_ULONG", - "HalAssignSlotResources", + "WRITE_PORT_USHORT", "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalGetInterruptVector" + "READ_PORT_ULONG", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_USHORT" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2018-09-19 00:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of 
use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", - "ValidFrom": "2016-06-15 00:00:00", - "ValidTo": "2024-06-15 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, serialNumber=2147696, ??=US, ??=DELAWARE, C=US, ST=CA, L=Irvine, ??=1770 Kettering, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc.", - "ValidFrom": "2019-07-29 13:20:49", - "ValidTo": "2022-07-29 13:20:49", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2007-07-03 00:00:00", + "ValidTo": "2008-07-26 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "716ef836a8ceb23aeaf9174e", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation 
CodeSigning CA , SHA256 , G3" + "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "HW.sys", - "MD5": "45c2d133d41d2732f3653ed615a745c8", - "SHA1": "4e56e0b1d12664c05615c69697a2f5c5d893058a", - "SHA256": "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Marvin Test Solutions, Inc.", - "Description": "HW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", - "Product": "HW", - "ProductVersion": "4.8.2.0", - "FileVersion": "4.8.2.0", - "MachineType": "AMD64", - "OriginalFilename": "HW.sys", + "FileName": "AsIO2.sys", + "MD5": "79329e2917623181888605bc5b302711", + "SHA1": "844d2345bde50bf8ee7e86117cf7b8c6e6f00be4", + "SHA256": "a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6", "Authentihash": { - "MD5": "22db74f3f2e50ccdeb471c81e3a62532", - "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", - "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" + "MD5": "220f8ab33b94d37e06e465825c05a867", + "SHA1": "06dd63bd069498a712cdfe3d9ac27bfbf5d661f5", + "SHA256": "7ebc5906d7fd9c606dc6ef9b49f3e57b63af838f5807fcdcdd5ff47b5b05e39c" }, - "InternalName": "Hw.sys", - "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. 
All Rights Reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "RtlAppendUnicodeStringToString", - "ZwClose", - "ZwOpenProcess", - "KeReleaseMutex", - "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "KeInitializeDpc", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "MmGetSystemRoutineAddress", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeMutex", + "MmAllocateContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "PsGetVersion", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", + "RtlCopyUnicodeString", "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", "ZwOpenSection", - "ExFreePoolWithTag", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmMapIoSpace", - "MmUnmapLockedPages", - "MmUnmapIoSpace", - "MmFreeContiguousMemory", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "IoGetDeviceProperty", - "KeInitializeEvent", - "ObfDereferenceObject", - "ExAllocatePoolWithTag", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IofCompleteRequest", - "IoDisconnectInterrupt", - "KeReleaseInterruptSpinLock", - "KeAcquireInterruptSpinLock", - "ExEventObjectType", - "KeFlushQueuedDpcs", - "KeInsertQueueDpc", - "KeSetEvent", - "IoFreeMdl", - "ExAllocatePool", - "HalGetBusDataByOffset" + "__C_specific_handler", + "RtlCompareUnicodeString", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], 
"Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com", - "ValidFrom": "2015-06-17 17:46:36", - "ValidTo": "2018-05-04 18:44:13", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] }, { - "Filename": "hw.sys", - "MD5": "3cf7a55ec897cc938aebb8161cb8e74f", - "SHA1": "22fc833e07dd163315095d32ebcd3b3e377c33a4", - "SHA256": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Marvin Test Solutions, Inc.", - "Description": "HW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", - "Product": "HW", - "ProductVersion": "4.8.2.0", - "FileVersion": "4.8.2.0", - "MachineType": "AMD64", - "OriginalFilename": "HW.sys", + "FileName": "AsIO3.sys", + "MD5": "1ce19950e23c975f677b80ff59d04fae", + "SHA1": "4f30f64b5dfcdc889f4a5e25b039c93dd8551c71", + "SHA256": "b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df", "Authentihash": { - "MD5": "22db74f3f2e50ccdeb471c81e3a62532", - "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", - "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" + "MD5": "cf61dd8f9a187de6219f930866defcbd", + "SHA1": "80bb26a2ef12a3d9d77fe5dd6059d5955b690b2e", + "SHA256": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532" }, - "InternalName": "Hw.sys", - "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. 
All Rights Reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "RtlAppendUnicodeStringToString", - "ZwClose", - "ZwOpenProcess", - "KeReleaseMutex", + "KeSetEvent", + "KeDelayExecutionThread", "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "KeInitializeDpc", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "MmGetSystemRoutineAddress", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeMutex", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", - "IoDeleteSymbolicLink", - "PsGetVersion", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "IoDeleteDevice", + "RtlGetVersion", + "IoIs32bitProcess", "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", "ZwOpenSection", - "ExFreePoolWithTag", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmMapIoSpace", - "MmUnmapLockedPages", - "MmUnmapIoSpace", - "MmFreeContiguousMemory", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "IoGetDeviceProperty", - "KeInitializeEvent", - "ObfDereferenceObject", - "ExAllocatePoolWithTag", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IofCompleteRequest", - "IoDisconnectInterrupt", - "KeReleaseInterruptSpinLock", - "KeAcquireInterruptSpinLock", - "ExEventObjectType", - "KeFlushQueuedDpcs", - "KeInsertQueueDpc", - "KeSetEvent", - "IoFreeMdl", - "ExAllocatePool", - "HalGetBusDataByOffset" + "__C_specific_handler", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", + "DbgPrint", + "RtlCopyUnicodeString", + 
"IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com", - "ValidFrom": "2015-06-17 17:46:36", - "ValidTo": "2018-05-04 18:44:13", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + 
"ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2021-10-22 00:00:00", + "ValidTo": "2024-10-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } ] }, { - "Filename": "hw.sys", - "MD5": "376b1e8957227a3639ec1482900d9b97", - "SHA1": "18f34a0005e82a9a1556ba40b997b0eae554d5fd", - "SHA256": "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Marvin Test Solutions, Inc.", - "Description": "HW - Windows NT-10 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", - "Product": "HW", - "ProductVersion": "4.9.8.0", - "FileVersion": "4.9.8.0", - "MachineType": "AMD64", - "OriginalFilename": "HW.sys", + "FileName": "AsIO3.sys", + "MD5": "370a4ca29a7cf1d6bc0744afc12b236c", + "SHA1": "cfa85a19d9a2f7f687b0decdc4a5480b6e30cb8c", + "SHA256": "c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646", "Authentihash": { - "MD5": "0e03e32b8b0f3a1abb52581c1b5698f6", - "SHA1": 
"4614a646d19fb297aa878ba5e70dc9a6a1c5dd8a", - "SHA256": "25bc1b72ba6092674ec561d7de8f5e4a7adb23c29fa68de5b29a30a671257dac" + "MD5": "2f131a8ffb55f70edd90f4cda9e4f84e", + "SHA1": "4bfc51e23494f7eaf27560f92cd6fbced2ffa4f6", + "SHA256": "9b1af050481bda270a08ae873224a142c8b2119eeda59d3a04b1f6d66715a8c8" }, - "InternalName": "Hw.sys", - "Copyright": "Copyright © 1996-2021 Marvin Test Solutions, Inc. All Rights Reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlQueryRegistryValues", - "KeClearEvent", - "IoCreateNotificationEvent", - "KeSetEvent", - "ZwClose", - "ZwOpenProcess", - "KeReleaseMutex", - "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "KeInitializeDpc", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", "MmGetSystemRoutineAddress", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeMutex", + "MmAllocateContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "PsGetVersion", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ExFreePoolWithTag", + "RtlCopyUnicodeString", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", "ZwOpenSection", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmMapIoSpace", - "MmUnmapLockedPages", - "MmUnmapIoSpace", - "MmFreeContiguousMemory", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "IoGetDeviceProperty", - "KeInitializeEvent", - "ObfDereferenceObject", - "ExAllocatePoolWithTag", - 
"ObReferenceObjectByName", - "IoDriverObjectType", - "IofCompleteRequest", - "IoDisconnectInterrupt", - "KeReleaseInterruptSpinLock", - "KeAcquireInterruptSpinLock", - "ExEventObjectType", - "KeFlushQueuedDpcs", - "KeInsertQueueDpc", - "ObReferenceObjectByHandle", - "ExAllocatePool", - "HalGetBusDataByOffset" + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "__C_specific_handler", + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -77031,318 +71891,224 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2018-09-19 00:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", - "ValidFrom": "2016-06-15 00:00:00", - "ValidTo": "2024-06-15 00:00:00", - "Signature": "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", + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "??=Private Organization, serialNumber=2147696, ??=US, ??=DELAWARE, C=US, ST=CA, L=Irvine, ??=1770 Kettering, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc.", - "ValidFrom": "2019-07-29 13:20:49", - "ValidTo": "2022-07-29 13:20:49", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "716ef836a8ceb23aeaf9174e", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" - } - ] - } - ] - } - ], - "Tags": [ - "hw.sys" - ] - }, - { - "Id": "a4e31604-3b53-4173-87c3-bf4f52ca9295", - "Author": "BlureL", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable 
driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create procexp152.sys binPath=C:\\windows\\temp\\procexp152.sys type=kernel && sc.exe start procexp152.sys", - "Description": "Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://malware.news/t/lazarus-group-attack-case-using-vulnerability-of-certificate-software-commonly-used-by-public-institutions-and-universities/67715", - "https://waawaa.github.io/en/Bypass-PPL-Using-Process-Explorer/", - "https://github.com/magicsword-io/LOLDrivers/issues/57" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, { - "Filename": "procexp152.sys", - "MD5": "ad03f225247b58a57584b40a4d1746d3", - "SHA1": 
"e525f54b762c10703c975132e8fc21b6cd88d39b", - "SHA256": "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Sysinternals - www.sysinternals.com", - "Description": "Process Explorer", - "Product": "Process Explorer", - "ProductVersion": "15.00", - "FileVersion": "15.00", - "MachineType": "AMD64", - "OriginalFilename": "procexp.Sys", + "FileName": "asio.sys", + "MD5": "68726474c69b738eac3a62e06b33addc", + "SHA1": "8453fc3198349cf0561c87efc329c81e7240c3da", + "SHA256": "c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2", "Authentihash": { - "MD5": "9e4c2a2e8832f10ecdd2be70eb6bc300", - "SHA1": "2b15e90dc654ce779bd460787352639768cd8baa", - "SHA256": "26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34" + "MD5": "9f79edf758e219929902ec7564e0f435", + "SHA1": "c92148d0666f2235500805975be79738b84e48c2", + "SHA256": "19c74ea0e0baf04820e5642bd2fa224158801ed966be1041539e3c55bd65c471" }, - "InternalName": "procexp.sys", - "Copyright": "Copyright (C) Mark Russinovich 1996-2014", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", "ZwClose", - "MmIsAddressValid", - "ZwOpenProcess", - "KeStackAttachProcess", - 
"KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", - "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "NtBuildNumber", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", + "IoCreateSymbolicLink", "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeBugCheckEx" + "IoDeleteSymbolicLink", + "KeDelayExecutionThread", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Sysinternals, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Sysinternals", - "ValidFrom": "2013-04-06 00:00:00", - "ValidTo": "2016-05-05 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", 
+ "ValidFrom": "2008-07-22 00:00:00", + "ValidTo": "2009-07-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1efd983a49d3f152ac9cd2941b8a0edd", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "37ed9092bdd1dccf58d2afa47f961448", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - } - ], - "Tags": [ - "procexp152.sys" - ] - }, - { - "Id": "b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create WiseUnlo.sys binPath=C:\\windows\\temp\\WiseUnlo.sys type=kernel && sc.exe start WiseUnlo.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "WiseUnlo.sys", - "MD5": "356bda2bf0f6899a2c08b2da3ec69f13", - "SHA1": "b9807b8840327c6d7fbdde45fc27de921f1f1a82", - "SHA256": "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69", - "Signature": [ - "Lespeed Technology Co., Ltd", - "COMODO RSA Extended Validation Code Signing CA", - "Sectigo (formerly Comodo CA)" - ], - "Date": "", - "Publisher": "", - "Company": 
"WiseCleaner.com", - "Description": "WiseUnlo", - "Product": "WiseUnlo", - "ProductVersion": "1.0.2.13", - "FileVersion": "1.0.2.13", - "MachineType": "AMD64", - "OriginalFilename": "WiseUnlo.sys", + "FileName": "AsIO3_64.sys", + "MD5": "d5556c54c474cf0bff25804bfbe788d3", + "SHA1": "c71597c89bd8e937886e3390bc8ac4f17cdeae7c", + "SHA256": "fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91", "Authentihash": { - "MD5": "6d1e6e5682f9a5e8a64dc8d2ec6ddfac", - "SHA1": "49fb554b77c8d533e4a1ff30bbc60ef7f80b7055", - "SHA256": "c36ace67f4e25f391e8709776348397e4fd3930e641b32c1b0da398e59199ca7" + "MD5": "d9af966d89c5f045997042d35b9a7b91", + "SHA1": "b6f1e92a8452c2aec22aaa7657e92d2aa48b3055", + "SHA256": "26b8e689a13d3434951559cff24fcfe55edeb7b78c7cc16db1a273c90aa694c1" }, - "InternalName": "WiseUnlo.sys", - "Copyright": "Copyright © 2015", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteSymbolicLink", - "IoGetRelatedDeviceObject", - "RtlInitUnicodeString", - "IoDeleteDevice", "KeSetEvent", - "IoCreateFile", - "KeInitializeEvent", - "IoFileObjectType", - "ZwClose", - "IofCompleteRequest", - "ObReferenceObjectByHandle", + "KeDelayExecutionThread", "KeWaitForSingleObject", - "IoFreeIrp", - "IoAllocateIrp", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "IoDeleteDevice", + "RtlGetVersion", + "IoIs32bitProcess", + "ObReferenceObjectByHandle", "ObfDereferenceObject", - "IoCreateDevice", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + 
"__C_specific_handler", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "KeBugCheckEx", "DbgPrint", - "IofCallDriver" + "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", - "ValidFrom": "2014-12-03 00:00:00", - "ValidTo": "2029-12-02 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2011-04-11 22:06:20", - "ValidTo": "2021-04-11 22:16:20", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "serialNumber=91110101593898951F, ??=CN, ??=Private Organization, C=CN, postalCode=100028, ST=Beijing Shi, L=Beijing, ??=Chaoyang District, ??=Room 1610, Haocheng Building, No.9 Building, No.6 Courtyard, Zuojiazhuang Middle Street, O=Lespeed Technology Co., Ltd, CN=Lespeed Technology Co., Ltd", - "ValidFrom": "2020-07-09 00:00:00", - "ValidTo": "2023-07-09 23:59:59", - "Signature": "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", + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2021-10-22 00:00:00", + "ValidTo": "2024-10-22 23:59:59", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "2e4a279bde2eb688e8ab30f5904fa875", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + "SerialNumber": "0bbe02c8838fbf02ab56edabb1e34c19", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1" } ] } 
@@ -77350,249 +72116,286 @@ } ], "Tags": [ - "WiseUnlo.sys" - ] + "asio.sys" + ], + "yara": false }, { - "Id": "ee2d68aa-1a65-4967-8627-73590b041538", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "40a78fac-5aea-4bc5-afc6-24f877f3e7e5", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create DirectIo32.sys binPath=C:\\windows\\temp\\DirectIo32.sys type=kernel && sc.exe start DirectIo32.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create AMDRyzenMasterDriver.sys binPath=C:\\windows\\temp\\AMDRyzenMasterDriver.sys type=kernel && sc.exe start AMDRyzenMasterDriver.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "DirectIo32.sys", - "MD5": "79ab228766c76cfdf42a64722821711e", - "SHA1": "b0a684474eb746876faa617a28824bee93ba24f0", - "SHA256": "0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1", + "Filename": "AMDRyzenMasterDriver.sys", + "MD5": "13ee349c15ee5d6cf640b3d0111ffc0e", + "SHA1": "4f7a8e26a97980544be634b26899afbefb0a833c", + "SHA256": "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433", + "Signature": [ + "Advanced Micro Devices INC.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Advanced Micro Devices", + "Description": "AMD Ryzen Master Service Driver", + "Product": "AMD Ryzen Master Service Driver", + "ProductVersion": "1.3.0.0", + "FileVersion": "1.3.0.0", + "MachineType": "AMD64", + "OriginalFilename": "AMDRyzenMasterDriver.sys", "Authentihash": { - "MD5": "643df6049601b73ec4ceaa3d80673871", - "SHA1": "956c004dbed19d2682f159e03d4faa3e2e8fc56c", - "SHA256": "a8492a553ee840235fd12fa47b6caf1e5a8c82c3f4b681921246d7f192ed9126" + "MD5": "aa6e3970343cb83f7c924e98aeaf0c85", + "SHA1": "c29a625c02bf49f3f055db90b280a1f201c59975", + "SHA256": "001cd8b2ce1932d1a8c32bc2d643ee4fa6f67626d1b6895beea916285450566c" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", + "InternalName": "AMDRyzenMasterDriver.sys", + "Copyright": "Copyright © 2018 AMD, Inc.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", - "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", - "ZwCreateFile", - "memset", - 
"memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", + "KeLeaveCriticalRegion", + "MmMapIoSpace", + "MmUnmapIoSpace", "IofCompleteRequest", - "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "ObfDereferenceObject", - "RtlQueryRegistryValues", - "ZwOpenKey", - "_snwprintf", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", - "IoCreateDevice", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetSystemRoutineAddress", "ZwClose", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "KeEnterCriticalRegion", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeDelayExecutionThread", + "RtlGetVersion", "DbgPrint", + "RtlCopyUnicodeString", "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", "ExFreePoolWithTag", - "IoDeleteSymbolicLink", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - 
"READ_PORT_ULONG" + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "strncmp", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": 
"2012-10-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices INC., CN=Advanced Micro Devices INC.", + "ValidFrom": "2019-02-13 00:00:00", + "ValidTo": "2022-02-13 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "1885b7e188d8fafd38a43d48967d7488", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] - }, + } + ], + "Tags": [ + "AMDRyzenMasterDriver.sys" + ], + "yara": true + }, + { + "Id": "f3215c19-8053-458c-81a5-90a74c5d2e6d", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create CITMDRV_AMD64.sys binPath=C:\\windows\\temp\\CITMDRV_AMD64.sys type=kernel && sc.exe start CITMDRV_AMD64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "DirectIo32.sys", - "MD5": "e913a51f66e380837ffe8da6707d4cc4", - "SHA1": "0be77bb3720283c9a970a97dab25d2a312e86110", - "SHA256": "38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305", - "Authentihash": { - "MD5": "91941a5ecd36d5eda1e509e9f525fc83", - "SHA1": "1ad46a8e038a62e146ddb5a4fe8ca5a56c53f018", - "SHA256": 
"542cd21b0c835b818e6b2eea2efe5b340ff3d554b2b7e13af084f0817cc920fd" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "e076dadf37dd43a6b36aeed957abee9e", + "SHA1": "468e2e5505a3d924b14fedee4ddf240d09393776", + "SHA256": "29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "ObfDereferenceObject", - "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + 
"IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "RtlIntegerToUnicodeString", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -77603,10 +72406,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -77615,18 +72418,11 @@ "ValidTo": "2019-05-20 23:59:59", "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "SerialNumber": "45595f53cb4840a48f7415305213fba6", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] 
@@ -77634,104 +72430,61 @@ ] }, { - "FileName": "DirectIo32.sys", - "MD5": "8ac6d458abbe4f5280996eb90235377c", - "SHA1": "bd421ffdcc074ecca954d9b2c2fbce9301e9a36c", - "SHA256": "3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa", - "Authentihash": { - "MD5": "e4b5345eaa754dce6279e13b09b491ca", - "SHA1": "ae806ca05e141b71664d9c6f20cc2369ef26f996", - "SHA256": "38fa9b5b66a11fd7387012c5c4bbd414eca8361273d57dba1e49aa6af23337f3" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "aa1ed3917928f04d97d8a217fe9b5cb1", + "SHA1": "2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8", + "SHA256": "45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "IoGetDeviceProperty", - "ObfDereferenceObject", - "IoEnumerateDeviceObjectList", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IoGetAttachedDeviceReference", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "IoAllocateMdl", - "MmMapIoSpace", - "ZwMapViewOfSection", "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "ZwUnmapViewOfSection", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - 
"PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "IofCallDriver", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "RtlQueryRegistryValues", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "ZwOpenKey", - "RtlWriteRegistryValue", - "IoBuildDeviceIoControlRequest", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "KeWaitForSingleObject", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "_vsnwprintf", - "memcpy", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -77741,13 +72494,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -77756,387 +72502,298 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2014-10-23 00:00:00", - "ValidTo": "2017-01-13 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - 
"FileName": "DirectIo32.sys", - "MD5": "592756f68ab8ae590662b0c4212a3bb9", - "SHA1": "aadaec4c31d661c249e4cf455ec752fffa3e5cfc", - "SHA256": "65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75", - "Authentihash": { - "MD5": "ae08002e9920a85b42f78d85e4f5baaa", - "SHA1": "6e2ea1d108b9f05f2d077ed6c254a70e2b11251d", - "SHA256": "fb7cb120d51e217ee4cc50bee619603be5eb6091634df45acc5249aed283c9be" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "dd39a86852b498b891672ffbcd071c03", + "SHA1": "c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f", + "SHA256": "50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "ObfDereferenceObject", - "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", 
- "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "RtlIntegerToUnicodeString", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo32.sys", - "MD5": "0a653d9d0594b152ca835d0b2593269f", - "SHA1": "6102b73489e1d319c0db7b84cb2c426c5f680120", - "SHA256": "72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb", - "Authentihash": { - "MD5": "4ffb30623d9570c0a19742435ba230bb", - "SHA1": "9703903219c7d7f88748fd68f277649b82f2df83", - "SHA256": "c3a215473d836c1d7315f371bff4dea956d7d1b440e43b4671f6e3772bae00dd" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "708ac9f7b12b6ca4553fd8d0c7299296", + "SHA1": "078ae07dec258db4376d5a2a05b9b508d68c0123", + "SHA256": "607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c", + 
"Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "ZwClose", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "DbgPrint", - "RtlInitUnicodeString", - 
"ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "_vsnwprintf", - "RtlAppendUnicodeToString", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty 
Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo32.sys", - "MD5": "e140cb81bd27434fc4fd9080b7551922", - "SHA1": "2a06006e54c62a2e8bdf14313f90f0ab5d2f8de8", - "SHA256": "7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd", - "Authentihash": { - "MD5": "c62966c201e259ff8b2642470b2bd621", - "SHA1": "abe422f9289fe922f671cc70c78046e2bde5e309", - "SHA256": "c0752dc13548fe8d3b5a7a73c04ebcd7bcfa5e4ecec9ba233d193bd36ed4b54e" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "7a16fca3d56c6038c692ec75b2bfee15", + "SHA1": "623cd2abef6c92255f79cbbd3309cb59176771da", + "SHA256": "61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8", + 
"Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "IoGetDeviceProperty", - "ObfDereferenceObject", - "IoEnumerateDeviceObjectList", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IoGetAttachedDeviceReference", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmUnmapIoSpace", - "IoAllocateMdl", - "MmMapIoSpace", - "ZwMapViewOfSection", "ZwClose", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmUnmapLockedPages", - "ZwUnmapViewOfSection", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "IofCallDriver", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", - "IoBuildDeviceIoControlRequest", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "IofCompleteRequest", 
"IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "KeWaitForSingleObject", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "_vsnwprintf", - "memcpy", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeStallExecutionProcessor", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -78147,128 +72804,99 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2013-01-14 00:00:00", - "ValidTo": "2015-01-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo32.sys", - "MD5": "10e681ce84afdd642e59ddfdb28284e9", - "SHA1": "983a8d4b1cb68140740a7680f929d493463e32e3", - "SHA256": "e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac", - "Authentihash": { - "MD5": "d2fd725385f0f7acb722a5cb177b40aa", - "SHA1": "de239bda4c75f8b2cfbbf74823466491d2e1f76d", - "SHA256": "d6753d2e6cf2f11932b4fedd4362ab57651f8f3baa886eace22fd98a14ebc2e8" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "5970e8de1b337ca665114511b9d10806", + "SHA1": "1f3a9265963b660392c4053329eb9436deeed339", + "SHA256": "74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "ObfDereferenceObject", - "RtlQueryRegistryValues", - "ZwOpenKey", - "_snwprintf_s", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "wcscpy_s", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - 
"IoDeleteSymbolicLink", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -78286,10 +72914,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
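Review bot: `CertificatesInfo` changes type in this hunk, from `"CertificatesInfo": []` on the removed side to `"CertificatesInfo": ""` on the added side, and every other refreshed sample visible in this diff carries the string form too, so whatever Go struct in pkg/loldrivers unmarshals drivers.json must not declare this field as a slice or `json.Unmarshal` will reject the whole embedded file at load time. The struct is not part of this diff, so please confirm the field is typed `string`, `json.RawMessage` or `interface{}`; if the upstream feed emits both shapes across releases, `json.RawMessage` is the safe choice. A field that is sometimes an array and sometimes a string is also worth reporting upstream, since every consumer has to special-case it. The enclosing `KnownVulnerableSamples` object begins before this hunk.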
@@ -78298,18 +72926,11 @@ "ValidTo": "2019-05-20 23:59:59", "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "SerialNumber": "45595f53cb4840a48f7415305213fba6", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] 
@@ -78317,233 +72938,160 @@ ] }, { - "FileName": "DirectIo32.sys", - "MD5": "aa5dd4beca6f67733e04d9d050ecd523", - "SHA1": "ebafebe5e94fdf12bd2159ed66d73268576bc7d9", - "SHA256": "e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc", - "Authentihash": { - "MD5": "e631c2272278e20c81a8d8dcb825ae78", - "SHA1": "ef06513dc0f8456e09260857fd63ee1222c60c82", - "SHA256": "507cee84e2924e81916c8bf090efb1beab3c258a79e1e1bf3637b8b7824d0a86" - }, - "Description": "", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "2509a71a02296aa65a3428ddfac22180", + "SHA1": "4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c", + "SHA256": "76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", "Copyright": "", - "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", + "DbgPrint", "ZwCreateFile", - "memset", - "memcpy", - "MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "vsprintf", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - 
"ObfDereferenceObject", - "RtlQueryRegistryValues", - "ZwOpenKey", - "_snwprintf_s", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", "IoCreateDevice", - "wcscpy_s", - "wcsrchr", - "DbgPrintEx", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "IoDeleteSymbolicLink", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", 
- "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "b7f68f477ab8836d5a2eaa9eaf9449186c71f90679d58058c558928f1ad7c76398511ce520afd6dce66540f536c377f824cf5b84fd60f83ead01a592fbce29cc51cca7da2fe8b50e89bc6999104fb406db3b878a7f9f148c767b668b84fcba161c1c14215de332cfcfc2fa52bce1543341231dd345b41da888372d4a2f82711f6125e029fd71859711bccd6b600247a440b6603296cfa9451e6ec81d51b1b7512705461af59e23e0423ba441c68025359a6e591c6370fa516188f8d720a16c6c7b24e975a204fbe5a3b8236443813e993d717df40642fe7d88d85aa1a51b47a3a05232da19c8f2de4144aa11d4577379c794ef9a48d60fc40f8793d5273a25da", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + 
"Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "DirectIo32.sys" - ] - }, - { - "Id": "43d0af25-c066-471f-bb73-6ce25dc7e0eb", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Dh_Kernel.sys binPath=C:\\windows\\temp\\Dh_Kernel.sys type=kernel && sc.exe start Dh_Kernel.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "Dh_Kernel.sys", - "MD5": "98763a3dee3cf03de334f00f95fc071a", - "SHA1": "745bad097052134548fe159f158c04be5616afc2", - "SHA256": "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "296bde4d0ed32c6069eb90c502187d0d", + "SHA1": "ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d", + "SHA256": "81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469", "Signature": [ - "YY Inc.", + "IBM Polska Sp. z o.o.", "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", - "Publisher": "YY Inc.", - "Company": "YY Inc.", - "Description": "dianhu", - "Product": "dianhu", - "ProductVersion": "1.0.99", - "FileVersion": "1.0.99", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "2d03bf608f236ee1f4654e06857a3062", - "SHA1": "508c1a26486188aa1268d6c23c65e57b8efe71f6", - "SHA256": "f5215f83138901ca7ade60c2222446fa3dd7e8900a745bd339f8a596cb29356c" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, "InternalName": "", - "Copyright": "Copyright © 2007-2017 YY Inc. All rights reserved.", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExFreePoolWithTag", - "ProbeForRead", - "MmProbeAndLockPages", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "MmGetSystemRoutineAddress", - "MmUnmapLockedPages", - "MmCreateMdl", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "ExAllocatePoolWithTag", - "MmIsAddressValid", - "KeAttachProcess", - "KeDetachProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsLookupProcessByProcessId", - "PsGetProcessSectionBaseAddress", - "KeBugCheckEx", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "__C_specific_handler", - "RtlCopyUnicodeString", - "ExAllocatePool", - "DbgPrintEx", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "_stricmp", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -78565,10 +73113,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=Guangdong, L=Guangzhou, O=YY Inc., OU=PM, CN=YY Inc.", - "ValidFrom": "2015-07-17 00:00:00", - "ValidTo": "2018-10-15 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -78588,149 +73136,65 @@ ], "Signer": [ { - "SerialNumber": "53603f0f228be591521b9822ca852ad4", + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "Dh_Kernel.sys" - ] - }, - { - "Id": "e9b099f6-8a12-46f0-a540-40e88cf0ce17", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create nstrwsk.sys binPath=C:\\windows\\temp \\n \\n \\n strwsk.sys type=kernel && sc.exe start nstrwsk.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "nstrwsk.sys", - "SHA256": "3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd", - "Signature": [], + "Filename": "CITMDRV_AMD64.sys", + "MD5": "d1bac75205c389d6d5d6418f0457c29b", + "SHA1": "4268f30b79ce125a81d0d588bef0d4e2ad409bbb", + "SHA256": "9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], "Date": "", - "Publisher": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "nstrwsk.sys" - ] - }, - { - "Id": "9e87b6b0-00ed-4259-bcd7-05e2c924d58c", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BSMEMx64.sys binPath=C:\\windows\\temp\\BSMEMx64.sys type=kernel && sc.exe start BSMEMx64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "BSMEMx64.sys", - "MD5": "49fe3d1f3d5c2e50a0df0f6e8436d778", - "SHA1": "9d07df024ec457168bf0be7e0009619f6ac4f13c", - "SHA256": "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65", - "Signature": [ - "BIOSTAR MICROTECH INT'L CORP", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "", - "Company": "BIOSTAR Group", - "Description": "I/O Interface driver file", - "Product": "BIOSTAR I/O driver fle", - "ProductVersion": "1, 1, 0, 0", - "FileVersion": "1, 1, 0, 0", "MachineType": "AMD64", - "OriginalFilename": "BS_I2cIo.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "464c033940c536ca2b627ba616f33fd0", - "SHA1": "59e1a1abd37be9c1e33dd7d47526394d6ecb9c49", - "SHA256": "20c87381f8f0bf953cb109a5d50a2184c0104cc8ab30e2f94dfba89a5d19b9d8" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "InternalName": "I/O driver", - "Copyright": 
"Copyright (c) 2002-2006 BIOSTAR Group", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeEvent", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "ExInterlockedInsertTailList", - "RtlTimeToTimeFields", - "PsTerminateSystemThread", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", "ZwWriteFile", - "ExInterlockedRemoveHeadList", - "KeSetPriorityThread", + "DbgPrint", "ZwCreateFile", - "RtlInitUnicodeString", - "PsCreateSystemThread", - "IoCreateSymbolicLink", - "IoCreateDevice", + "vsprintf", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoStartNextPacket", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeRemoveEntryDeviceQueue", - "IoStartPacket", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "IofCompleteRequest", - "ObReferenceObjectByHandle", - "ZwClose", - "IoDeleteDevice", - "KeSetEvent", - "HalSetBusDataByOffset", - "HalTranslateBusAddress", - "HalGetBusDataByOffset" + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -78738,17 +73202,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -78757,104 +73228,69 @@ "ValidTo": "2019-05-20 23:59:59", "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", - "ValidFrom": "2010-09-19 00:00:00", - "ValidTo": "2013-10-19 23:59:59", - "Signature": "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", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f", + "SerialNumber": "45595f53cb4840a48f7415305213fba6", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "BSMEMx64.sys" - ] - }, - { - "Id": "6fc3034f-8b40-44ef-807a-f61d3ea2dece", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create NBIOLib_X64.sys binPath=C:\\windows\\temp\\NBIOLib_X64.sys type=kernel && sc.exe start NBIOLib_X64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "NBIOLib_X64.sys", - "MD5": "f2f728d2f69765f5dfda913d407783d2", - "SHA1": "35829e096a15e559fcbabf3441d99e580ca3b26e", - "SHA256": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "b2a9ac0600b12ec9819e049d7a6a0b75", + "SHA1": "c834c4931b074665d56ccab437dfcc326649d612", + "SHA256": "9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e", "Signature": [ - "MICRO-STAR INTERNATIONAL CO., LTD.", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" ], "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "2d87365d63e81ef0edc577bf0cb33995", - "SHA1": "b472d32094e258b2af60914db8604cd0bf439c4b", - "SHA256": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "IoCreateSymbolicLink", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "IoFreeMdl", + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -78868,13 +73304,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -78883,163 +73312,81 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] - } - ] - } - ], - "Tags": [ - "NBIOLib_X64.sys" - ] - }, - { - "Id": "86cff0de-2536-4b8d-a846-a7312c569597", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create nicm.sys binPath=C:\\windows\\temp \\n \\n \\n icm.sys type=kernel && sc.exe start nicm.sys", - "Description": "nicm.sys is a vulnerable driver. 
CVE-2013-3956.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + } + ] + }, { - "Filename": "nicm.sys", - "MD5": "22823fed979903f8dfe3b5d28537eb47", - "SHA1": "d098600152e5ee6a8238d414d2a77a34da8afaaa", - "SHA256": "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "79f7e6f98a5d3ab6601622be4471027f", + "SHA1": "8f5cd4a56e6e15935491aa40adb1ecad61eafe7c", + "SHA256": "aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608", "Signature": [ - "Novell, Inc.", + "IBM Polska Sp. z o.o.", "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" + "VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)" ], "Date": "", - "Publisher": "", - "Company": "Novell, Inc.", - "Description": "Novell XTCOM Services Driver", - "Product": "Novell XTier", - "ProductVersion": "3.1.11", - "FileVersion": "3.1.11.0", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", - "OriginalFilename": "libnicm.sys", + "OriginalFilename": "", "Authentihash": { - "MD5": "4f9030161d60cde6099483f6763e75db", - "SHA1": "6ec1c1cd8c38de77cb35260deeb491e563b5c721", - "SHA256": "aa0a1de59d8697c5f39937edeb778fde7c596b71d64d3427c80fe4c060488990" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, "InternalName": "", - "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "Copyright": "", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" - ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAcquireResourceExclusiveLite", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "RtlEqualString", - "MmUnmapLockedPages", - "ProbeForRead", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "KeInitializeMutex", - "KeLeaveCriticalRegion", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", - "ProbeForWrite", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", "IoFreeMdl", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", - "IoUnregisterShutdownNotification", - "ZwClose", - "IofCompleteRequest", - "IoSetTopLevelIrp", - "KeWaitForSingleObject", - "MmProbeAndLockPages", "MmUnlockPages", - 
"ExDeleteResourceLite", - "IoGetTopLevelIrp", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", "IoCreateSymbolicLink", "IoCreateDevice", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", - "IoAllocateMdl", - "RtlCreateSecurityDescriptor", - "IoGetCurrentProcess", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "RtlInitUnicodeString", - "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "RtlInitString", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwLoadDriver", - "ZwOpenKey", - "KeBugCheckEx", - "__C_specific_handler" + "KeBugCheckEx" ], "Signatures": [ { 
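Review bot: `ExportedFunctions` is polymorphic in the new data — the removed record carried it as an array of export names, while the added CITMDRV_AMD64.sys records set it to the empty string `""`, so the field is an array when populated and a string when empty; the following hunk makes the same `[]`-to-`""` swap for `CertificatesInfo`. Whatever decodes `drivers.json` has to accept both shapes (decode into an untyped/raw value, or a custom unmarshaler that treats `""` as an empty list), because a strictly typed decode would fail on the first such record and, depending on error handling, leave the tool with an empty or truncated driver list. For a detection tool that is a silent fail-open, so it is worth pinning with a test that decodes a record in each shape. This hunk only shows a handful of records, so I cannot tell from here whether other fields in the snapshot drift the same way.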
@@ -79047,17 +73394,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -79066,267 +73420,169 @@ "ValidTo": "2019-05-20 23:59:59", "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", - "ValidFrom": "2010-04-03 00:00:00", - "ValidTo": "2013-04-26 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", + "SerialNumber": "45595f53cb4840a48f7415305213fba6", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "nicm.sys" - ] - }, - { - "Id": "058fb356-e0ff-4f5e-8293-319feb005db2", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create bandai.sys binPath=C:\\windows\\temp\\bandai.sys type=kernel && sc.exe start bandai.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "bandai.sys", - "SHA1": "0f780b7ada5dd8464d9f2cc537d973f5ac804e9c", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" }, { - "Filename": "bandai.sys", - "SHA1": "ea360a9f23bb7cf67f08b88e6a185a699f0c5410", - "Signature": [], + "Filename": "CITMDRV_AMD64.sys", + "MD5": "2d465b4487dc81effaa84f122b71c24f", + "SHA1": "51b60eaa228458dee605430aae1bc26f3fc62325", + "SHA256": "af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], "Date": "", - "Publisher": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "bandai.sys" - ] - }, - { - "Id": "613b8509-18c0-4720-b489-736776b6713e", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create gdrv.sys binPath=C:\\windows\\temp\\gdrv.sys type=kernel && sc.exe start gdrv.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "gdrv.sys", - "MD5": "b0954711c133d284a171dd560c8f492a", - "SHA1": "4f0d9122f57f4f8df41f3c3950359eb1284b9ab5", - "SHA256": "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "f4a434113ef1b0bfed60b8a5bcd4fa9c", - "SHA1": "bffa9edada9f48685c5178f247c416029b423834", - "SHA256": "1bd6a40e294f4f74f9baf172f5a3e21dad3b7e31b5757d91bda309bd54a72fbe" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.0.1.1", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmFreeContiguousMemory", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "MmGetPhysicalAddress", - 
"MmIsAddressValid", - "KeBugCheckEx", - "MmMapIoSpace", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "ExAllocatePool", + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", "DbgPrint", - "memset", - "RtlCopyUnicodeString", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", "IoFreeMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ExFreePoolWithTag", - "WRITE_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "WRITE_PORT_UCHAR", - "READ_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, 
O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": 
"8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "gdrv.sys", - "MD5": "043d5a1fc66662a3f91b8a9c027f9be9", - "SHA1": "3d8cc9123be74b31c597b0014c2a72090f0c44ef", - "SHA256": "0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "4d17b32be70ef39eae5d5edeb5e89877", + "SHA1": "3270720a066492b046d7180ca6e60602c764cac7", + "SHA256": "d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "5029d92e78dd56446eae97c8acd56926", - "SHA1": "00e5f35b31d5bfd2745bb04909f1faf26abfcec0", - "SHA256": "12ae98c0f1d7209cffe3bc8be5b76aa1f4faba40af99a6dd299462cdd3820c94" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.0.1.1", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", "DbgPrint", - "ExAllocatePool", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "KeBugCheckEx", - "RtlCopyUnicodeString", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "__C_specific_handler", "IoFreeMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ExFreePoolWithTag", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -79344,290 +73600,277 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": 
"45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "gdrv.sys", - "MD5": "3c55092900343d3d28564e2d34e7be2c", - "SHA1": "1a56614ea7d335c844b7fc6edd5feb59b8df7b55", - "SHA256": "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743", - "Authentihash": { - "MD5": "b661326f2405e4947bf879cc97f13438", - "SHA1": "c7e06ef18efee6d133c5014ef45d6657e1e36b90", - "SHA256": "c92d943a465e20f50bae8d46ea38b635d2da85ae4e34f0170fd6f451890c76d7" - }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.0.1.3", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "c1d3a6bb423739a5e781f7eee04c9cfd", + "SHA1": "2a6e6bd51c7062ad24c02a4d2c1b5e948908d131", + "SHA256": "d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" + }, + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "ExAllocatePool", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", - "RtlInitUnicodeString", "ZwClose", - "ZwOpenSection", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "KeBugCheckEx", - "RtlCopyUnicodeString", + "__C_specific_handler", "IoFreeMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ObReferenceObjectByHandle", - "ExFreePoolWithTag", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": 
"502fd3341b71cab45e302c7b586f9beefdce61639b7ccbaf643eb13bb29fcc6d5e37ba8f8af0b2d775216237d659088cbf124514ebe1fc6a663f20cbbd920afd64fbec463254a4e845cdb452b5768fcb2fb74e13043899381b57ce63419679395729d52fc8efbe19e08c5a4c6337eb910e048d30c2888718355460150ae33f20c8ea3724251dbe28d45de130843b462e11ff1ca90fb98e097b5f372b0aa1c5b2791897b4cf79cdbc02c5aca5a935a3ccf67fb67ef28390ed7913ee32e708869acbba27f24d6c7fc45b795b5e90c7200551babe0bae400343fc6fd75d36da7b5def7fde3a7f97519796d3bd14755a3adaa7cafcbe2cc24eb9a1a046ea8e05376d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": 
"45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "gdrv.sys", - "MD5": "7907e14f9bcf3a4689c9a74a1a873cb6", - "SHA1": "b9b72a5be3871ddc0446bae35548ea176c4ea613", - "SHA256": "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "054299e09cea38df2b84e6b29348b418", + "SHA1": "19bd488fe54b011f387e8c5d202a70019a204adf", + "SHA256": "e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "b4709bbd5e329d55130e0db781afc89c", - "SHA1": "b483cdd20bb24ed9a20f4168628b7053b04ebb93", - "SHA256": "bb0063e65c44da66d705d25121af09b641070219c174f5d83e288ba8fe59e46f" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "Description": "GIGABYTE Tools", - "Company": "Windows (R) Server 2003 DDK provider", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "5.2.3790.1830 built by: WinDDK", - "Product": "Windows (R) Server 2003 DDK driver", - "ProductVersion": "5.2.3790.1830", - "Copyright": "© Microsoft Corporation. 
All rights reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", + "ZwWriteFile", "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "MmUnmapIoSpace", - "MmMapIoSpace", - "ZwClose", "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "IoCreateSymbolicLink", - "KeReleaseInStackQueuedSpinLock", - "KeAcquireInStackQueuedSpinLock", - "MmFreeContiguousMemory", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmGetPhysicalAddress", - "IofCompleteRequest", "ZwUnmapViewOfSection", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", "ZwOpenSection", - "IoDeleteDevice", - "HalTranslateBusAddress" + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", - "ValidFrom": "2007-10-02 00:00:00", - "ValidTo": "2010-10-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "720ef3aaa1a44f7d0717a805c290c378", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "FileName": "gdrv.sys", - "MD5": "a72e10ecea2fdeb8b9d4f45d0294086b", - "SHA1": "4692730f6b56eeb0399460c72ade8a15ddd43a62", - "SHA256": "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097", + "Filename": "CITMDRV_AMD64.sys", + "MD5": "0ba6afe0ea182236f98365bd977adfdf", + "SHA1": "a6fe4f30ca7cb94d74bc6d42cdd09a136056952e", + "SHA256": "f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "8e9f3d61eaa5d5df8ac92c3c89eb7347", - "SHA1": "c1b7be5e37f29ee8114b701f88d68748f196c530", - "SHA256": "b213524b22aadcc273142c4b8afc2a6219d6b8b7cab4b41adf9944efb8f46005" + "MD5": "6df250bd96e46a522bd7536100737f13", + "SHA1": "d917e8e8aee2cb3d01d1ba123098654cf370689f", + "SHA256": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac" }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.0.0.5", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "WDFLDR.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "ExAllocatePool", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", - "RtlInitUnicodeString", "ZwClose", - "ZwOpenSection", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "KeBugCheckEx", - "RtlCopyUnicodeString", + "__C_specific_handler", "IoFreeMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ObReferenceObjectByHandle", - "ExFreePoolWithTag", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "MmUnlockPages", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], 
+ "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
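Review bot: `CertificatesInfo` now carries a string (`"CertificatesInfo": ""`) where the old records had an array (`"CertificatesInfo": []`), and the sample key `FileName` has become `Filename`; both are schema changes that whatever decodes this file in pkg/loldrivers has to absorb, and the commit does not show that side. Go's encoding/json matches keys case-insensitively, so the rename is probably harmless, but a field declared as a slice or struct would fail to unmarshal `""`, so the decoding type for `CertificatesInfo` should be checked (or the field dropped from the struct if it is unused). The four `CITMDRV_AMD64.sys` samples have distinct MD5/SHA1/SHA256 values but an identical `Authentihash`, which is consistent with one image re-signed several times; if the tool matches loaded drivers by hash, the Authentihash is the more stable key for that family and worth indexing alongside the file hashes. The same `CertificatesInfo` type change appears in the neighbouring hunks of this file, and the enclosing record objects begin and end outside this hunk.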
@@ -79645,238 +73888,370 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=TW, ??=Private Organization, serialNumber=22044755, C=TW, ST=Taiwan, L=New Taipei, O=GIGA,BYTE TECHNOLOGY CO., LTD., OU=Quality Validation Department II, CN=GIGA,BYTE TECHNOLOGY CO., LTD.", - "ValidFrom": "2015-11-25 00:00:00", - "ValidTo": "2018-11-24 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "47547865fbe14ca43b8231902649d74d", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] + } + ], + "Tags": [ + "CITMDRV_AMD64.sys" + ], + "yara": false + }, + { + "Id": "bc5e020a-ecff-43c8-b57b-ee17b5f65b21", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", 
+ "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create sandra.sys binPath=C:\\windows\\temp\\sandra.sys type=kernel && sc.exe start sandra.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b.yara" }, { - "FileName": "gdrv.sys", - "MD5": "31f34de4374a6ed0e70a022a0efa2570", - "SHA1": "c70989ed7a6ad9d7cd40ae970e90f3c3f2f84860", - "SHA256": "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "sandra.sys", + "MD5": "9a237fa07ce3ed06ea924a9bed4a6b99", + "SHA1": "82ba5513c33e056c3f54152c8555abf555f3e745", + "SHA256": "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b", + "Signature": [ + "SiSoftware Ltd", + "GeoTrust 
TrustCenter CodeSigning CA I", + "GeoTrust" + ], + "Date": "", + "Publisher": "", + "Company": "SiSoftware", + "Description": "Sandra Device Driver (Win64 x64)(Unicode)", + "Product": "SiSoftware Sandra", + "ProductVersion": "10.11.1.1", + "FileVersion": "10.11.1.1 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "SANDRA", "Authentihash": { - "MD5": "b18b1bff521337695d2d6a0768340252", - "SHA1": "0f5034fcf5b34be22a72d2ecc29e348e93b6f00f", - "SHA256": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb" + "MD5": "6f72f204305c65af27c9f97fe4296b54", + "SHA1": "b785192962dd159acd960c8f8f9f211747c83610", + "SHA256": "b9661dd0dcf81d2ee8e5eb3b728c907b4eb861806971051ad772f7fe4d09eb6a" }, - "Description": "GIGABYTE Tools", - "Company": "Windows (R) Server 2003 DDK provider", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "5.2.3790.1830 built by: WinDDK", - "Product": "Windows (R) Server 2003 DDK driver", - "ProductVersion": "5.2.3790.1830", - "Copyright": "© Microsoft Corporation. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "SANDRA", + "Copyright": "Copyright © SiSoftware Ltd 1995-2008. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "RtlInitUnicodeString", - "DbgPrint", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", + "ZwSetValueKey", + "NtQueryInformationProcess", + "ZwClose", + "MmMapIoSpace", "MmUnmapIoSpace", - "IoFreeMdl", + "IoQueryDeviceDescription", + "ZwSetInformationThread", + "RtlUnicodeStringToAnsiString", + "IoAllocateMdl", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", "MmUnmapLockedPages", - "MmMapIoSpace", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoCreateSymbolicLink", - "KeAcquireInStackQueuedSpinLock", - "MmFreeContiguousMemory", - "MmIsAddressValid", - "MmAllocateContiguousMemory", - "MmGetPhysicalAddress", + "IoFreeMdl", + "ZwCreateKey", + "MmResetDriverPaging", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", "IofCompleteRequest", - "ExAllocatePoolWithTag", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ZwUnmapViewOfSection", - "KeReleaseInStackQueuedSpinLock", + "MmPageEntireDriver", + "IoUnregisterShutdownNotification", + "IoDeleteSymbolicLink", "IoDeleteDevice", - "HalTranslateBusAddress" + "RtlQueryRegistryValues", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoRegisterShutdownNotification", + "KeBugCheckEx", + "RtlAppendUnicodeToString", + "IoReportResourceUsage", + "RtlInitUnicodeString", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset", + "HalTranslateBusAddress", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3", - "ValidFrom": "2016-03-16 00:00:00", - "ValidTo": "2024-03-16 00:00:00", - "Signature": "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", + "Subject": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, 
CN=GeoTrust TrustCenter CodeSigning CA I", + "ValidFrom": "2006-02-01 21:44:28", + "ValidTo": "2016-01-30 21:44:28", + "Signature": "65c62c9e0fc5dec5639b6e8341e0d9137104dcd9813151f57eb9930d2ef80ae8c329c0e15e02c935bb2d936ff620702b7af688c0a60133696035618235da87d374289fa4b7c023012a763198473d2bd618173691b6203e8c00876f603252123d15d2a49c00def933f55e980a433ab6af40d8924b85b25701b2c9b09174f7b754", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", - "ValidFrom": "2021-01-01 00:00:00", - "ValidTo": "2031-01-06 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=CN, ST=?????????, L=?????????, O=????????????????????????????????????, CN=????????????????????????????????????", - "ValidFrom": "2020-01-02 07:05:30", - "ValidTo": "2021-01-02 03:42:16", - "Signature": "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", + "Subject": "C=GB, ST=London, L=London, O=SiSoftware Ltd, OU=Development, OU=GeoTrust Code Signing, CN=SiSoftware Ltd", + "ValidFrom": "2006-08-25 14:34:37", + "ValidTo": "2009-08-25 14:34:37", + "Signature": "4c99f17e9f0b78f896f63b6e8169341c47002763232639c5a84b1ca9ce9af913f4fb60a7a35671b1eedbdd3a6f8e25f1976ec8ca8cd430e26df8872f17e846280193959d43d627fe7e1ec7090b0b5d556a343835712f2a89963601f1ada68ec83c674d1314800ccef6cb90950d53488917e8ad20a291bedbe8bdf439d2d7e511510ed93e25efc0c96d47dcebada3c4343a3572e8c54b73d5d9945278129d735147ca201016dd7ae28429501b4fcf0ec713e6a1399dcc6050e3f7ced3c3d470beed59c912a287014097a3cd1b30fed67c26e21a78b1e32f3dc2ddfb118a9208cd030d936f380cecd2c20046f6ce477d1a303a4ff6666b1294702a2d5d0cf3cbc7", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", + "Subject": "C=US, O=GeoTrust Inc., OU=GeoTrust TrustCenter Timestamp, CN=GeoTrust TrustCenter Authenticode Timestamp I", + "ValidFrom": "2006-02-13 15:40:22", + "ValidTo": "2016-02-11 15:40:22", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", - "ValidFrom": "2016-01-07 12:00:00", - "ValidTo": "2031-01-07 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Equifax, OU=Equifax Secure Certificate Authority", + "ValidFrom": "2006-05-23 17:01:15", + "ValidTo": "2016-05-23 17:11:15", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0f05d43d469ef74a803e0b3c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G3" + "SerialNumber": "008da900010020ba965fe3dc471ba8", + "Issuer": "C=US, OU=GeoTrust TrustCenter CodeSigning CA, O=GeoTrust Inc, CN=GeoTrust TrustCenter CodeSigning CA I" } ] } ] + } + ], + "Tags": [ + "sandra.sys" + ], + "yara": true + }, + { + "Id": "578d4909-c2ba-4363-b6e3-98fb62d5e55c", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": 
"vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create bw.sys binPath=C:\\windows\\temp\\bw.sys type=kernel && sc.exe start bw.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "bw.sys", + "SHA256": "0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "bw.sys" + ], + "yara": false + }, + { + "Id": "d9e00cc7-a8f4-4390-a6dc-0f5423e97da4", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create mydrivers.sys binPath=C:\\windows\\temp\\mydrivers.sys type=kernel && sc.exe start mydrivers.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6.yara" }, { - "FileName": "gdrv.sys", - "MD5": "4e093256b034925ecd6b29473ff16858", - "SHA1": "eba5483bb47ec6ff51d91a9bdf1eee3b6344493d", - "SHA256": "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "mydrivers.sys", + "MD5": "507a649eb585d8d0447eab0532ef0c73", + "SHA1": "7859e75580570e23a1ef7208b9a76f81738043d5", + "SHA256": "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6", + "Signature": [ + "Beijing Kingsoft Security software Co.,Ltd", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "MyDrivers.com", + "Description": "DriverGenius Hardware monitor", + "Product": "DriverGenius", + "ProductVersion": "2016.7.7.1214", + "FileVersion": "9.2.707.1214", + "MachineType": "I386", + "OriginalFilename": "mydrivers.sys", "Authentihash": { - "MD5": "ce38d9daee9b1de9c5fbaac0e6932ed3", - "SHA1": "025656c5696aa4834b4d32149a93176cf0322854", - "SHA256": "35b1fdfa5cc9bb4a0d6e148140d59351447fa35c5c899e95da5f62a6b054af56" + "MD5": "74a1e675b4fd736298bc24d082684b0e", + "SHA1": "c57e38ce02ba45c3ad886faff98fe346560b1f5e", + "SHA256": 
"a689804c4e6e9aa07d48f9c99b7a1be6b05cba1c632b1a083b8031f6e1651c28" }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.1.0.1", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", - "MachineType": "AMD64", + "InternalName": "HWM", + "Copyright": "Copyright MyDrivers.com all right", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "ExAllocatePool", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_ULONG", + "IofCompleteRequest", + "WRITE_REGISTER_BUFFER_UCHAR", + "IoCreateDevice", + "KeTickCount", "MmMapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "IoAllocateMdl", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", "RtlInitUnicodeString", - "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "IoFreeMdl", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "RtlUnwind", "KeBugCheckEx", - "RtlCopyUnicodeString", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ObReferenceObjectByHandle", - "ExFreePoolWithTag", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass", - "WdfVersionBindClass" + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": 
"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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, 
O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=CN, ST=BeiJing, L=BeiJing, O=Beijing Kingsoft Security software Co.,Ltd, OU=OPS, CN=Beijing Kingsoft Security software Co.,Ltd", + "ValidFrom": "2015-12-22 00:00:00", + "ValidTo": "2017-02-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", 
@@ -79884,173 +74259,389 @@ "ValidTo": "2021-02-22 19:35:17", "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "6e744ece6b39ec11594755543471d551", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "mydrivers.sys" + ], + 
"yara": true + }, + { + "Id": "404f6db5-6be8-44a9-9898-badd56f96721", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create c.sys binPath=C:\\windows\\temp\\c.sys type=kernel && sc.exe start c.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "c.sys", + "SHA256": "cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "c.sys" + ], + "yara": false + }, + { + "Id": "a5ebba11-5a31-48d2-9c6d-78bba397edf1", + "Author": "Michael Haag", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create PcieCubed.sys binPath=C:\\windows\\temp\\PcieCubed.sys type=kernel && sc.exe start PcieCubed.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8.yara" }, { - "FileName": "gdrv.sys", - "MD5": "1549e6cbce408acaddeb4d24796f2eaf", - "SHA1": "18f09ec53f0b7d2b1ab64949157e0e84628d0f0a", - "SHA256": "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "PcieCubed.sys", + "MD5": "22949977ce5cd96ba674b403a9c81285", + "SHA1": "745335bcdf02fb42df7d890a24858e16094f48fd", + "SHA256": "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "Legal Corp.", + "Description": "PCIe Video Capture", + "Product": "PCI Express Video Capture", + "ProductVersion": "1.0.0.15", + "FileVersion": "1.0.0.15", + "MachineType": "AMD64", + "OriginalFilename": "PcieCubed.sys", "Authentihash": { - "MD5": "9524a8cc0f1ce8a124e88f31c917c89d", - "SHA1": "8d6286e5d3e1558f6870bf1c4343da8a1d77aef3", - "SHA256": "3ede3c99d8a049232cd6baae9d44518a73c19d93230a1d320407a3fc2f506569" + "MD5": "489c034fa8dcfc9d211fc7e8e80c24e6", + "SHA1": "0a2da48019251954888ff3963ef21ccb624c1aba", + "SHA256": 
"2bbbe2ae5aa51868e7afc2c16c3a0a79fa3302e6830feeccca7f0363a62dddb4" }, - "Description": "GIGA-BYTE NonPnP Driver", - "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", - "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "1.0.0.1", - "Product": "GIGA-BYTE Software driver", - "ProductVersion": "1.0.0.1", - "Copyright": "Copyright (C) 2017", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "2016 Legal", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.DLL", + "ks.sys" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "ExAllocatePool", - "MmBuildMdlForNonPagedPool", + "KeDelayExecutionThread", + "KeWaitForMultipleObjects", + "ZwReadFile", + "RtlInitUnicodeString", "MmMapLockedPagesSpecifyCache", - "MmMapIoSpace", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "ZwQueryInformationFile", "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmIsAddressValid", - "KeBugCheckEx", + "RtlAnsiStringToUnicodeString", + "IoBuildSynchronousFsdRequest", + "RtlAppendUnicodeToString", + "RtlQueryRegistryValues", + "RtlInitAnsiString", + "ZwSetValueKey", + "ObfDereferenceObject", + "ZwQueryValueKey", + "ExAllocatePool", + "RtlAppendUnicodeStringToString", + "IoFreeIrp", + "IoGetAttachedDeviceReference", + "IoAllocateIrp", "RtlCopyUnicodeString", + "IoOpenDeviceRegistryKey", + "IoGetDeviceProperty", + "ZwEnumerateKey", + "IofCallDriver", + "ZwQueryKey", + "ZwOpenKey", + "PoUnregisterSystemState", + "PoRegisterSystemState", + "RtlCompareMemory", + "KeBugCheckEx", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "ObReferenceObjectByHandle", + "KeInitializeSemaphore", + "ZwClose", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeInitializeEvent", + "KeSetEvent", + "KeSetPriorityThread", + "KeClearEvent", + "ExFreePool", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "DbgPrint", + "ExFreePoolWithTag", + "RtlFreeUnicodeString", + "ExAllocatePoolWithTag", + "ZwOpenFile", + "IoConnectInterrupt", + 
"IoDisconnectInterrupt", + "IoGetDmaAdapter", "IoFreeMdl", + "KeInsertQueueDpc", + "MmProbeAndLockPages", + "MmUnlockPages", "MmUnmapIoSpace", - "MmUnmapLockedPages", - "ExFreePoolWithTag", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" + "KeInitializeDpc", + "MmMapIoSpace", + "KeSetTimerEx", + "KeInitializeTimerEx", + "KeCancelTimer", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "__C_specific_handler", + "memcmp", + "KeQueryPerformanceCounter", + "KsPinGetLeadingEdgeStreamPointer", + "KsPinGetParentFilter", + "KsStreamPointerUnlock", + "KsGetPinFromIrp", + "KsGetFilterFromIrp", + "KsGetDevice", + "_KsEdit", + "KsReleaseDevice", + "KsCreateFilterFactory", + "KsAddItemToObjectBag", + "KsInitializeDriver", + "KsFilterFactoryUpdateCacheData", + "KsPinReleaseProcessingMutex", + "KsPinAcquireProcessingMutex", + "KsAcquireDevice", + "KsPinGetReferenceClockInterface" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 
00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": "502fd3341b71cab45e302c7b586f9beefdce61639b7ccbaf643eb13bb29fcc6d5e37ba8f8af0b2d775216237d659088cbf124514ebe1fc6a663f20cbbd920afd64fbec463254a4e845cdb452b5768fcb2fb74e13043899381b57ce63419679395729d52fc8efbe19e08c5a4c6337eb910e048d30c2888718355460150ae33f20c8ea3724251dbe28d45de130843b462e11ff1ca90fb98e097b5f372b0aa1c5b2791897b4cf79cdbc02c5aca5a935a3ccf67fb67ef28390ed7913ee32e708869acbba27f24d6c7fc45b795b5e90c7200551babe0bae400343fc6fd75d36da7b5def7fde3a7f97519796d3bd14755a3adaa7cafcbe2cc24eb9a1a046ea8e05376d", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] + } + ], + "Tags": [ + "PcieCubed.sys" + ], + "yara": true + }, + { + "Id": "2bea1bca-753c-4f09-bc9f-566ab0193f4a", + "Author": "Michael Haag, rasta-mouse, goosvorbook", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create gdrv.sys binPath=C:\\windows\\temp\\gdrv.sys type=kernel && sc.exe start gdrv.sys", + "Description": "gdrv.sys is vulnerable to multiple CVEs: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321. Read/Write Physical memory, read/write to/from IO ports, exposes ring0 memcpy-like functionality, read and write Machine Specific Registers (MSRs). 
Affected versions: GIGABYTE APP Center v1.05.21 and previous, AORUS GRAPHICS ENGINE v1.33 and previous, XTREME GAMING ENGINE v1.25 and previous, OC GURU II v2.08", + "Usecase": "Elevate privileges, tamper with PPL or system processes", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/hoangprod/DanSpecial", + "https://github.com/namazso/physmem_drivers", + "https://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities", + "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://github.com/namazso/physmem_drivers", + "https://github.com/hmnthabit/CVE-2018-19320-LPE" + ], + "Acknowledgement": { + "Person": "MattNotMax", + "Handle": "@mattnotmax" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427.yara" }, { - "FileName": "gdrv.sys", - "MD5": "c832a4313ff082258240b61b88efa025", - "SHA1": "1f1ce28c10453acbc9d3844b4604c59c0ab0ad46", - "SHA256": "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b", + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "gdrv.sys", + "MD5": "9ab9f3b75a2eb87fafb1b7361be9dfb3", + "SHA1": "fe10018af723986db50701c8532df5ed98b17c39", + "SHA256": "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427", + "Signature": [ + "Giga-Byte Technology", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "2013-07-03 17:32:00 UTC, 2017-11-30 18:40:00 UTC", + "Publisher": "", + "Company": "Windows (R) Server 2003 DDK provider", + "Description": "GIGABYTE Tools", + "Product": "Windows (R) Server 2003 DDK driver", + "ProductVersion": "5.2.3790.1830", + "FileVersion": "5.2.3790.1830 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "gdrv.sys", "Authentihash": { - "MD5": "1c0c9b05800e86e0e1d158e0b44d4b99", - "SHA1": "a2c4f33de0b2ebb8a505f97697d550ccb3f7b114", - "SHA256": "b5433ec27586bdd8d2ef606f9212d8ed75ae3ae2e201a1acaf325d9b12239df8" + "MD5": "b18b1bff521337695d2d6a0768340252", + "SHA1": "0f5034fcf5b34be22a72d2ecc29e348e93b6f00f", + "SHA256": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb" }, - "Description": "GIGABYTE Tools", - "Company": "Windows (R) 2000 DDK provider", "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "5.00.2195.1620", - "Product": "Windows (R) 2000 DDK driver", - "ProductVersion": "5.00.2195.1620", - "Copyright": "Copyright (C) Microsoft Corp. 1981-1999", - "MachineType": "I386", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "IofCompleteRequest", - "ExFreePool", + "IoCreateDevice", + "RtlInitUnicodeString", + "DbgPrint", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", "MmUnmapIoSpace", "IoFreeMdl", "MmUnmapLockedPages", - "ZwUnmapViewOfSection", - "IoDeleteSymbolicLink", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", + "MmMapIoSpace", "ZwClose", "ZwMapViewOfSection", "ObReferenceObjectByHandle", "ZwOpenSection", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPages", - "ExAllocatePoolWithTag", - "RtlInitUnicodeString", - "IoCreateDevice", "IoCreateSymbolicLink", - "DbgPrint", + "KeAcquireInStackQueuedSpinLock", + "MmFreeContiguousMemory", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmGetPhysicalAddress", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ZwUnmapViewOfSection", + "KeReleaseInStackQueuedSpinLock", "IoDeleteDevice", - "KfReleaseSpinLock", - "HalTranslateBusAddress", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "KfAcquireSpinLock" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
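Review bot: The new side changes the type of `"CertificatesInfo"` from an array (`- "CertificatesInfo": [],`) to a string (`+ "CertificatesInfo": "",`) and renames the per-sample key `"FileName"` to `"Filename"` (see the gdrv.sys sample in this hunk), so a typed decoder in this package that still declares the old shape will either fail to unmarshal the whole file or silently leave the sample name empty; the same two changes recur in the surrounding hunks for the sandra.sys, mydrivers.sys and PcieCubed.sys samples. The decoder's struct is not part of this diff, so I cannot confirm it was updated in the same commit — worth checking, since a failed decode would leave the tool with no driver list at all. Note also that the new `c.sys` and `bw.sys` entries carry only `"SHA256"` with no `"MD5"`/`"SHA1"` keys, so hash-matching code that assumes all three digests are present must treat a missing digest as absent rather than as an empty string to compare against. Finally, several new `"Resources"` values have a leading space (`" https://learn.microsoft.com/..."`), a duplicate URL or an empty string `""`; this is upstream data, but it will surface as broken links if rendered verbatim.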
@@ -80099,100 +74690,112 @@ ] }, { - "FileName": "gdrv.sys", - "MD5": "d556cb79967e92b5cc69686d16c1d846", - "SHA1": "de2b56ef7a30a4697e9c4cdcae0fc215d45d061d", - "SHA256": "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b", + "Filename": "gdrv.sys", + "MD5": "1cff7b947f8c3dea1d34dc791fc78cdc", + "SHA1": "8d59fd14a445c8f3f0f7991fa6cd717d466b3754", + "SHA256": "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339", + "Signature": [ + "GIGA-BYTE TECHNOLOGY CO., LTD.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "2013-07-03 17:32:00 UTC, 2017-11-30 18:40:00 UTC", + "Publisher": "", + "Company": "GIGA-BYTE TECHNOLOGY CO., LTD.", + "Description": "GIGA-BYTE NonPNP Driver", + "Product": "gdrv64", + "ProductVersion": "17120101", + "FileVersion": "1.0.0.1", + "MachineType": "AMD64", + "OriginalFilename": "gdrv.sys", "Authentihash": { - "MD5": "906258ee90744ed1307ba969a1c8722e", - "SHA1": "2b94ace70d946caa1fed6c8f97f2fafdb45d6c54", - "SHA256": "1251eef40b877fd379c175c02bb83e230fa5acd30020e54acc0718ab326818b3" + "MD5": "bf45a5d10968424666abede02113a509", + "SHA1": "5c26f130f6a5ad8bdd2eed29140542dae0885b17", + "SHA256": "34da66774ba09c4a8fc59349401ca1fefaaf4e66a9c620c7782c072a16089ba3" }, - "Description": "GIGABYTE Tools", - "Company": "Windows (R) 2000 DDK provider", "InternalName": "gdrv.sys", - "OriginalFilename": "gdrv.sys", - "FileVersion": "5.00.2195.1620", - "Product": "Windows (R) 2000 DDK driver", - "ProductVersion": "5.00.2195.1620", - "Copyright": "Copyright (C) Microsoft Corp. 
1981-1999", - "MachineType": "I386", + "Copyright": "Copyright (C) 2017", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "KeAcquireInStackQueuedSpinLock", + "KeReleaseInStackQueuedSpinLock", + "ExAllocatePool", + "ExFreePoolWithTag", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPages", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", "MmAllocateContiguousMemory", "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", "ObReferenceObjectByHandle", + "ZwClose", "ZwOpenSection", - "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "IofCompleteRequest", - "RtlInitUnicodeString", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "KeBugCheckEx", "IoCreateDevice", - "IoCreateSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "KfReleaseSpinLock", - "HalTranslateBusAddress", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "KfAcquireSpinLock" + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=TW, ST=Taiwan, L=NEW TAIPEI, O=GIGA,BYTE TECHNOLOGY CO., LTD., CN=GIGA,BYTE TECHNOLOGY CO., LTD.", + "ValidFrom": "2016-07-21 00:00:00", + "ValidTo": "2019-09-19 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", 
+ "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei Hsien, O=Giga,Byte Technology, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Testing Department, CN=Giga,Byte Technology", - "ValidFrom": "2007-10-02 00:00:00", - "ValidTo": "2010-10-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "720ef3aaa1a44f7d0717a805c290c378", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "2ad22e071f61cafe7884bfa43a31b21b", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } 
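Review bot: The new side of this hunk changes the type of `"CertificatesInfo"` from an array to a string (`- "CertificatesInfo": [],` / `+ "CertificatesInfo": "",`), while the AsUpIO.sys samples in the next hunk go the other way and end up as `[]`, so one key now carries two JSON types within the same file. A typed decoder (pkg/loldrivers presumably unmarshals this into structs) can accept only one of those shapes without per-field custom handling, and whichever records do not match are either a decode error or silently dropped depending on the decoder. The same hunk also packs two timestamps into one value, `"Date": "2013-07-03 17:32:00 UTC, 2017-11-30 18:40:00 UTC"`, which cannot be parsed as a date without first splitting on the comma. Since the file is vendored from upstream, the practical fix is a schema check when the file is loaded or when the update script imports it, plus a comment in the loader recording which keys are known to vary in type, rather than hand-editing the data.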
@@ -80201,339 +74804,249 @@ ], "Tags": [ "gdrv.sys" - ] + ], + "yara": true }, { - "Id": "a22104a8-126d-449f-ba3e-28678c60c587", - "Author": "Michael Haag", - "Created": "2023-02-28", + "Id": "8d97bb7f-e009-4dc7-ab9d-fde293e679dc", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create wantd_3.sys binPath=C:\\windows\\temp\\wantd_3.sys type=kernel && sc.exe start wantd_3.sys", - "Description": "Driver used in the Daxin malware campaign.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, + "Commands": "sc.exe create AsUpIO.sys binPath=C:\\windows\\temp\\AsUpIO.sys type=kernel && sc.exe start AsUpIO.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + "Internal Research" ], "Acknowledgement": { - "Person": "", + "Person": [], "Handle": "" }, "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "wantd_3.sys", - "MD5": "fb7c61ef427f9b2fdff3574ee6b1819b", - "SHA1": "1f25f54e9b289f76604e81e98483309612c5a471", - "SHA256": "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1", - "Signature": "Unsigned", - "Date": "7:52 AM 4/30/2014", - "Publisher": "n/a", - "Company": "Microsoft Corporation", - "Description": "WAN Transport Driver", - "Product": "Microsoft Windows Operating System", - "ProductVersion": "5.2.3790.938", - "FileVersion": "5.2.3790.938", - "MachineType": "I386", - "OriginalFilename": "wantd.sys", + "FileName": "AsUpIO.sys", + "MD5": "9ba7c30177d2897bb3f7b3dc2f95ae0a", + "SHA1": "7115929de6fc6b9f09142a878d1a1bf358af5f24", + "SHA256": 
"8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2", "Authentihash": { - "MD5": "cbb18883d7893156620f084ff40b2fbf", - "SHA1": "df59532dbae676b3fb2653a1bbd9cd5f1cd3ba78", - "SHA256": "a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7" + "MD5": "a0bb761aa5957303141a7186d0ae717b", + "SHA1": "44638264cb1804ae17757f1336c19613de2f6e20", + "SHA256": "d12acedc9a2702a18499b77dc8ae9e6b2d1eb557eb08c8a14b2ab3a984edec01" }, - "InternalName": "wantd.sys", - "Copyright": "Microsoft Corporation. All rights reserved.", + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "NDIS.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", - "KeResetEvent", - "InterlockedIncrement", - "KeSetEvent", - "InterlockedDecrement", - "RtlUnicodeStringToInteger", - "RtlInitUnicodeString", - "KeInitializeEvent", - "wcsncmp", - "wcscat", - "wcslen", - "wcscpy", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "KeInsertQueueApc", - "KeInitializeApc", - "KeDetachProcess", - "KeAttachProcess", - "PsLookupThreadByThreadId", - "ZwAllocateVirtualMemory", - "RtlCompareUnicodeString", - "PsLookupProcessByProcessId", - "ZwFreeVirtualMemory", - "_wcsnicmp", - "ZwQuerySystemInformation", - "ZwQueryInformationProcess", - "RtlImageDirectoryEntryToData", - "_stricmp", - "NtQuerySystemInformation", - "ZwOpenFile", - "MmGetSystemRoutineAddress", - "ZwQueryValueKey", - "ZwOpenKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "IoCreateFile", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "RtlLengthSid", - "RtlCreateSecurityDescriptor", - "NtWriteFile", - "NtReadFile", - "KeWaitForMultipleObjects", - "NtFsControlFile", - "ZwWaitForSingleObject", - "RtlLengthRequiredSid", - "IoCreateSymbolicLink", + "RtlCopyUnicodeString", "DbgPrint", + 
"KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmAllocateContiguousMemory", + "IofCompleteRequest", "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "sprintf", - "ZwCreateFile", - "RtlAnsiStringToUnicodeString", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "vsprintf", - "ZwDeviceIoControlFile", - "MmMapLockedPagesSpecifyCache", - "IoFreeMdl", - "KeWaitForSingleObject", - "ObfDereferenceObject", - "KeDelayExecutionThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "PsThreadType", + "MmGetSystemRoutineAddress", "ObReferenceObjectByHandle", "ZwClose", - "KeQueryTimeIncrement", - "KeTickCount", - "KeInitializeSpinLock", - "ExAllocatePoolWithTag", - "PsGetVersion", - "ExFreePool", - "KfReleaseSpinLock", - "KfAcquireSpinLock", - "NdisAllocatePacketPool", - "NdisAllocateBufferPool", - "NdisRegisterProtocol", - "NdisDeregisterProtocol", - "NdisUnchainBufferAtFront", - "NdisAllocatePacket", - "NdisAllocateMemory", - "NdisFreePacket", - "NdisAllocateBuffer", - "NdisFreeMemory", - "NdisFreeBufferPool", - "NdisCopyFromPacketToPacket", - "NdisFreePacketPool" + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "RtlCompareUnicodeString", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", + "__C_specific_handler", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], - "Signatures": {} - } - ], - "Tags": [ - "wantd_3.sys" - ] - }, - { - "Id": "ec922c61-e0ae-4794-812c-e9688e5d5445", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create procexp.Sys binPath=C:\\windows\\temp\\procexp.Sys type=kernel && sc.exe start procexp.Sys", - "Description": "The method of abusing the Process Explorer driver to bypass EDR systems isn’t new; it was implemented in the open-source tool Backstab, 
first published in June 2021. AuKill drops a driver named PROCEXP.SYS (from the release version 16.32 of process Explorer) into the C:\\Windows\\System32\\drivers path. The legitimate Process Explorer driver is named PROCEXP152.sys, and normally is found in the same location.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/Yaxser/Backstab/blob/master/resources/PROCEXP.sys", - "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2031-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, { - "Filename": "procexp.Sys", - "MD5": "97e3a44ec4ae58c8cc38eefc613e950e", - "SHA1": "bc47e15537fa7c32dfefd23168d7e1741f8477ed", - "SHA256": "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2012", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "Sysinternals - www.sysinternals.com", - "Description": "Process Explorer", - "Product": "Process Explorer", - "ProductVersion": "16.43", - "FileVersion": "16.43", - "MachineType": "AMD64", - "OriginalFilename": "procexp.Sys", + "FileName": "AsUpIO.sys", + "MD5": "f8dce1eb0f9fcaf07f68fe290aa629e4", + "SHA1": "d697a3f4993e7cb15efdeda3b1a798ae25a2d0e9", + "SHA256": "bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0", "Authentihash": { - "MD5": "0a7106a04e6e3b13eb105b013f76e031", - "SHA1": "0c74316dfb9c21b7ff2dc288c005f9474dc26589", - "SHA256": "c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce" + "MD5": "62c8f650e44fbd061ce3bc90a011758c", + "SHA1": "d5f525a3f525aa2dc3459781c249896468e576ed", + "SHA256": "a7c6f397f1fb230627bb537e1cf59283be04d17d050a384661e00aba6877b145" }, - "InternalName": "procexp.sys", - "Copyright": "Copyright (C) Mark Russinovich 1996-2021", + "Description": "", + "Company": "", + "InternalName": "", + 
"OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "strncpy", - "RtlInitUnicodeString", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "KeWaitForSingleObject", + "DbgPrint", + "KeDelayExecutionThread", "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "ExGetPreviousMode", "MmGetSystemRoutineAddress", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", + "MmAllocateContiguousMemory", "IofCompleteRequest", + "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "RtlCopyUnicodeString", "ObReferenceObjectByHandle", - "ObfDereferenceObject", "ZwClose", - "MmIsAddressValid", - "PsGetVersion", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "SePrivilegeCheck", - "PsLookupProcessByProcessId", - "ObOpenObjectByPointer", - "ObQueryNameString", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcessToken", - "ZwQueryInformationProcess", - "ZwQuerySystemInformation", - "ObCloseHandle", - "ObOpenObjectByName", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "RtlCompareUnicodeString", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwReadFile", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsThreadType", - "RtlFreeUnicodeString", - "IoCreateDevice", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "wcschr", - "_wcsnicmp", - "RtlLengthSid", - "RtlAddAccessAllowedAce", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - 
"ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "KeBugCheckEx" + "KeBugCheckEx", + "IoIs32bitProcess", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:30", - "ValidTo": "2021-12-02 22:15:30", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2019-04-01 00:00:00", + "ValidTo": "2022-01-11 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": 
"9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000b20f9ad86794f322f60000000000b2", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "0c64962e4467edcc1579646b7337ec8c", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] - }, - { - "Filename": "procexp.sys", - "MD5": "b79475c4783efdd8122694c6b5669a79", - "SHA1": "d612165251d5f1dcfb1f1a762c88d956f49ce344", - "SHA256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" } ], "Tags": [ - "procexp.Sys" - ] + "AsUpIO.sys" + ], + "yara": 
false }, { - "Id": "4dd3289c-522c-4fce-b48e-5370efc90fa1", + "Id": "7a722cd5-69ec-4680-9f20-9387f249a891", "Author": "Nasreddine Bencherchali", "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create iQVW64.sys binPath=C:\\windows\\temp\\iQVW64.SYS type=kernel && sc.exe start iQVW64.SYS", + "Commands": "sc.exe create ElbyCDIO.sys binPath=C:\\windows\\temp\\ElbyCDIO.sys type=kernel && sc.exe start ElbyCDIO.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
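Review bot: The record added at the start of this hunk changes `"Commands"` from an object (the removed side nests `Command`, `Description`, `Usecase`, `Privileges`, `OperatingSystem` under it) to a bare string, `+ "Commands": "sc.exe create AsUpIO.sys ...",` with the other fields hoisted to record level, and at the same time writes `"Description": []` and `"Person": []` where neighbouring records use `""`. The sample keys are also inconsistent in case within the new data: this hunk uses `"FileName"` while the gdrv.sys samples in the previous hunk use `"Filename"`, so a decoder that maps by exact key name will populate only one of the two spellings. The consumer of this file presumably unmarshals into fixed structs, and an object-to-string change on `"Commands"` is the kind that fails the whole decode rather than one record, so the loader should either tolerate both shapes or the update step should validate the file against the expected schema before it is committed. The ElbyCDIO.sys record that opens at the end of this hunk continues outside it.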
@@ -80545,79 +75058,129 @@ "Person": [], "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439.yara" + }, + { + 
"type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "iQVW64.SYS", - "MD5": "c796a92a66ec725b7b7febbdc13dc69b", - "SHA1": "0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc", - "SHA256": "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775", + "FileName": "ElbyCDIO.sys", + "MD5": "702d5606cf2199e0edea6f0e0d27cd10", + "SHA1": "879e327292616c56bd4aafc279fbda6cc393b74d", + "SHA256": "238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4", "Authentihash": { - "MD5": "9628077052773b85d492e06322fa4366", - "SHA1": "013c02f8fb3b1eb638a8ccdd9da5277749d1060b", - "SHA256": "46ec6310c5ea5e289299d40f5ecca82b9c722ffc766dfd08f36dc88835e63567" + "MD5": "350ab25a105b2fee583f1b903d48788e", + "SHA1": "23a6345ab41ff68e31cef025de23cc8c81c90725", + "SHA256": "86236392bb2cc77100bd83d34a30e3fb60aa727d0b11c147a838d9a205bae80e" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2011 Intel Corporation All Rights Reserved.", - "MachineType": "IA64", + "Description": "ElbyCD Windows x64 I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + 
"FileVersion": "6, 0, 3, 2", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2009 Elaborate Bytes AG", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeGetCurrentIrql", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "ObfDereferenceObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", "KeWaitForSingleObject", - "MmGetPhysicalAddress", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", + "KeReleaseMutex", + "__C_specific_handler", + "ProbeForRead", + "ProbeForWrite", + "ZwReadFile", + "ZwWriteFile", + "ZwCreateFile", + "RtlInitUnicodeString", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwOpenFile", "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeTickCount", - "KeBugCheckEx", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "ZwSetInformationThread", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + "KeInitializeEvent", + "PsGetCurrentProcessId", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", + "KeInitializeMutex", + "ExAllocatePool", + "ExFreePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", "IoDeleteSymbolicLink", - "IofCallDriver", "IoDeleteDevice", - "KeStallExecutionProcessor", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", + "IofCallDriver", + 
"IoBuildDeviceIoControlRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "KeSetEvent", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -80640,234 +75203,100 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2008-12-23 13:26:11", + "ValidTo": "2011-12-23 13:26:11", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2009-05-26 00:00:00", - "ValidTo": "2012-05-30 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "058258571670ab2b1bac50679cec49a1", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] - }, - { - "FileName": "iQVW64.SYS", - "MD5": 
"f7d963c14a691a022301afa31de9ecef", - "SHA1": "2e546d86d3b1e4eaa92b6ec4768de79f70eb922f", - "SHA256": "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501", - "Authentihash": { - "MD5": "9e5958641168a690ab2b8003d3095a1f", - "SHA1": "b1ce8991df0af287d5fd6837306384bd4327ea1d", - "SHA256": "6f2cf1c9502c5c5054edb556827ba30ffc2e6689faf807db404672781b032eaf" - }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.3.2.16 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.3.2.16", - "Copyright": "Copyright (C) 2002-2018 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "RtlInitUnicodeString", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "ObfDereferenceObject", - "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - 
"RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2000-05-30 10:48:38", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELND1617S2", - "ValidFrom": "2016-09-22 20:52:10", - "ValidTo": "2018-09-22 20:52:10", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", - "ValidFrom": "2015-10-28 00:00:00", - "ValidTo": "2021-06-17 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "560000013927007472d9b99b9b000000000139", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" + "SerialNumber": "0100000000011e643e96d0", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "73a40e29f61e5d142c8f42b28a351190", - "SHA1": "bdfb25cc4ed569dc0d5849545eb4abe08539029f", - "SHA256": "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b", + "FileName": "ElbyCDIO.sys", + "MD5": "945ef111161bae49075107e5bc11a23f", + "SHA1": "ea37a4241fa4d92c168d052c4e095ccd22a83080", + "SHA256": "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445", "Authentihash": { - "MD5": "de5dc7fda88792287ab03e73cece0ba8", - "SHA1": "99adef60a03c2ba9aa008adcd151686175ede2db", - "SHA256": "0ae3c446e5f075e8fc3db31eabd744a65b2c50a9b4a52877873547951bc19bc9" + "MD5": "5560e048b895a592a481f9340852e3cd", + "SHA1": "1e73dbe3d0bed9def62c1f76a0c58aa6c61e8f74", + "SHA256": "d378162a47648bed192270ab4ddd67c99b4ebe8093a267fa1fe1e092559504b0" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.6 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.6", - "Copyright": "Copyright (C) 2002-2012 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", 
+ "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 0, 2", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "RtlInitUnicodeString", - "ObfDereferenceObject", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", + "RtlFreeUnicodeString", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", + "ZwOpenKey", "IoDeleteSymbolicLink", - "MmMapIoSpace", + "RtlInitUnicodeString", "IoDeleteDevice", - "KeStallExecutionProcessor", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoFreeMdl", + "MmUnlockPages", + "KeReleaseMutex", + "MmProbeAndLockPages", + "IoAllocateMdl", + "ExFreePool", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExAllocatePool", + "ZwDeleteKey", + "ZwClose", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", + "RtlUnwind", + "KeTickCount", + "MmMapLockedPages", + "IofCompleteRequest", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -80876,10 +75305,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -80890,126 +75319,116 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2012-05-17 00:00:00", - "ValidTo": "2015-05-30 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root 
CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "69ba501a268f09f694ff0e8e208aa20e", - "SHA1": "3d6d53b0f1cc908b898610227b9f1b9352137aba", - "SHA256": "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9", + "FileName": "ElbyCDIO.sys", + "MD5": "24fe18891c173a7c76426d08d2b0630e", + "SHA1": "f640c94e71921479cc48d06b59aba41ffa50a769", + "SHA256": "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185", "Authentihash": { - "MD5": "61c9bc2fd776b341f21b71fb1891eb5a", - "SHA1": "9af173db51828d2a3c64d34e9120f1fd129a2359", - "SHA256": "ecd6e879e5521ca4053a59ef6682a95d97f6d9ba75f313b87bd133afe5267852" + "MD5": "46eca1eab6ab83208b56787f55ed4117", + "SHA1": "1b62759087cbe7f5f9a82477bc2f2b19bb51f41d", + "SHA256": "e35d09a903d76810830aff2fc87bb3071026d982a334b3ee4c68f66cba865109" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.3.2.17 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.3.2.17", - "Copyright": "Copyright (C) 2002-2018 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 1, 1", + "Product": "CDRTools", + "ProductVersion": "6, 0, 
0, 0", + "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", + "ZwWriteFile", + "ZwCreateFile", "RtlInitUnicodeString", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwOpenFile", + "ZwClose", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "ZwSetInformationThread", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "KeSetEvent", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "KeReleaseMutex", + "PsGetCurrentProcessId", + "IofCompleteRequest", + "KeInitializeMutex", + "ZwReadFile", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "ObfDereferenceObject", "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "ZwDeleteKey", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", "IoCreateDevice", - 
"RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "ExAllocatePool", + "KfReleaseSpinLock", + "KfAcquireSpinLock", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81018,114 +75437,134 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2000-05-30 10:48:38", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=ND, CN=Intel(R) INTELND1820", - "ValidFrom": "2018-08-09 21:34:08", - "ValidTo": "2020-08-08 21:34:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", - "ValidFrom": "2015-10-28 00:00:00", - "ValidTo": "2021-06-17 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "560000077b478c76c9afcafcaf00000000077b", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "de4001f89ed139d1ed6ae5586d48997a", - "SHA1": "cb212a826324909fdedd2b572a59a5be877f1d7d", - "SHA256": "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee", + "FileName": "ElbyCDIO.sys", + "MD5": "aaa8999a169e39fb8b48ae49cd6ac30a", + "SHA1": "2eeab9786dac3f5f69e642f6e29f4e4819038551", + "SHA256": "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60", "Authentihash": { - "MD5": "b962ae9f688f5a0fc864e3b64a8fa443", - "SHA1": 
"f6e5a0c338354dfbd1a9170fb9bd71123db5ac3b", - "SHA256": "ee625d1910f91fc9e79237bd60b0ee5efb85c7f859922f30e4434db6cd50fa9b" + "MD5": "efa9728ff65fc5bd690400a9a6252642", + "SHA1": "b827692fe57b0b51f7671d55c0a5dd6446342acd", + "SHA256": "911541d26b605a97ba099563b9eb7e027c102f139dba5884a57df5a13cf3dcef" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "IA64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 1, 0", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeGetCurrentIrql", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "MmGetPhysicalAddress", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", + "ZwWriteFile", "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "ZwSetInformationFile", + "ZwQueryInformationFile", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwCreateFile", + "ZwCreateKey", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "ZwQueryValueKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - 
"ObReferenceObjectByPointer", - "KeTickCount", - "KeBugCheckEx", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", + "ZwSetValueKey", + "ZwSetInformationThread", + "PsTerminateSystemThread", + "KeWaitForSingleObject", + "KeSetEvent", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + "KeInitializeEvent", + "ZwReadFile", + "PsGetCurrentProcessId", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", + "KeInitializeMutex", + "ExAllocatePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", "IoDeleteSymbolicLink", - "IofCallDriver", "IoDeleteDevice", - "KeStallExecutionProcessor", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "ZwDeleteKey", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "KeReleaseMutex", + "KfReleaseSpinLock", + "KfAcquireSpinLock", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81134,121 +75573,135 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2006-04-17 00:00:00", - "ValidTo": "2009-05-31 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "65680c783b728ab2a1880df4232ded32", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign 
nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "5adebdb94abb4c76dad2b7ecb1384a9d", - "SHA1": "1e8bccbd74f194db6411011017716c8c6b730d03", - "SHA256": "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572", + "FileName": "ElbyCDIO.sys", + "MD5": "d21fba3d09e5b060bd08796916166218", + "SHA1": "caa0cb48368542a54949be18475d45b342fb76e5", + "SHA256": "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989", "Authentihash": { - "MD5": "772d513b311dd6ff2ded105980a7f92a", - "SHA1": "5db96ed94e2e32cf82f38724f8715fd775e0ebff", - "SHA256": "94b42f99cb2ac4db601a3759afe374168bad1714bd48662d74fed69099517a65" + "MD5": "2b8c47b3e15625119ef7576646fdefda", + "SHA1": "5ad820b5cac4e44ded1534169631e7d3fc8547d1", + "SHA256": "8907c476440abdd7f71feb068443a7c9736aa6bf625dfb8b6931c46341aa4abf" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "IA64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 0, 7", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeGetCurrentIrql", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", + "ZwWriteFile", + "ZwClose", + 
"ZwSetInformationFile", + "ZwQueryInformationFile", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwCreateFile", + "ZwOpenKey", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "ZwQueryInformationProcess", + "ZwSetInformationThread", + "KeReleaseMutex", "ObfDereferenceObject", + "KeWaitForMultipleObjects", + "PsCreateSystemThread", "KeWaitForSingleObject", - "MmGetPhysicalAddress", - "IoBuildSynchronousFsdRequest", + "ObReferenceObjectByHandle", + "ZwOpenProcess", + "KeSetEvent", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeTickCount", - "KeBugCheckEx", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "RtlInitUnicodeString", + "ZwReadFile", + "IofCompleteRequest", + "KeInitializeMutex", + "ExAllocatePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "IoDeleteSymbolicLink", - "IofCallDriver", "IoDeleteDevice", - "KeStallExecutionProcessor", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "ZwDeleteKey", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "PsGetCurrentProcessId", + "KfReleaseSpinLock", + "KfAcquireSpinLock", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81257,140 +75710,114 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "312a78bb7289ca49f93bb483f0a56c77003b9bc3dda8096af5a455a642aeb201ceaadcacce82396eadef1bc05108e296eae1d8d074949170f28f78fa24bed56e7dca69067866d2d790c10929db5d6e7026906dc96a4c3e2b0254b86328393272826bad272dc3911b2c3ec6832d88e95a696d7e5da86c3f946c306df5a5d7e78b0cba5df4d78035e76fa33c452afc780ffe36246c58fdd0e150d22fce7df4dd954eae19a60009e5b99b8649b6d728a46bd9f90ddfbccb6951dfa7b106a6d0fda3b76b23ef475dcf2d1147ae15d4d34035e1929681fe802dfbc5bbbcd98e107c39cbe07cce6911a9202709853bcc4748fde8dc409b7939be5e4b6c97fb90dc6031", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2006-04-17 00:00:00", - "ValidTo": "2009-05-31 23:59:59", - "Signature": "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", + "Subject": 
"C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "65680c783b728ab2a1880df4232ded32", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "b32497762d916dba6c827e31205b67dd", - "SHA1": "9310239b75394b75a963336fbd154038fc13c4e3", - "SHA256": "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0", + "FileName": "ElbyCDIO.sys", + "MD5": "b5326548762bfaae7a42d5b0898dfeac", + "SHA1": "f3029dba668285aac04117273599ac12a94a3564", + "SHA256": "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00", "Authentihash": { - "MD5": "b08ec7710e9596bf9389b458b4f9717b", - "SHA1": "d544c1dfd17aee4bf15dc4aa8d5208fe304f4eb4", - "SHA256": "b261d4065c03dcc732a951a9451b3a9f6054899eb3b8a4062dfed1c0ca3f3755" + "MD5": "fc16498ddf3716e03fdd527c456ea80b", + "SHA1": "7436e16cf348558015593cbf5ab9c117d97738cc", + "SHA256": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.3.2.13 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.3.2.13", - "Copyright": "Copyright (C) 2002-2017 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 
0, 1", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2006 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "RtlInitUnicodeString", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "RtlFreeUnicodeString", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "ObfDereferenceObject", + "RtlInitUnicodeString", "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoFreeMdl", + "MmUnlockPages", + "KeReleaseMutex", + "MmProbeAndLockPages", + "IoAllocateMdl", + "ExFreePool", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExAllocatePool", + "ZwDeleteKey", + "ZwClose", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "KeInitializeMutex", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - 
"SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor", + "RtlUnwind", + "KeTickCount", + "MmMapLockedPages", + "IofCompleteRequest", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81399,75 +75826,75 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELND1617", - "ValidFrom": "2016-09-22 20:33:26", - "ValidTo": "2017-09-22 20:33:26", - "Signature": "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", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "47bb93e603b1d9570eff60e90fc75e86e623f7defa6dc27732ef23f68fcc6f2572d4a94bad11a273bb8bd2b7b8879474890ccc5cea3a9ac0753a97597c22003d7ac7c55be8d49313ec8f94cda833dfa4d79aa1c8d8a3b4497e173a02e96656978d16b470abbc6b1048e7457b13c74d05bca02c0516be067ef679678f9c3454e67eea197714f19d3b55e4339f69bba7a72254512c677d0452aa7b66dea96aad8ca15c7939cd1c85ec890699854627a001576e93365145e15a3a59af5b41f9709dc4160e05e795b401b4931a590b8a31f7b648c86af6228c9e92286fa893b4a772533ada2cfad43dbf09237fdfcc652ad091aa5031c865f53858d4b39be6311008", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": 
"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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", - "ValidFrom": "2015-04-24 21:46:24", - "ValidTo": "2018-04-24 21:46:23", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": 
"362ba2f2e1331fe493f7f26985c6640ec99b632fe4703798fd94ec7bcff8a14246f9ed6a4e8d34693605557a1ebbad8c99429606e925a82684bec1bf16a97caa5b04b7fdd1c0f402be28edf577c79bfe3af6e8c17bd382abfa144ecf2bcfe5d5b54840b1a38f838bad2b2553aba634cef243f74f2ce9dd1e4e5ab6bae83b10992400bc50fd78f6e523a8899493f7b74130374a57b7e644d9c9df9905aa44fc74af8264cc07cb01b609c32ee3e832a7b49f4178c7a184365462f2ec150ac8ead084f8f1e06bf456125f95e0fcddb77693fe294a25e90400f1b4110ec9849edb177df51ea58e3629193a6d6c464bd7ab7024288d05a3d9d524f2f8a0d13c8239d4a8820e693a8109fc06f0c75933843693064191232c22a5a7012b50b428aedb46b0591b86b39b87e8494e390b6d14df4c03301e1f5f74aef55b590353ec9816e0d06235751b48b87d13e57a48b87752a40798253b069b7a4e6a6f44864f144f2779273d5073414c9c413edd290c73b1c7fb1f760c176504ebd25010924149ece4067d3615446f89bf697df94d40c13a98b6a07e31d2b5aecafb53d53f5086cd5e933b6d5d7c9a3f3ff7a9255884dd114900a2c7c89e37dd778e6d718be05b81345d54baccf59347886de7ef5be228e4801b40e40f2ad17f2315655aac9994433f465526d6c4fa8895e2919aa32d0b85deac8ce0f967709f71790231f761a229c4", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000ba45a7f4234edca115e400020000ba45", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "ca6931fcbc1492d7283aa9dc0149032e", - "SHA1": "45a9f95a7a018925148152b888d09d478d56bbf5", - "SHA256": "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683", + "FileName": "ElbyCDIO.sys", + "MD5": "e9ccb6bac8715918a2ac35d8f0b4e1e6", + "SHA1": "9feacc95d30107ce3e1e9a491e2c12d73eef2979", + "SHA256": 
"9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d", "Authentihash": { - "MD5": "5617c10f9fb9e09aba8657adb2c05b07", - "SHA1": "b4d869e7b3be6f0ae0113b05bc5358b955e2f6d4", - "SHA256": "08209cd92723526d56863e89f283750e2ee57c69db37ae501aa889c0c60bb552" + "MD5": "b5cb05a635b6932ea1f7c0ee35592e37", + "SHA1": "e8dc3aa48d494fb2bc096523e11859afdd18b10a", + "SHA256": "e85d36ca271c4d65abc1cdfff0e629dc5d14edb5bf97669badbb40d2715c1d47" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.2.7 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.2.7", - "Copyright": "Copyright (C) 2002-2016 Intel Corporation All Rights Reserved.", + "Description": "ElbyCD Windows x64 I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 1, 1", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", 
@@ -81475,71 +75902,52 @@ ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ZwReadFile", + "ZwWriteFile", + "ZwCreateFile", "RtlInitUnicodeString", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwOpenFile", + "ZwClose", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "ZwSetInformationThread", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "KeSetEvent", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "KeReleaseMutex", + "PsGetCurrentProcessId", + "IofCompleteRequest", + "ExAllocatePool", + "ExFreePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "ObfDereferenceObject", "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "__C_specific_handler", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "ZwDeviceIoControlFile", + "ZwDeleteKey", + "IoCreateSymbolicLink", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - 
"RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor", + "KeBugCheckEx", + "KeInitializeMutex", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81548,120 +75956,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", - "ValidFrom": "2015-09-28 19:41:01", - "ValidTo": "2016-09-27 19:41:01", - "Signature": "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", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", - "ValidFrom": "2014-12-09 21:30:38", - "ValidTo": "2017-12-09 21:30:35", - "Signature": "946aee51ab48079d01882edffbe887d87828778d30da382cacb0c1d5a4c0fc8437badc00c2c16454a82564ba4bcf776b79eb1feedc4e4ccd02514bbaea7c9b755d88a43a9493e07ebaa22358f95dabd995d4c572134e266dfb4bbd3a4c95c3191abbba7b1d1d0587c4a3e3911e1037fda9dacd9fe9c63383f0c21ece4e829c9c7e40e96a64139dfda69d0255a9588dbff28bfec8d343ca34decb755531b384a6cf388a5f06685870f79a321c3fc0e221cf8bba3b1e0b5d0486eb02f6e9008ebc4c2741215451b0ba6e1ec9d9e202b4e38c9184838c5e948df1c051aa0d0122c32810c11cb3458735c726b9e252558e0257b3360f85ec5ba949c3a3f8841c1938b5661ea9bde4f0894b40bd9567e89b17b373faaeeb1de7b7b27e4f52b46add679ac3dbd35bbdb48c9c6fb7aae98058c99002e9e53e0a0d5d88d21289ecce372c63afc6a08ca8f61d013695e40c48b67b9725dab9607e3f80e82d2f56afdd10b453d2e82d488b69a7ca63ced68f9bdc855d62fd79103e8b4abfef936e430dee4ea4e2a199a43a03783e4e4489807170fd63f12272c865861419fe6f2c474948f8749cb696446054b3e0913bba0f5483640dd33e955421beb4574f8398398e1323b3f24f83f640c5146aa90c6e314d6ccdcf8d21bbd09e4ff883e369adc6b742c021d833a2d4fefbba1080d8ca8eade080908a626fb8396451e2616afc943e1f74", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "349fa788a4a7b57e37e426aca9b736d5", - "SHA1": "687b8962febbbea4cf6b3c11181fd76acb7dfd5a", - "SHA256": "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9", + "FileName": "ElbyCDIO.sys", + "MD5": "28cb0b64134ad62c2acf77db8501a619", + "SHA1": "5742ad3d30bd34c0c26c466ac6475a2b832ad59e", + "SHA256": "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47", "Authentihash": { - "MD5": "c50808f1da14138ea4b38907f113ab5a", - "SHA1": "859be8b0b744eee0b9a3410fc5a614b924ac4b43", - "SHA256": "e7fe1fa6d2e5502ff1882a345790d0aab3ad34fe269ab23e3115d2d93db3fe6b" + "MD5": "47a02497d57e9ffa7ab2490d15a0bf90", + "SHA1": "da00f69b9d1e4a997094651f4af2c0faad653a10", + "SHA256": "c1bbe628f79528417ea741dfad2f589fc4e5c62152e632a89ed080da029d5384" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation 
All Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 1, 2", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2008 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "ZwWriteFile", + "ZwCreateFile", "RtlInitUnicodeString", - "ObfDereferenceObject", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwOpenFile", + "ZwClose", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "ZwSetInformationThread", + "KeSetEvent", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "KeReleaseMutex", + "PsGetCurrentProcessId", + "IofCompleteRequest", + "KeInitializeMutex", + "ZwReadFile", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "MmMapIoSpace", "IoDeleteDevice", - "KeStallExecutionProcessor", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + 
"MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "ZwDeleteKey", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "ExAllocatePool", + "KfReleaseSpinLock", + "KfAcquireSpinLock", "KeQueryPerformanceCounter" ], "Signatures": [ @@ -81669,6 +76087,13 @@ "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", "ValidFrom": "2007-06-15 00:00:00", 
@@ -81684,126 +76109,93 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2006-04-17 00:00:00", - "ValidTo": "2009-05-31 23:59:59", - "Signature": 
"1c9c5e1020ecb0b42a91db52dd24e367787824834a64266a853e2e606da460488ac331c35600c43713d44df9a63e354c802f6fd18393206067cb6386f02d31c9b1ec0cf22d2067dc3add71bcb23063436822b69c31e1aa9c236e1111651ba67adf5fa784b98a264a33e03e61bb7e5b3e47152ce5d4d4918ca92bfc581063b1c83777480f29f7c02f08f47078e95e0eca268714fd9e5cce7a381bcfcd55918af45d3e3b1f2a82846df292a4a2ac99e94fb5df00b73cf90968b2d47789bf10f6673b4e5c3b6631eedc336a2aa1b6de1fc3dda1d26b10c9d9c4bb92ceff38b0e49c0939a9d5b179f0d1cf7251406b473381c79bf4fa9670d6c6325a7f9909ae0b63", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "65680c783b728ab2a1880df4232ded32", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "1c61eb82f1269d8d6be8de2411133811", - "SHA1": "0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c", - "SHA256": "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7", + "FileName": "ElbyCDIO.sys", + "MD5": "f141db170bb4c6e088f30ddc58404ad3", + "SHA1": "34b0f1b2038a1572ee6381022a24333357b033c4", + "SHA256": "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9", "Authentihash": { - "MD5": "0b6c1cf6b4bad6edccd9c8457af495bc", - "SHA1": "69e6d06476e4c55989507cf47722f0c355f568ad", - "SHA256": "c857c2db1fe1b9c979079add29d5b970147d6a264b4095e6579b5d0669c2b572" + "MD5": "fc16498ddf3716e03fdd527c456ea80b", + "SHA1": "7436e16cf348558015593cbf5ab9c117d97738cc", + "SHA256": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b" }, - "Description": "Intel(R) Network Adapter 
Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.3.2.18 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.3.2.18", - "Copyright": "Copyright (C) 2002-2019 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 0, 1", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2006 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "RtlInitUnicodeString", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "RtlFreeUnicodeString", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "ObfDereferenceObject", + "RtlInitUnicodeString", "IoDeleteDevice", - "MmGetSystemRoutineAddress", - "ZwSetSecurityObject", - "ObOpenObjectByPointer", - "IoDeviceObjectType", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + 
"KeInitializeEvent", + "IoFreeMdl", + "MmUnlockPages", + "KeReleaseMutex", + "MmProbeAndLockPages", + "IoAllocateMdl", + "ExFreePool", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExAllocatePool", + "ZwDeleteKey", + "ZwClose", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "KeInitializeMutex", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "_wcsnicmp", - "RtlAddAccessAllowedAce", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "KeStallExecutionProcessor", + "RtlUnwind", + "KeTickCount", + "MmMapLockedPages", + "IofCompleteRequest", "KeQueryPerformanceCounter" ], "Signatures": [ 
@@ -81812,106 +76204,135 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", - "ValidFrom": "2000-05-30 10:48:38", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=ND_QV", - "ValidFrom": "2019-03-27 21:49:54", - "ValidTo": "2021-03-26 21:49:54", - "Signature": 
"2b03535c8db5fa8488a8241590410378f7362874f1b40f0f3750eae22224e9f559d4f703760a9a0530b2869436b78ef40ec4fd88bc1ebe2783b74b2339d011cde8788c4ed967fd4de5f4ccc2af794eed1d8efc0bf6737ccd5db59f64394a68f0a3a152de60b5c5091c6a9913192cccb7168ab4465ac7da62ad6cba49688c4b2340c7e97386ca3a06fd9ffeb114f21cadf7e0c4f0dcd1457b7c1f7d0b0b286f90cffef6d1802d818c73fdf3588c46dc99855f2e80aa329c3fa62f9f941589e016b6cbb775b311a49cbfc1ae5cb906eee8cf9f93e7ae994e7f6069bd6d9b4b071ba7042653eaf235bae020582b9c6ab78a237c05bbbe8f9182631c0f836ad3da9a71ba48e2c3260d002c88c98f1ad0c6d67d259c393129e17fa2913545c1a9bc7a48e18452d2048bcf2d931d996472155dd91338551feb086e3f8ac979745b1652f6cc8efae1c3c1df6983db6a45549a5de477567bc22ed2529adb7db1002b15bd8ab4e91739a3d4d018aa6bc2ac744abcc68690c938ef2a3a3e2b6552944806f6ba7260c3d8d949d29e056e922a581edd28ff12ee03279882a5e389070fa06a1b1a900b9a32e1208c8f00bfc9a2f2dbb96c10071fb05231ed2ba6170b007717ad33c0934c45d6b9690194dcd0212f5cb68c203400a196a218bb20ca645ed6b72cfba8f31cdae8b56b91415973dd46b6dac1e4b268ebbd17de7da59f253b380c41", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", - "ValidFrom": "2015-10-28 00:00:00", - "ValidTo": "2021-06-17 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, 
O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5600000a6c1826788c3ae621c1000000000a6c", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "31a4631d77b2357ac9618e2a60021f11", - "SHA1": "637d0de7fa2a06e462dad40a575cb0fa4a38d377", - "SHA256": "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5", + "FileName": "ElbyCDIO.sys", + "MD5": "0634299fc837b47b531e4762d946b2ae", + "SHA1": "0a19a9c4c9185b80188da529ec9c9f45cbe73186", + "SHA256": "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439", "Authentihash": { - "MD5": "67bc13f641db5e7b40ffd8fd33b7d9c6", - "SHA1": "627e4a44e5a5da00cdb8ae2a538175ded6a9a113", - "SHA256": "9f94d9180104c820c3d27f03e20f5bbc9d2a5bc2ae6e74baf2a848f2f1790ec8" + "MD5": "c18c29b48a4e04a3cd761dc733cfda55", + "SHA1": "f43590d096d3ed0bbcfd2b0e41a327ba365bd9ec", + "SHA256": "262268f21c789c2bdaf1950b556456a9a5114ed5759d806200b0cec107bf76d7" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All 
Rights Reserved.", - "MachineType": "AMD64", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Company": "Elaborate Bytes AG", + "InternalName": "ElbyCDIO", + "OriginalFilename": "ElbyCDIO.sys", + "FileVersion": "6, 0, 0, 4", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "Copyright": "Copyright (C) 2000 - 2007 Elaborate Bytes AG", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "ZwWriteFile", + "ZwClose", + "ZwSetInformationFile", + "ZwQueryInformationFile", + "ZwOpenFile", "RtlInitUnicodeString", + "ZwCreateFile", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "ZwQueryInformationProcess", + "ZwSetInformationThread", + "KeReleaseMutex", "ObfDereferenceObject", + "KeWaitForMultipleObjects", + "PsCreateSystemThread", "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", + "ObReferenceObjectByHandle", + "ZwOpenProcess", + "KeSetEvent", "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "PsGetCurrentProcessId", + "ZwReadFile", + "KeInitializeMutex", + "ExAllocatePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "ZwCreateKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "MmMapIoSpace", "IoDeleteDevice", - "KeStallExecutionProcessor", + "IofCallDriver", + 
"IoBuildDeviceIoControlRequest", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "ZwDeleteKey", + "ZwDeviceIoControlFile", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "IofCompleteRequest", + "KfReleaseSpinLock", + "KfAcquireSpinLock", "KeQueryPerformanceCounter" ], "Signatures": [ @@ -81919,6 +76340,13 @@ "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2006-12-07 11:07:29", + "ValidTo": "2008-12-07 11:07:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", "ValidFrom": "2007-06-15 00:00:00", 
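Review bot: The certificate `Subject` and `Issuer` strings in the new ElbyCDIO chain carry `O=GlobalSign nv,sa`, and elsewhere in the file the same pattern yields `Signer , G2`, `2009,2 CA` and `Class 3 , Microsoft`, i.e. hyphens in the X.500 names have been turned into commas; a consumer that splits these on `, ` to recover RDNs, or that compares an issuer against the string a real certificate yields, will mismatch on every such entry. This looks systematic across the file, so it is presumably an artefact of the upstream exporter rather than of this commit, but the package that loads this file should say so where it documents these fields, e.g. `Subject and Issuer are display strings as exported upstream (hyphens appear as commas) and must not be parsed as RFC 4514 DNs.` The driver object this hunk belongs to starts before the hunk.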
@@ -81934,104 +76362,196 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft 
Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2009-05-26 00:00:00", - "ValidTo": "2012-05-30 23:59:59", - "Signature": "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", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "058258571670ab2b1bac50679cec49a1", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0100000000010f5c98b8f5", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" } ] } ] + } + ], + "Tags": [ + "ElbyCDIO.sys" + ], + "yara": true + }, + { + "Id": "86cff0de-2536-4b8d-a846-a7312c569597", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create nicm.sys binPath=C:\\windows\\temp \\n \\n \\n icm.sys type=kernel && sc.exe start nicm.sys", + "Description": "nicm.sys is a vulnerable driver. 
CVE-2013-3956.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790.yara" }, { - "FileName": "iQVW64.SYS", - "MD5": "7c22b7686c75a2bb7409b3c392cc791a", - "SHA1": "bed5bad7f405aa828a146c7f71d09c31d0c32051", - "SHA256": "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "nicm.sys", + "MD5": "22823fed979903f8dfe3b5d28537eb47", + "SHA1": "d098600152e5ee6a8238d414d2a77a34da8afaaa", + "SHA256": "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790", + "Signature": [ + "Novell, Inc.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "Novell, Inc.", + "Description": "Novell XTCOM Services Driver", + 
"Product": "Novell XTier", + "ProductVersion": "3.1.11", + "FileVersion": "3.1.11.0", + "MachineType": "AMD64", + "OriginalFilename": "libnicm.sys", "Authentihash": { - "MD5": "1789a16d20ca2b55f491ad71848166a2", - "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7", - "SHA256": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087" + "MD5": "4f9030161d60cde6099483f6763e75db", + "SHA1": "6ec1c1cd8c38de77cb35260deeb491e563b5c721", + "SHA256": "aa0a1de59d8697c5f39937edeb778fde7c596b71d64d3427c80fe4c060488990" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.7 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.7", - "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "NicmCreateInstance", + "NicmDeregisterClassFactory", + "NicmGetVersion", + "NicmRegisterClassFactory", + "XTComCreateInstance", + "XTComDeregisterClassFactory", + "XTComFreeUnusedLibrariesEx", + "XTComGetClassObject", + "XTComGetVersion", + "XTComInitialize", + "XTComRegisterClassFactory" ], - "ExportedFunctions": "", "ImportedFunctions": [ + "ExAcquireResourceExclusiveLite", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "strstr", + "RtlInitAnsiString", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "RtlEqualString", + "MmUnmapLockedPages", + "ProbeForRead", + "IoDeleteSymbolicLink", + "IoRegisterShutdownNotification", + "KeInitializeMutex", + "KeLeaveCriticalRegion", + "IoDeleteDevice", + "ProbeForWrite", + "IoFreeMdl", + "KeEnterCriticalRegion", + "KeReleaseMutex", + "ZwCreateFile", + "MmMapLockedPagesSpecifyCache", + "IoUnregisterShutdownNotification", + 
"ZwClose", + "IofCompleteRequest", + "IoSetTopLevelIrp", + "KeWaitForSingleObject", + "MmProbeAndLockPages", + "MmUnlockPages", + "ExDeleteResourceLite", + "IoGetTopLevelIrp", "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", + "ExInitializeResourceLite", + "NtSetSecurityObject", + "DbgPrintEx", "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", + "RtlCreateSecurityDescriptor", + "IoGetCurrentProcess", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", "RtlInitUnicodeString", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", + "RtlAppendUnicodeToString", "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "RtlInitString", + "KeDelayExecutionThread", + "RtlFreeUnicodeString", + "ZwWaitForSingleObject", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "RtlAppendUnicodeStringToString", + "RtlCopyString", + "MmIsAddressValid", + "ZwOpenFile", + "ZwQueryInformationFile", + "ZwLoadDriver", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", "KeBugCheckEx", - "IoDeleteSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -82049,855 +76569,1158 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2012-05-17 00:00:00", - "ValidTo": "2015-05-30 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
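Review bot: `ExportedFunctions` is an array for the new nicm.sys sample but the string `""` for the ElbyCDIO sample earlier in this hunk, and `CertificatesInfo` flips from `[]` to `""` for the same sample, so one key now carries two JSON types within the same file; whatever struct pkg/loldrivers decodes this into must hold these keys in a permissive field (`json.RawMessage` or a custom unmarshaler) or `json.Unmarshal` rejects the whole file at the first mismatched element. The new nicm.sys entry also spells the key `Filename` while the surviving ElbyCDIO samples use `FileName`; Go's decoder matches case-insensitively so this works silently, but a stricter consumer of the file will miss one spelling. The nicm.sys `Command` value contains a literal `\\n \\n \\n ` run where sibling entries hold a plain path, and the `Resources` URLs start with a space, both of which look like escaping or trimming bugs in the upstream generator rather than something to hand-edit here. If this file is a verbatim upstream sync these belong in an upstream issue; a test in this package that decodes the entire file would catch the type mismatch at build time.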
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2010-04-03 00:00:00", + "ValidTo": "2013-04-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 
17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "41ec87c0295f2c734169b8a23c66ac9a", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] + } + ], + "Tags": [ + "nicm.sys" + ], + "yara": true + }, + { + "Id": "bb808089-5857-4df2-8998-753a7106cb44", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create DBUtilDrv2.sys binPath=C:\\windows\\temp\\DBUtilDrv2.sys type=kernel && sc.exe start DBUtilDrv2.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009.yara" }, { - "FileName": "iQVW64.SYS", - "MD5": "477e02a8e31cde2e76a8fb020df095c2", - "SHA1": "9449f211c3c47821b638513d239e5f2c778dc523", - "SHA256": "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5", + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "DBUtilDrv2.sys", + "MD5": "dacb62578b3ea191ea37486d15f4f83c", + "SHA1": "90a76945fd2fa45fab2b7bcfdaf6563595f94891", + "SHA256": "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2012", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "99f8e77dfc84cbd445500575ec9ab78a", - "SHA1": "154c4d80f243b40dcebc2d5a2f3cee968d2f6f0c", - "SHA256": "7cc54914473d7c75a483c5672655bd9df2ce20b556a0d92c6e4cb8722ab1647b" + "MD5": "3736439958e5533142648f0d278fe7df", + "SHA1": "6bc2ab0f03d7a58685a165b519e8fee6937526a6", + "SHA256": "d7c683ef033ac2dc4dfa0dc61f39931f91c0e8fd19e613f664cb03e14112ef6e" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "InternalName": "", + 
"Copyright": "", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WppRecorder.sys", + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemorySpecifyCache", + "MmAllocateContiguousMemorySpecifyCache", "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", - "IoDeleteSymbolicLink", "MmMapIoSpace", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "MmGetPhysicalAddress", + "RtlCopyUnicodeString", + "KeSetPriorityThread", + "KeInsertQueueDpc", + "IoWMIRegistrationControl", + "RtlInitUnicodeString", + "imp_WppRecorderReplay", + "WppAutoLogStop", + "WppAutoLogStart", + "WppAutoLogTrace", + "WdfVersionUnbindClass", + "WdfVersionBindClass", + "WdfVersionUnbind", + "WdfVersionBind" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": 
"2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:06:32", + "ValidTo": "2020-06-03 18:06:32", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2009-05-26 00:00:00", - "ValidTo": "2012-05-30 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, 
O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "058258571670ab2b1bac50679cec49a1", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000857f83dc2a6ca979b8000000000085", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] }, { - "FileName": "iQVW64.SYS", - "MD5": "ce67e51b8c0370d1bfe421b79fa8b656", - "SHA1": "4885cd221fa1ea330b9e4c1702be955d68bd3f6a", - "SHA256": "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c", + "Filename": "DBUtilDrv2.sys", + "MD5": "d104621c93213942b7b43d65b5d8d33e", + "SHA1": "b03b1996a40bfea72e4584b82f6b845c503a9748", + "SHA256": "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2012", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "Dell", + "Description": "DBUtil", + "Product": "DBUtil", + "ProductVersion": "2.7.0.0", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "02eedc6afdeb843f391a69611266a838", - "SHA1": "9dae306ebc30a8c2f160e3f6e726fcd3e4f92280", - "SHA256": "727666434d5ea292a7631d0944edd36097db12862730996ce8a3f052be04a2cd" + "MD5": "1e96108c0938d4c34d7072f04bc8b951", + "SHA1": "d46ae9bcc746ca408fbb55fb0d61b638720a8f25", + "SHA256": "7bacb353363cc29f7f3815a9d01e85cd86202d92378d1ab1b11df1ab2f42f40a" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - 
"InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "© 2021 Dell Inc. All Rights Reserved. ", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", + "MmMapIoSpace", "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "RtlInitUnicodeString", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", + "MmAllocateContiguousMemorySpecifyCache", + "KeSetPriorityThread", + "MmGetPhysicalAddress", "KeBugCheckEx", - "IoDeleteSymbolicLink", - "MmMapIoSpace", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "KeInsertQueueDpc", + "RtlCopyUnicodeString", + "IoWMIRegistrationControl", + "MmGetSystemRoutineAddress", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": 
"2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:33", + "ValidTo": "2021-12-02 22:15:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - 
"ValidFrom": "2009-05-26 00:00:00", - "ValidTo": "2012-05-30 23:59:59", - "Signature": "3d01e2c5a5f6209e2b1cbf422f38c19677d0c3d164d29bcf4fda7ad174d1bbd575795110e13d1af2fad8fcf7a683374a113b00b3b79677f04594c035194e9ab3d016259124793bae1750082011447c5f3e5e46d4c8423affadd01a84b40bbb6143b2030b6741f17d9d9b31124857587c24f1b9877f901b861a7e487bb0ba249553fc7decd252dd7c15a2ebdddec25e84d4dc9e5d6bdf06cb35c97b9a14c04945765431fb8be90e0b007daa667972409973db8f484b2283492c62a7923202797428054a8077cbabc1b1ad48334a759a32c6c2651b9ed192f67dd6d1479da1ea6f0a3b24a02c01b4ac85d293dc40150f831870b8aaa56d727eec6f55a0ff68402a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "058258571670ab2b1bac50679cec49a1", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "33000000b5213fca1e4aa03de40000000000b5", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } ] + } + ], + "Tags": [ + "DBUtilDrv2.sys" + ], + "yara": false + }, + { + "Id": "1ad765f9-6ea7-4c45-a964-6c21ad8a7c08", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create WYProxy32.sys binPath=C:\\windows\\temp\\WYProxy32.sys type=kernel && sc.exe start WYProxy32.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " 
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WYProxy32.sys", + "SHA256": "de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WYProxy32.sys" + ], + "yara": false + }, + { + "Id": "a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create segwindrvx64.sys binPath=C:\\windows\\temp\\segwindrvx64.sys type=kernel && sc.exe start segwindrvx64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd.yara" }, { - "FileName": "iQVW64.SYS", - "MD5": "2cc65e805757cfc4f87889cdceb546cd", - "SHA1": "7c625de858710d3673f6cb0cd8d0643d5422c688", - "SHA256": "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f", + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "segwindrvx64.sys", + "MD5": "4ae55080ec8aed49343e40d08370195c", + "SHA1": "d702d88b12233be9413446c445f22fda4a92a1d9", + "SHA256": "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd", + "Signature": [ + "Insyde Software Corp.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Insyde Software Corp.", + "Description": "SEG Windows Driver x64", + "Product": "SEG Windows Driver x64", + "ProductVersion": "100.00.07.02", + "FileVersion": "100.00.07.02", + "MachineType": "AMD64", + "OriginalFilename": "segwindrvx64.sys", "Authentihash": { - "MD5": "3e2ca18cf98afa0faac4da0fb1eca408", - "SHA1": "15a85aa659248751080984a29dc848c37e900002", - "SHA256": "ccc65f108ad084af41725e42efc3c3c539f89a474c1b1293b111a83e3eba216a" + "MD5": "bfc8d6405949be17179975d604e62c90", + "SHA1": "c7d32983805f04c7aac4e9713d203399aaca7acc", + "SHA256": "f1f345591efe74fd12e706132939f51963eb39dd0a1db556123c3e850c60fada" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.1.2 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.1.2", - "Copyright": "Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", - "MachineType": 
"AMD64", + "InternalName": "segwindrvx64.sys", + "Copyright": "Copyright (c) 2012 - 2015, Insyde Software Corp. All Rights Reserved.", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", + "MmMapIoSpace", "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemorySpecifyCache", + "IofCompleteRequest", + "MmGetPhysicalAddress", + "_vsnprintf", "RtlInitUnicodeString", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "RtlInitAnsiString", "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "MmFreeContiguousMemory", + "ExAllocatePool", + "RtlCopyString", + "RtlEqualString", + "RtlCompareMemory", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", - "ValidFrom": "2015-09-28 19:41:01", - "ValidTo": 
"2016-09-27 19:41:01", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "586fbfcd43074213fcb8d0ad8121f28a6fef87bc268a7c00bd680c2b19642c1167b3a9d9790aac395d6500163b53466ea2a6b56799dbe8bfa225ae049511093a2fdeacb73db8bc017430804748544ca0fb6ba8b8a284b7f434e57bcedc5278f4316d4251ae87bf94acbe9616fb55e5798264fdac5038e4dccb812ce7776f9d9b235c7d0403f4079e7ed457e266944debb55c5c629e8c2d83e64614e2a11380fddae0862711922bbd87174fcb19184b5e8ce60dd98f7d23766fa4ffa0ba3de36d37d62638e81a9c2392c8561f1a1a8e00d633a66b95fa821e740b0fa486df23337c9e3614b35ce2a3ed48a08e28f1d74cf6c09bb4f53ca3e5a863a22c08a5d5fe", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Insyde Software Corp., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Insyde Software Corp.", + "ValidFrom": "2012-12-28 00:00:00", + 
"ValidTo": "2016-01-27 23:59:59", + "Signature": "19cf4cfe8a901a2d50614d496664fcdaaa80098ec50cec3e3f56a3d08a399d96d13046789c8281a1a9bf1054c79351f73e091664da593dcd39ec4ad7077513b01270666042cb743d4cd2387b61067384d5ed20ee0773e7e61fc1a8a750c3882c6e64ad0f8819b91c19c50708510467ee34ac845fb0a68259e90c7dbef65dcc4b75c72fde8d954ef37d53bba6f00a40e1c85deeb81531772b07232f8e8fe791eac42ab152b5e970c008f14bdec7a7e1ac114bae73ae1ba4f3a525a169f37de670a9447f65653426abb77c6a8b7f91c2d5428a63059129ba94818d3f6cceac0e0790ddb23d56f598e0a9083fc8b92a3b100c0dc1729290ba44fb1538ac4cedf926", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", - "ValidFrom": "2015-04-24 21:46:24", - "ValidTo": "2018-04-24 21:46:23", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + "SerialNumber": "0355af7ef9418e476d877eecd9f9e9e2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "segwindrvx64.sys" + ], + "yara": true + }, + { + "Id": "dfce8b0f-d857-4808-80ef-61273c7a4183", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Dh_Kernel_10.sys binPath=C:\\windows\\temp\\Dh_Kernel_10.sys type=kernel && sc.exe start Dh_Kernel_10.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + 
}, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3.yara" }, { - "FileName": "iQVW64.SYS", - "MD5": "e1ebc6c5257a277115a7e61ee3e5e42f", - "SHA1": "b67945815e40b1cd90708c57c57dab12ed29da83", - "SHA256": "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1", + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Dh_Kernel_10.sys", + "MD5": "51207adb8dab983332d6b22c29fe8129", + "SHA1": "ddbe809b731a0962e404a045ab9e65a0b64917ad", + "SHA256": "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3", + "Signature": [ + "YY Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "YY Inc.", + "Company": "YY Inc.", + "Description": "dianhu", + "Product": "dianhu", + "ProductVersion": "1.0.99", + "FileVersion": "1.0.99", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "d6a18c98a17d12e0c8678cd0c1cc5fc6", - "SHA1": "d3f4a292c29d6c87b4744370a430889cba6ab093", - "SHA256": "83aad7f91c4ebec89fb63e60ccc05628281aa0439362097bd91c69f4b74470bb" + "MD5": "df4f1e566667e15b3d81c5c3e50e97ca", + "SHA1": "b92959042d232605abba254bc0368b87ec047079", + "SHA256": "c786f3ca229da18b2806af4d57ecad603859ee548549b19f71a623f477fc740e" }, - 
"Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "IA64", + "InternalName": "", + "Copyright": "Copyright © 2007-2017 YY Inc. All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "WDFLDR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeGetCurrentIrql", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", + "ExAllocatePool", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ProbeForRead", + "MmProbeAndLockPages", "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", + "MmMapLockedPages", "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "MmGetPhysicalAddress", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeTickCount", - "KeBugCheckEx", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", + "MmCreateMdl", "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IofCallDriver", "IoDeleteDevice", - "KeStallExecutionProcessor", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "KeQueryPerformanceCounter" + "IoDeleteSymbolicLink", + "KeInitializeSpinLock", + "ObfDereferenceObject", + "MmIsAddressValid", + "KeAttachProcess", + "KeDetachProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + 
"PsLookupProcessByProcessId", + "PsGetProcessSectionBaseAddress", + "__C_specific_handler", + "RtlCopyUnicodeString", + "DbgPrintEx", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IoFreeMdl", + "_stricmp", + "WdfVersionBindClass", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionUnbindClass" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=CN, ST=Guangdong, L=Guangzhou, O=YY Inc., OU=PM, CN=YY Inc.", + "ValidFrom": "2015-07-17 00:00:00", + "ValidTo": "2018-10-15 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2006-04-17 00:00:00", - "ValidTo": "2009-05-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "65680c783b728ab2a1880df4232ded32", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "53603f0f228be591521b9822ca852ad4", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "Dh_Kernel_10.sys" + ], + "yara": true + }, + { + "Id": "65660363-0080-4432-abd9-64368dac0283", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create t.sys binPath=C:\\windows\\temp\\t.sys type=kernel && sc.exe start t.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " 
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "iQVW64.SYS", - "MD5": "edbf206c27c3aa7d1890899dffcc03ec", - "SHA1": "3bb1dddb4157b6b8175fc6e1e7c33bef7870c500", - "SHA256": "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5", + "Filename": "t.sys", + "SHA256": "146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "t.sys" + ], + "yara": false + }, + { + "Id": "0d0d204b-f6ce-4ce4-8d76-1724a1676c3f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create Proxy32.sys binPath=C:\\windows\\temp\\Proxy32.sys type=kernel && sc.exe start Proxy32.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "Proxy32.sys", + "SHA256": "49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810", + "Signature": [], + 
"Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "Proxy32.sys" + ], + "yara": false + }, + { + "Id": "2cfede23-67f4-4af7-830f-c95ba30a43ae", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create WinIo64A.sys binPath=C:\\windows\\temp\\WinIo64A.sys type=kernel && sc.exe start WinIo64A.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WinIo64A.sys", + "SHA1": "0c74d09da7baf7c05360346e4c3512d0cd433d59", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIo64A.sys" + ], + "yara": false + }, + { + "Id": "79692987-1dd0-41a0-a560-9a0441922e5a", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsIO64.sys binPath=C:\\windows\\temp\\AsIO64.sys type=kernel && sc.exe start AsIO64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + 
"https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "AsIO64.sys", + "MD5": "8065a7659562005127673ac52898675f", + "SHA1": "fcde5275ee1913509927ce5f0f85e6681064c9d2", + "SHA256": "b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "23b096e4055705b360ce4c802fb5e36c", - "SHA1": "4d3d6c6932e2882067830b2167b994b169e536d1", - "SHA256": "e80597ea0d75e9198428c81ca5b4495bf11922dd29852a0a2e63998e36857746" + "MD5": "d593aec08f96fe410f7a6b53e49551a0", + "SHA1": "2ea631bfe3fd765e3a03b3165790faf8fdd8286b", + "SHA256": "906d8412b357379db9512e3f584fcda1f788acc1337e5b4d4eff5e6fa59324a6" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.1.0 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.1.0", - "Copyright": "Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeDelayExecutionThread", + "IofCompleteRequest", + "ZwUnmapViewOfSection", + "IoIs32bitProcess", "IoCreateSymbolicLink", "IoCreateDevice", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - 
"DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "RtlInitUnicodeString", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", "IoDeleteSymbolicLink", - "MmFreeContiguousMemory", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "DbgPrint", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", - "ValidFrom": "2015-09-28 19:41:01", - "ValidTo": "2016-09-27 19:41:01", - "Signature": "2e848fb2550d87edeeacf69dca78bc7ee5e795fd42baa6a313ef275d8d2e759cc65a18cd2377377e94a0ebb35a0102145417defb44dcf18f4dd77ee101906f3246ae512d7bb1e1dc4e40381a2c6ee4b4109167360f93b6694abc8c91dfec6b9da549d30c874b96a7f1217f5a4ee8093a880eb8aafbc2d9b58de2a71e8cb2fcf51d7133cf971410e9de26ad9a1b3516055847e9979af0c1fe4950fcd301d3f4170bf37660e3eb7f30197aad793158fee9958f2772eca1836e57bfd50c2c3dbf6cb6916e56f9a7e262f79d57c75993056f677ff60638475f9980b51f0916fea9e87e96778bb86cbb56425752eed78660e6e026728f8388d1e05f2cf54fd664c17e", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - 
"ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", - "ValidFrom": "2015-04-24 21:46:24", - "ValidTo": "2018-04-24 21:46:23", - "Signature": 
"8047f4f1adda6f2972314a83957d8317eaac6de7c512ffd6069d24346b58a697a0722a7e8f6fb1a3825f077b4115dcb2003b12b1e9cd47c2bce88061e702768706f101c55154b860d71ae231242724ec4e09a87e776f3b4ec14a432dd51da06908b867d874759885bdba067703d65975f064df053453abeaff8f46cc7f0dbf7a7f7771155314da26284645114a4b457556b9b86a7e6d656f6d5d07ad51c212a336d392a18508484a89594bf9433cc56f4a28f13cbb8c07911bbe7688519f20e4ee85acd6bcb40655e0e2d120af74a61f059d57fc51e7897c4b4c495d7e58b7a53f9f6e60ec746ffc1c83e50bb90b31f78c4623d0d3c6cabd94b092173f6d92493ea4109bef62b451cdd34855970eb7d46eff53faa9a5dfa86ce6827b4c6239ad91a6043965b86ded234fb7df1c1dd1999fb3f40cba71be3b0fdaf27b52094b4327aa4b0465dff988dfbaed910b737a4ef098c661896f0db44a438acd6ae50f2d8d52ab07b20bd11f7577a253a41d891bf853ba5d3900a496cdc1913eb3279ad47c07e02e0477afd8f1afbaa91ea4397e65a660baece3779e44a9db7638b84b76afdd6f42dcc7f5df4ede64b4dad08039849784a2faefe3537f587499af729480c29214c9cb5c7c58afd5a474ee319a892dc603d522fd5e588369f322c15c8dcd8848ecf1d203c48434736573ed50266127bd3b2a97189c05bb1bb70ff394ce11", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2007-07-03 00:00:00", + "ValidTo": "2008-07-26 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + "SerialNumber": "23eab3ac30c7016a299c8d31d99f3ae8", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] - }, + } + ], + "Tags": [ + "AsIO64.sys" + ], + "yara": false + }, + { + "Id": "9748d5c8-62dd-474b-a336-0aadb49e5ff9", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank3.sys binPath=C:\\windows\\temp\\daxin_blank3.sys type=kernel && sc.exe start daxin_blank3.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "iQVW64.SYS", - "MD5": "d0a5f9ace1f0c459cef714156db1de02", - "SHA1": "540b9f9a232b9d597138b8e0f33d83f5f6e247af", - "SHA256": "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54", + "Filename": "daxin_blank3.sys", + "MD5": "bd5b0514f3b40f139d8079138d01b5f6", + "SHA1": "73bac306292b4e9107147db94d0d836fdb071e33", + "SHA256": "7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376", + "Signature": "Unsigned", + "Date": "12:54 AM 11/18/2009", + "Publisher": "n/a", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", "Authentihash": { - "MD5": 
"a3680d04628485c4f6258dc95f4e8e76", - "SHA1": "a254c2464cf2f39e729125250fa80297de9dcf01", - "SHA256": "dcd4d4bee76aacba8792df291eb55cc716752bd7ddb51ecb9bec491b02f57c70" + "MD5": "800a604e6039d6dc93d68d116c38b640", + "SHA1": "75670f26e2df371741e8832012e06fdcd179b64c", + "SHA256": "afb9e6b70f707149e7243e41ffafbdda463da9a890c56091c454df60608efa0f" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.1.0 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.1.0", - "Copyright": "Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ + "NTOSKRNL.EXE", + "HAL.DLL", "ntoskrnl.exe", - "HAL.dll" + "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCompleteRequest", - "MmIsAddressValid", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "MmGetPhysicalAddress", - "DbgPrint", - "strncpy", - "vsprintf", - "IoFreeMdl", "MmMapLockedPagesSpecifyCache", + "ZwClose", + "IofCompleteRequest", + "KeResetEvent", + "InterlockedIncrement", + "KeSetEvent", + "InterlockedDecrement", + "RtlUnicodeStringToInteger", + "RtlInitUnicodeString", + "KeInitializeEvent", + "wcsncmp", + "wcscat", + "wcslen", + "wcscpy", "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "MmUnmapIoSpace", + "strlen", + "RtlCompareUnicodeString", + "IoFreeMdl", + "MmProbeAndLockPages", + "MmUnlockPages", "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "RtlInitUnicodeString", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", + "RtlFreeUnicodeString", + "ZwWriteFile", + "ZwCreateFile", + 
"RtlAnsiStringToUnicodeString", + "strcat", + "ZwReadFile", + "ZwQueryInformationFile", + "strncmp", + "_wcsnicmp", + "strcmp", + "_stricmp", + "MmGetSystemRoutineAddress", + "ZwQueryValueKey", "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeBugCheckEx", - "IoDeleteSymbolicLink", - "MmFreeContiguousMemory", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "KeQueryPerformanceCounter" + "IoCreateFile", + "KeWaitForMultipleObjects", + "strcpy", + "RtlUnwind", + "vsprintf", + "KeWaitForSingleObject", + "KeDelayExecutionThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "ObReferenceObjectByHandle", + "ExFreePool", + "KeInitializeSpinLock", + "KeTickCount", + "memset", + "memcpy", + "MmMapLockedPages", + "ExAllocatePoolWithTag", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "PsGetVersion", + "ZwTerminateProcess", + "ZwOpenProcess", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwWaitForSingleObject", + "NtFsControlFile", + "NtWriteFile", + "NtReadFile", + "RtlLengthRequiredSid", + "RtlImageDirectoryEntryToData", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "PsLookupProcessByProcessId", + "KeAttachProcess", + "KeDetachProcess", + "PsLookupThreadByThreadId", + "KeInitializeApc", + "KeInsertQueueApc", + "ZwOpenFile", + "ZwDeviceIoControlFile", + "PsThreadType", + "NtQuerySystemInformation", + "NdisAllocateMemory", + "NdisAllocatePacket", + "NdisCopyFromPacketToPacket", + "NdisFreePacket", + "NdisAllocateBuffer", + "NdisDeregisterProtocol", + "NdisRegisterProtocol", + "NdisAllocateBufferPool", + "NdisAllocatePacketPool", + "NdisFreeBufferPool", + "NdisFreePacketPool", + "NdisFreeMemory" ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Intel Network Drivers", - 
"ValidFrom": "2014-09-25 20:18:50", - "ValidTo": "2015-09-25 20:18:50", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "47bb93e603b1d9570eff60e90fc75e86e623f7defa6dc27732ef23f68fcc6f2572d4a94bad11a273bb8bd2b7b8879474890ccc5cea3a9ac0753a97597c22003d7ac7c55be8d49313ec8f94cda833dfa4d79aa1c8d8a3b4497e173a02e96656978d16b470abbc6b1048e7457b13c74d05bca02c0516be067ef679678f9c3454e67eea197714f19d3b55e4339f69bba7a72254512c677d0452aa7b66dea96aad8ca15c7939cd1c85ec890699854627a001576e93365145e15a3a59af5b41f9709dc4160e05e795b401b4931a590b8a31f7b648c86af6228c9e92286fa893b4a772533ada2cfad43dbf09237fdfcc652ad091aa5031c865f53858d4b39be6311008", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "8032dc078d1ca09c9d3c2ae83d218b59a14d7ecc44ce03be7eaabcc4e67b73bb4bf188da904e7537283863b9d72b0f54a956ce7739973073cd9bd9d905451c8da4b8035d4fd91c2e98e0e988e6ecd7057e562a7bf7165ba3ad8f972512841bb25c634a0ad2ef10544782843569289c0ce41f141624fa75dc74726e4ecae36a43afcf7d3648d1bde906912c2fa6c871fdcfbdd89d2198fcafdbde228cafa7f377ef9ddca3704b441af078851ef2a58c39b5dc881c37edad14f5070b26bdbe6d025eb1b8b0586c853a0df6ff5a270cc5de53e7543c564cc94e4c30f6f25cfb1a8cc282bead5991f61b4d557bcf5b01dcfd7ad36f235c32479b01f3c15114468a9b", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - 
}, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "330000b4a079accd956034e6ae00020000b4a0", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" - } - ] - } - ] + "Signatures": {} + } + ], + "Tags": [ + "daxin_blank3.sys" + ], + "yara": false + }, + { + "Id": "47724cc1-bf75-4ab7-a47a-355a9aa30de1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BSMIx64.sys binPath=C:\\windows\\temp\\BSMIx64.sys type=kernel && sc.exe start BSMIx64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9.yara" }, { - "FileName": "iQVW64.SYS", - "MD5": "cebf532d1e3c109418687cb9207516ad", - "SHA1": "444a2b778e2fc26067c49dde0aff0dcfb85f2b64", - "SHA256": "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7", + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BSMIx64.sys", + "MD5": "444f538daa9f7b340cfd43974ed43690", + "SHA1": "c6bd965300f07012d1b651a9b8776028c45b149a", + "SHA256": "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9", + "Signature": [ + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "SMI Driver", + "Product": "", + "ProductVersion": "1.0.0.3", + "FileVersion": "1.0.0.3", + "MachineType": "AMD64", + "OriginalFilename": "BSMI.sys", "Authentihash": { - "MD5": "e6245e7df4ae8bd2e49e0f41d3fad7fc", - "SHA1": "73d3fbb52669d917c11808919817d8d97681c6ac", - "SHA256": "1452103306895429c54ba1735800b8c8694c3165cdef32ca12ed6ce348019292" + "MD5": "72a5a1e2fc2713cfa0d159485ce1253c", + "SHA1": "b978b3595a1a8cb5a345bce980178e8abf5e0bae", + "SHA256": "15bc804877a607ba0d017df9f6ac951ac7ffbcca8069c5ba28e0cf505f7553b8" }, - "Description": "Intel(R) Network Adapter Diagnostic Driver", - "Company": "Intel Corporation ", - "InternalName": "iQVW64.SYS", - "OriginalFilename": "iQVW64.SYS", - "FileVersion": "1.03.0.4 built by: WinDDK", - "Product": "Intel(R) iQVW64.SYS", - "ProductVersion": "1.03.0.4", - "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", - "MachineType": "IA64", + "InternalName": "BSMI.sys", + 
"Copyright": "Copyright (C) BIOSTAR Corp. 2011", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeGetCurrentIrql", - "DbgPrint", - "sprintf", - "vsprintf", - "IoFreeMdl", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "IoDeleteDevice", "MmUnmapIoSpace", - "MmUnmapLockedPages", - "MmAllocateContiguousMemory", - "MmFreeContiguousMemory", - "MmMapIoSpace", - "ObfDereferenceObject", - "KeWaitForSingleObject", "MmGetPhysicalAddress", - "IoBuildSynchronousFsdRequest", - "KeInitializeEvent", - "ZwClose", - "RtlFreeAnsiString", - "strstr", - "RtlUnicodeStringToAnsiString", - "ZwEnumerateValueKey", - "ZwOpenKey", - "wcsncpy", - "IoGetDeviceObjectPointer", - "IoGetDeviceInterfaces", - "ObReferenceObjectByPointer", - "KeTickCount", - "KeBugCheckEx", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", + "MmMapIoSpace", "IofCompleteRequest", - "IoCreateDevice", "IoCreateSymbolicLink", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "IofCallDriver", - "IoDeleteDevice", - "KeStallExecutionProcessor", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "KeQueryPerformanceCounter" + "IoCreateDevice", + "RtlAssert", + "DbgPrint", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , 
G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - 
"ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -82908,17 +77731,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", - "ValidFrom": "2006-04-17 00:00:00", - "ValidTo": "2009-05-31 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2010-09-19 00:00:00", + "ValidTo": "2013-10-19 23:59:59", + "Signature": "06b346c5f71bba225d131ad7b037d6c016703a8f3d89746a2d49e5641a0ccd4034c78e4a5a756380d88cf8321b3c886cb5e2656c16c03cff1588b126a7d206fd98fd7e2d61cc80998dfb58d4652112aa258506f779543fcc0b72c06f2174f11bb01017a5c49ae4b31fd913cee75241022e7c5bd14ffff2dbe5f9c211b1a8b3bd9cc3cb5648712c5b57397f136c105148021299be4d99ba1c29d611adb10695d4565a697efe03e6c95d869883c63dffb2fac5f3db7612608f6ee7a59646031231292c7904d69bd997c266ad2f1bca7e35453a08e53d8d9e302b9bbeeca812c64f03bc641cdeb7c5ba70999724f7d92918f1f8a8657f95290cc16ee0e281a785e7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "65680c783b728ab2a1880df4232ded32", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } 
@@ -82926,27 +77749,71 @@ } ], "Tags": [ - "iQVW64.SYS" - ] + "BSMIx64.sys" + ], + "yara": true }, { - "Id": "7e80423f-8b30-4ee2-b904-9f5421826a8c", + "Id": "c2e70ee6-2f13-4d43-ad5a-c2bf033cc457", "Author": "Michael Haag", - "Created": "2023-02-28", + "Created": "2023-01-09", "MitreID": "T1068", - "Category": "malicious", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create d4.sys binPath=C:\\windows\\temp\\d4.sys type=kernel && sc.exe start d4.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "d4.sys", + "SHA256": "823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "d4.sys" + ], + "yara": false + }, + { + "Id": "1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create daxin_blank.sys binPath=C:\\windows\\temp\\daxin_blank.sys type=kernel && sc.exe start daxin_blank.sys", - "Description": "Driver used in the Daxin malware campaign.", + "Command": "sc.exe create msrhook.sys binPath=C:\\windows\\temp\\msrhook.sys type=kernel && sc.exe start msrhook.sys", + "Description": "", "Usecase": "Elevate privileges", 
"Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", - "" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { "Person": "", @@ -82955,13 +77822,17 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "daxin_blank.sys", - "MD5": "62c18d61ed324088f963510bae43b831", - "SHA1": "8302802b709ad242a81b939b6c90b3230e1a1f1e", - "SHA256": "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530", - "Signature": "Signed", - "Date": "7:07 AM 1/23/2013", - "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Filename": "msrhook.sys", + "MD5": "c49a1956a6a25ffc25ad97d6762b0989", + "SHA1": "89909fa481ff67d7449ee90d24c167b17b0612f1", + "SHA256": "6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492", + "Signature": [ + "ID TECH", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", "Company": "", "Description": "", "Product": "", 
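Review bot: The new `d4.sys` record in this hunk carries only a `SHA256` — no `MD5`, `SHA1` or `Authentihash` keys — while the neighbouring samples have all of them, so any consumer that indexes samples by MD5/SHA1 has to treat a missing key as absent rather than as an empty-string hash, or it will match unrelated files on `""`. The added `"yara": true` / `"yara": false` field is a lowercase boolean next to the PascalCase string `"Verified": "FALSE"`, which is two conventions for flags in one object; keeping the upstream name is fine, but the consumer should not assume both are strings. The `Resources` list also repeats the same URL twice, once with a leading space (` https://learn.microsoft.com/...`), which a trim-and-dedupe step on import would remove. Since these records are vendored from upstream, those checks belong in the import step rather than in hand edits to this file.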
@@ -82970,100 +77841,45 @@ "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "253bde63495fa4f995a6debae44e598e", - "SHA1": "57391d4c4e30f91e3e780d5242fd98a178ec67ac", - "SHA256": "a000d211840cb8fbcbf95c334b1d04eadb45ba03b0413c96472e47e9e22413ff" + "MD5": "172df59ed493cc10ccca27239ff3b4e3", + "SHA1": "ccce82f52142229c88746b06b198ea5c5e058961", + "SHA256": "37e33b54de1bbe4cf86fa58aeec39084afb35e0cbe5f69c763ecaec1d352daa0" }, "InternalName": "", "Copyright": "", "Imports": [ "ntoskrnl.exe", - "NDIS.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "wcsncmp", - "DbgPrint", - "IoAllocateMdl", - "_stricmp", - "sprintf", - "RtlLengthRequiredSid", - "ExAllocatePoolWithTag", - "vsprintf", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "RtlAnsiStringToUnicodeString", - "NtWriteFile", - "RtlCreateAcl", - "PsLookupProcessByProcessId", - "NtQuerySystemInformation", - "_wcsnicmp", - "ZwReadFile", - "RtlSetDaclSecurityDescriptor", - "KeInitializeApc", - "IoDeleteDevice", - "NtFsControlFile", - "KeInsertQueueApc", - "MmGetSystemRoutineAddress", - "IoCreateFile", - "ZwQuerySystemInformation", + "KeInitializeEvent", + "KeDelayExecutionThread", + "KeSetPriorityThread", + "KeInitializeSpinLock", + "KeAcquireSpinLockRaiseToDpc", "KeReleaseSpinLock", - "RtlAddAccessAllowedAce", - "RtlImageDirectoryEntryToData", - "KeDetachProcess", - "ZwOpenFile", - "ZwWaitForSingleObject", - "ZwCreateFile", + "KeQueryTimeIncrement", "PsCreateSystemThread", - "ZwQueryValueKey", "PsTerminateSystemThread", - "ZwFreeVirtualMemory", - "KeQueryTimeIncrement", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "KeAttachProcess", - "PsGetVersion", - "PsThreadType", - "RtlCompareUnicodeString", - "ZwOpenProcess", - "ZwQueryInformationProcess", + "IoAttachDeviceToDeviceStack", + "IofCallDriver", + "IofCompleteRequest", + "DbgPrint", "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoDetachDevice", + "PoCallDriver", + 
"PoStartNextPowerIrp", "ObfDereferenceObject", - "IoCreateDevice", - "ZwTerminateProcess", - "ZwQueryInformationFile", - "KeWaitForMultipleObjects", - "ZwWriteFile", - "NtReadFile", - "PsLookupThreadByThreadId", - "RtlLengthSid", - "RtlCreateSecurityDescriptor", - "ZwAllocateVirtualMemory", - "ZwOpenKey", - "KeAcquireSpinLockRaiseToDpc", - "RtlUnicodeStringToInteger", - "MmIsAddressValid", - "PsGetCurrentProcessId", - "ZwDeviceIoControlFile", - "IofCompleteRequest", "ZwClose", - "MmMapLockedPagesSpecifyCache", - "MmUserProbeAddress", - "MmBuildMdlForNonPagedPool", - "memchr", - "KeDelayExecutionThread", + "ObReferenceObjectByName", + "__C_specific_handler", + "IoDriverObjectType", + "IoCreateDevice", "RtlInitUnicodeString", - "NdisAllocateMemoryWithTag", - "NdisAllocateNetBufferAndNetBufferList", - "NdisMSendNetBufferListsComplete", - "NdisReturnNetBufferLists", - "NdisAllocateNetBufferListPool", - "NdisFreeMemory", - "NdisCopyFromNetBufferToNetBuffer", - "NdisFreeMdl", - "NdisFreeNetBufferListPool", - "NdisFreeNetBufferList", - "NdisSendNetBufferLists" + "KeStallExecutionProcessor" ], "Signatures": [ { @@ -83085,10 +77901,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", - "ValidFrom": "2011-06-28 00:00:00", - "ValidTo": "2014-06-27 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=California, L=Cypress, O=ID TECH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ID TECH", + "ValidFrom": "2013-03-19 00:00:00", + "ValidTo": "2016-04-17 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -83108,7 +77924,7 @@ ], "Signer": [ { - "SerialNumber": "387c9476e28320264594846317d46540", + "SerialNumber": "15bd213c3742423afdeae3990f694e8e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -83117,61 +77933,19 @@ } ], "Tags": [ - "daxin_blank.sys" - ] - }, - { - "Id": "adfb015a-f453-4b9e-a247-50f146209eb0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create b3.sys binPath=C:\\windows\\temp\\b3.sys type=kernel && sc.exe start b3.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "b3.sys", - "SHA256": "708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } + "msrhook.sys" ], - "Tags": [ - "b3.sys" - ] + "yara": false }, { - "Id": "e4609b54-cb25-4433-a75a-7a17f43cec00", + "Id": "91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create HwRwDrv.sys binPath=C:\\windows\\temp\\HwRwDrv.sys type=kernel && sc.exe start HwRwDrv.sys", + "Command": "sc.exe create inpoutx64.sys binPath=C:\\windows\\temp\\inpoutx64.sys type=kernel && sc.exe start inpoutx64.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", 
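Review bot: The `b3.sys` record (SHA256 `708016fb…`) disappears at this position and the entry that follows now describes a different driver with a different `Id` (`e4609b54…` → `91ff1575…`), which suggests the array is re-ordered on each upstream sync rather than updated in place — the same pattern appears in the hunk at the `@@ -82926` header. I cannot tell from this hunk whether `b3.sys` was moved elsewhere in the file or genuinely dropped; if it was not intentionally retired, confirm it still appears before merging, since a silently lost block-list entry is a detection gap. Sorting the array by a stable key at import time (the record `Id` or the sample `SHA256`) would keep future updates to this file reviewable as real additions and removals.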
@@ -83185,52 +77959,274 @@ "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "HwRwDrv.sys", - "MD5": "dbc415304403be25ac83047c170b0ec2", - "SHA1": "2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b", - "SHA256": "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21", + "Filename": "inpoutx64.sys", + "MD5": "4d487f77be4471900d6ccbc47242cc25", + "SHA1": "cc0e0440adc058615e31e8a52372abadf658e6b1", + "SHA256": "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d", "Signature": [ - "Shuttle Inc.", + "RISINTECH INC.", "VeriSign Class 3 Code Signing 2010 CA", "VeriSign" ], "Date": "", - "Publisher": "Shuttle Inc.", - "Company": "Windows® winows 7 driver kits provider", - "Description": "Hardware read & write 
driver", - "Product": "Hardware read & write driver", - "ProductVersion": "1.0.5.0", - "FileVersion": "1.0.5.0", + "Publisher": "", + "Company": "Highresolution Enterprises [www.highrez.co.uk]", + "Description": "Kernel level port access driver", + "Product": "inpoutx64 Driver Version 1.2", + "ProductVersion": "1.2 x64", + "FileVersion": "1.2 x64 built by: WinDDK", "MachineType": "AMD64", - "OriginalFilename": "HwRwDrv.sys", + "OriginalFilename": "inpoutx64.sys", "Authentihash": { - "MD5": "62d9c8a109afc08e2858d98df9776850", - "SHA1": "7beb26c59b8d1b9540c6fae7c05c2b1cc2537e54", - "SHA256": "d852810a7319e3249077a1b9f1317f6f4157a19bb99b90063d118c30c2c84ac2" + "MD5": "c21e45ae33d6b1f864a276a13ba3aaeb", + "SHA1": "94b9b91a2acc786b54e8dbc11b759b05bc15fc3f", + "SHA256": "9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8" + }, + "InternalName": "inpoutx64.sys", + "Copyright": "Copyright (c) 2008 Highresolution Enterprises. Portions Copyright (c) Logix4u", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "IoDeleteDevice", + "ZwUnmapViewOfSection", + "ZwClose", + "IofCompleteRequest", + "ZwMapViewOfSection", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ZwOpenSection", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, 
O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taoyuan, O=RISINTECH INC., CN=RISINTECH INC.", + "ValidFrom": "2014-08-18 00:00:00", + "ValidTo": "2016-09-16 23:59:59", + "Signature": "6a61ffd5f53a7447d463fc322233c8e9acc481ddd0b6572729c3e6968ecd5a27f5eddc35572c842f2cba648295c49480e90fe888b910491b25a35a70f477a011ec32434e21a3b4b7c6a430d0ef5d701fc1c6e3e7e40ba18eb6c4daeb54fc93fb074c79f09fc363e70ea74e0f6be6473af423c1d1e38ae26367fbc9fa4d3cefcc8edb1b83fa230e2a41c90236315486abbdd2b9ca62d59e3669444d4ad6ce3fd68a430d7a70544720c880d31e59a12fd66352cd15fa30808db554c407423c92ea6a20e7bb75a01b3f4691df49da583f679126c60b4bb154296ff09fefe146b907c4f7fe4ecca86944ad3acf06638fcc029c443ab009878fb6129776e0694e78bd", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "08aa09e04443e946331fd1cfe085f12d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "inpoutx64.sys", + "MD5": "5ca1922ed5ee2b533b5f3dd9be20fd9a", + "SHA1": "5520ac25d81550a255dc16a0bb89d4b275f6f809", + "SHA256": "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af", + "Signature": [ + "RISINTECH INC.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Highresolution Enterprises [www.highrez.co.uk]", + "Description": "Kernel level port access driver", + "Product": "inpoutx64 Driver Version 1.2", + "ProductVersion": "1.2 x64", + "FileVersion": "1.2 x64 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "inpoutx64.sys", + "Authentihash": { + "MD5": "c21e45ae33d6b1f864a276a13ba3aaeb", + "SHA1": "94b9b91a2acc786b54e8dbc11b759b05bc15fc3f", + "SHA256": "9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8" + }, + "InternalName": "inpoutx64.sys", + "Copyright": "Copyright (c) 2008 Highresolution Enterprises. 
Portions Copyright (c) Logix4u", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "IoDeleteDevice", + "ZwUnmapViewOfSection", + "ZwClose", + "IofCompleteRequest", + "ZwMapViewOfSection", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ZwOpenSection", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taoyuan, O=RISINTECH INC., CN=RISINTECH INC.", + "ValidFrom": "2014-08-18 00:00:00", + "ValidTo": "2016-09-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "08aa09e04443e946331fd1cfe085f12d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "inpoutx64.sys", + "MD5": "9321a61a25c7961d9f36852ecaa86f55", + "SHA1": "6afc6b04cf73dd461e4a4956365f25c1f1162387", + "SHA256": "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b", + "Signature": [ + "Red Fox UK Limited", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "Highresolution Enterprises [www.highrez.co.uk]", + "Description": "Kernel level port access driver", + "Product": "inpoutx64 Driver Version 1.2", + "ProductVersion": "1.2 x64", + "FileVersion": "1.2 x64 built by: WinDDK", + 
"MachineType": "AMD64", + "OriginalFilename": "inpoutx64.sys", + "Authentihash": { + "MD5": "ad4eff45cdb0b12af3990945afff9a8f", + "SHA1": "8e1f51761f21148f68ac925cc5f9e9c78f3d5ec4", + "SHA256": "d61ce5874adb89b4e992df8df879b568d9c4136df568718a768cd807d789a726" }, - "InternalName": "HwRwDrv.sys", - "Copyright": "Copyright© Microsoft Corporation. All rights reserved.", + "InternalName": "inpoutx64.sys", + "Copyright": "Copyright (c) 2008 Highresolution Enterprises. Portions Copyright (c) Logix4u", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", "IoDeleteDevice", + "ZwUnmapViewOfSection", + "IoCreateSymbolicLink", "IoCreateDevice", "KeBugCheckEx", - "RtlInitUnicodeString", - "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ZwOpenSection", + "IofCompleteRequest", + "HalTranslateBusAddress" ], "Signatures": [ { @@ -83238,10 +78234,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
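Review bot: The new `Detection` entries on the inpoutx64.sys record are branch-relative GitHub page URLs (`https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/...`, `.../sigma/driver_load_win_vuln_drivers.yml`, `.../sysmon/sysmon_config_vulnerable_hashes_block.xml`), which return HTML rather than the rule text and track whatever `main` holds at fetch time. If the tool only prints them as references that is harmless; if anything ever dereferences them to pull YARA/Sigma/Sysmon content, they should be pinned to a commit (`raw.githubusercontent.com/magicsword-io/LOLDrivers/<commit-sha>/detections/...`) so that an upstream rule change or branch compromise cannot silently alter what this tool blocks, and the fetched body should be checked against a recorded digest. A short comment in the Go loader documenting that these URLs are display-only (or the pinning policy) would settle the question for the next maintainer. Separately, the record now carries both `Signature` (a flat list of signer names) and `Signatures` (the parsed certificate chains); the near-identical keys with different shapes are easy to confuse and worth a note in the struct definition.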
@@ -83252,31 +78248,31 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Shuttle Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shuttle Inc.", - "ValidFrom": "2012-03-08 00:00:00", - "ValidTo": "2013-03-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=GB, ST=London, L=London, O=Red Fox UK Limited, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Development, CN=Red Fox UK Limited", + "ValidFrom": "2008-10-09 00:00:00", + "ValidTo": "2009-10-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "160cb9192dc4e0fde5cbaf859feae671", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "620cbcba5648e27b80aef5226ee67fce", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -83284,92 +78280,115 @@ } ], "Tags": [ - "HwRwDrv.sys" - ] + "inpoutx64.sys" + ], + "yara": true }, { - "Id": "1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3", + "Id": "1b98a160-2e7a-4969-8c8a-4e44949191bf", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create msrhook.sys binPath=C:\\windows\\temp\\msrhook.sys type=kernel && sc.exe start msrhook.sys", + "Command": "sc.exe create rtkio.sys binPath=C:\\windows\\temp\\rtkio.sys type=kernel && sc.exe start rtkio.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" ], "Acknowledgement": { "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "Filename": "msrhook.sys", - "MD5": "c49a1956a6a25ffc25ad97d6762b0989", - "SHA1": 
"89909fa481ff67d7449ee90d24c167b17b0612f1", - "SHA256": "6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492", + "Filename": "rtkio.sys", + "MD5": "daf800da15b33bf1a84ee7afc59f0656", + "SHA1": "166759fd511613414d3213942fe2575b926a6226", + "SHA256": "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82", "Signature": [ - "ID TECH", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "Realtek Semiconductor Corp.", + "DigiCert EV Code Signing CA", + "DigiCert" ], "Date": "", "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "Company": "Windows (R) Codename Longhorn DDK provider", + "Description": "Realtek IODriver", + "Product": "Windows (R) Codename Longhorn DDK driver", + "ProductVersion": "6.0.6000.16386", + "FileVersion": "6.0.6000.16386 built by: WinDDK", + "MachineType": "I386", + "OriginalFilename": "rtkio.sys", "Authentihash": { - "MD5": "172df59ed493cc10ccca27239ff3b4e3", - "SHA1": "ccce82f52142229c88746b06b198ea5c5e058961", - "SHA256": "37e33b54de1bbe4cf86fa58aeec39084afb35e0cbe5f69c763ecaec1d352daa0" + "MD5": "d543d754cbb1d404d62b6c574a1aa3cd", + "SHA1": "daca8d39b72bbe8a5b6d5fa35bbb4ecef198a359", + "SHA256": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b" }, - "InternalName": "", - "Copyright": "", + "InternalName": "rtkio.sys", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeEvent", - "KeDelayExecutionThread", - "KeSetPriorityThread", - "KeInitializeSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "KeQueryTimeIncrement", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "IoAttachDeviceToDeviceStack", - "IofCallDriver", - "IofCompleteRequest", + "KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "ExAllocatePool", "DbgPrint", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "IoAllocateMdl", + "MmMapIoSpace", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoDetachDevice", - "PoCallDriver", - "PoStartNextPowerIrp", - "ObfDereferenceObject", - "ZwClose", - "ObReferenceObjectByName", - "__C_specific_handler", - "IoDriverObjectType", "IoCreateDevice", + "KeTickCount", + "IoFreeMdl", + "MmUnmapIoSpace", + "ExFreePoolWithTag", "RtlInitUnicodeString", - "KeStallExecutionProcessor" + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "MmBuildMdlForNonPagedPool", + "IofCompleteRequest", + "RtlUnwind", + "KeBugCheckEx", + "WRITE_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "READ_PORT_UCHAR", + "KeStallExecutionProcessor", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT" ], "Signatures": [ { 
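Review bot: This hunk introduces a native JSON boolean (`"yara": true` closing the inpoutx64.sys record) while the adjacent rtkio.sys record keeps a string-typed boolean (`"Verified": "TRUE"`, context line), so the same document now expresses yes/no two different ways and a consumer must special-case one of them. Because the Go side presumably unmarshals `Verified` as a string, any filtering on it should compare case-insensitively (`strings.EqualFold(d.Verified, "TRUE")`) or the field should be decoded through a small custom type that accepts both `"TRUE"`/`"FALSE"` and real booleans, with the struct tag documenting that upstream emits strings here. The rtkio.sys import list added in this hunk (`MmMapIoSpace`, `READ_PORT_*`, `WRITE_PORT_*`) is consistent with the physical-memory and I/O-port access that makes such a driver worth blocking, so `Verified` being machine-usable matters for this entry.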
@@ -83377,45 +78396,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 
2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2016-06-13 00:00:00", + "ValidTo": "2019-01-24 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Cypress, O=ID TECH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ID TECH", - "ValidFrom": "2013-03-19 00:00:00", - "ValidTo": "2016-04-17 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, 
O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "15bd213c3742423afdeae3990f694e8e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0320be3eb866526927f999b97b04346e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } 
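Review bot: The Realtek leaf-certificate Subject added here is lossy: it is rendered with `??=` placeholders (`??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, ...`), meaning the extractor did not decode the EV jurisdiction/businessCategory attributes, so this string will never equal what Windows, `signtool` or `Get-AuthenticodeSignature` reports for the same certificate. Any matching against signing identity in this record should therefore key on the `Signer` pair (`"SerialNumber": "0320be3eb866526927f999b97b04346e"` with the `DigiCert EV Code Signing CA` issuer) rather than on `Certificates[].Subject`, and the loader comment should say that Subject strings are informational only. Re-extracting with the unknown attribute OIDs printed in dotted form would remove the ambiguity at the source.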
@@ -83423,152 +78442,213 @@ } ], "Tags": [ - "msrhook.sys" - ] + "rtkio.sys" + ], + "yara": true }, { - "Id": "56cdac8e-d87d-49c8-b281-6e096c2390d1", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "ca768fc5-9b5c-4ced-90ab-fd6be9a70199", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create gvcidrv64.sys binPath=C:\\windows\\temp\\gvcidrv64.sys type=kernel && sc.exe start gvcidrv64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create amp.sys binPath=C:\\windows\\temp\\amp.sys type=kernel && sc.exe start amp.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", + "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], 
"KnownVulnerableSamples": [ { - "FileName": "gvcidrv64.sys", - "MD5": "1a22a85489a94db6ff68cd624ef43bad", - "SHA1": "d302ae7f016299af323a3542d840004888ab91ff", - "SHA256": "a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48", + "Filename": "amp.sys", + "MD5": "c533d6d64b474ffc3169a0e0fc0a701a", + "SHA1": "3f223581409492172a1e875f130f3485b90fbe5f", + "SHA256": "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "CYREN Inc.", + "Description": "AMP Minifilter", + "Product": "CYREN AMP 5", + "ProductVersion": "5.4.11.1", + "FileVersion": "5.4.11.1", + "MachineType": "AMD64", + "OriginalFilename": "amp.sys", "Authentihash": { - "MD5": "ad8e307b0233a1b6548414390c31f9af", - "SHA1": "4a04ad93f7f4dccca551dc0fea7b9b22f557e39b", - "SHA256": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67" + "MD5": "74ee74d20c3afc42d7722a88aacf3671", + "SHA1": "87a84133f5e4c12d2d4a42fcc3be84b43a6202b5", + "SHA256": "a37371c4e62f106e7da03fd5bdd6f12ecdf7fcaf1195dbf9fb7ef6eb456a7506" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "AMP", + "Copyright": "Copyright © 1999 - 2014. CYREN Inc. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "ObQueryNameString", + "RtlIntegerToUnicodeString", + "IoGetCurrentProcess", + "_strnicmp", + "MmIsAddressValid", + "_strupr", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "KeEnterCriticalRegion", + "ExAcquireResourceSharedLite", + "ExReleaseResourceForThreadLite", + "KeLeaveCriticalRegion", + "ExAcquireResourceExclusiveLite", + "wcschr", + "wcsrchr", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ExUuidCreate", "ObReferenceObjectByHandle", - "IoCreateSymbolicLink", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "IoCreateDevice", - "IofCompleteRequest", + "_wcsupr", + "wcsncmp", + "IoGetTopLevelIrp", + "IoSetTopLevelIrp", + "IoGetStackLimits", + "ObfReferenceObject", + "ZwOpenDirectoryObject", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlFreeUnicodeString", + "KeSetEvent", + "RtlTimeToTimeFields", + "swprintf", + "_wcsicmp", + "ExSystemTimeToLocalTime", + "KeWaitForMultipleObjects", + "KeResetEvent", + "PsTerminateSystemThread", + "PsGetCurrentProcessId", + "wcsncpy", + "PsCreateSystemThread", + "PsGetCurrentThreadId", + "ZwOpenProcess", + "ZwQueryInformationProcess", + "IoAllocateErrorLogEntry", + "IoWriteErrorLogEntry", + "IoAllocateWorkItem", + "IoQueueWorkItem", + "IoFreeWorkItem", + "ExReleaseResourceLite", + "ZwCreateKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlInitAnsiString", + "RtlAnsiStringToUnicodeString", + "RtlUnicodeStringToAnsiString", "RtlCopyUnicodeString", - "DbgPrint", - "ZwClose", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "KeWaitForSingleObject", + "IofCallDriver", + "KeInitializeEvent", + "RtlCompareString", + "RtlInitString", + 
"ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "IofCompleteRequest", + "IoIs32bitProcess", + "ZwLoadDriver", + "ZwUnloadDriver", "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionUnbindClass", - "WdfVersionBindClass" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] - }, - { - "FileName": "GVCIDrv64.sys", - "MD5": "acd221ff7cf10b6117fd609929cde395", - "SHA1": "1586f121d38cc42e5d04fe2f56091e91c6cdd8fa", - "SHA256": "f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573", - "Authentihash": { - "MD5": "ad8e307b0233a1b6548414390c31f9af", - "SHA1": "4a04ad93f7f4dccca551dc0fea7b9b22f557e39b", - "SHA256": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", "IoCreateSymbolicLink", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", "IoCreateDevice", - "IofCompleteRequest", - "RtlCopyUnicodeString", - "DbgPrint", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "ZwClose", - "RtlInitUnicodeString", - "HalTranslateBusAddress", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionUnbindClass", - "WdfVersionBindClass" + "ExAllocatePool", + "ZwCreateFile", + "ExFreePool", + "RtlUnicodeStringToInteger", + "strncmp", + "_wcsnicmp", + "strchr", + "KeReleaseSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "ExInitializeNPagedLookasideList", + "ExpInterlockedPushEntrySList", + "ExpInterlockedPopEntrySList", + "ExDeletePagedLookasideList", + "ExQueryDepthSList", + "ExInitializePagedLookasideList", + "ExDeleteNPagedLookasideList", + "__C_specific_handler", + "_local_unwind", + "FltGetVolumeFromInstance", + "FltSetCallbackDataDirty", + "FltGetFileNameInformation", + 
"FltReleaseFileNameInformation", + "FltGetVolumeProperties", + "FltStartFiltering", + "FltRegisterFilter", + "FltGetRoutineAddress", + "FltGetDiskDeviceObject", + "FltUnregisterFilter", + "FltGetTunneledName", + "FltGetDestinationFileNameInformation", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltCancelFileOpen", + "FltCreateFile", + "FltObjectReference", + "FltReleaseContext", + "FltSetInstanceContext", + "FltAllocateContext", + "FltGetInstanceContext", + "FltEnumerateInstances", + "FltGetVolumeFromName", + "FltObjectDereference", + "FltGetFileNameInformationUnsafe", + "FltQueryInformationFile", + "FltClose", + "FltFlushBuffers" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
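Review bot: The amp.sys sample added here (`SHA256 cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6`) has `"Signature": []`, yet the same record's `Signatures` block, which opens at the end of this hunk and continues in the next with a Commtouch, Inc. signer under the VeriSign Class 3 Code Signing 2010 CA, shows the file is signed; a consumer that treats an empty `Signature` list as "unsigned" will misclassify this sample. Either the flat `Signature` summary should be derived from `Signatures[].Signer` at load time, or the struct should document that `Signature` may be empty even for signed files and must not be used as the signed/unsigned signal. This hunk also removes the gvcidrv64.sys/GVCIDrv64.sys record entirely (samples `a2353030...` and `f85784fa...`, Microsoft Windows Hardware Compatibility Publisher chain); unless those hashes reappear elsewhere in the file, the bundled list loses a widely abused driver, which should be confirmed before merging.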
@@ -83586,24 +78666,31 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=?????????, ??=NEW TAIPEI, ??=Private Organization, serialNumber=22044755, C=TW, L=NEW TAIPEI, O=GIGA,BYTE Technology Co., Ltd., CN=GIGA,BYTE Technology Co., Ltd.", - "ValidFrom": "2018-12-07 00:00:00", - "ValidTo": "2021-12-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Virginia, L=McLean, O=Commtouch, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R&D, CN=Commtouch, Inc.", + "ValidFrom": "2013-11-19 00:00:00", + "ValidTo": "2017-01-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4f8eefa0dcc85bbd656ab0f160743d34", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" + "SerialNumber": "560e308d590a10d941619020e45e2c2b", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -83611,27 +78698,27 @@ } ], "Tags": [ - "gvcidrv64.sys" - ] + "amp.sys" + ], + "yara": true }, { - "Id": "1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548", + "Id": "0f6c3a28-4d04-474b-a098-37383f984686", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create kprocesshacker.sys binPath=C:\\windows\\temp\\kprocesshacker.sys type=kernel && sc.exe start kprocesshacker.sys", + "Command": "sc.exe create WinIO32.sys binPath=C:\\windows\\temp\\WinIO32.sys type=kernel && sc.exe start WinIO32.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
@@ -83640,120 +78727,120 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "kprocesshacker.sys", - "MD5": "1b5c3c458e31bede55145d0644e88d75", - "SHA1": "a21c84c6bf2e21d69fa06daaf19b4cc34b589347", - "SHA256": "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4", + "Filename": "WinIO32.sys", + "MD5": "", + "SHA1": "8fb149fc476cf5bf18dc575334edad7caf210996", + "SHA256": "", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIO32.sys" + ], + "yara": false + }, + { + "Id": "de4dd27a-1f7e-4271-98a4-55395ab6aabf", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_I2c64.sys binPath=C:\\windows\\temp\\BS_I2c64.sys type=kernel && sc.exe start BS_I2c64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BS_I2c64.sys", + "MD5": "83601bbe5563d92c1fdb4e960d84dc77", + "SHA1": "dc55217b6043d819eadebd423ff07704ee103231", + "SHA256": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", "Signature": [ - "Wen Jia Liu", - "DigiCert High Assurance Code Signing CA-1", - "DigiCert" + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", "Publisher": "", - "Company": "wj32", - "Description": "KProcessHacker", - "Product": "KProcessHacker", - "ProductVersion": "3.0", - "FileVersion": "3.0", + "Company": "BIOSTAR Group", + "Description": "I/O Interface driver file", + "Product": "BIOSTAR I/O driver fle", + "ProductVersion": "1, 1, 0, 0", + "FileVersion": "1, 1, 0, 0", "MachineType": "AMD64", - "OriginalFilename": "kprocesshacker.sys", + "OriginalFilename": "BS_I2cIo.sys", "Authentihash": { - "MD5": "dd81d5b2343e1976d1708e7eb0649f8f", - "SHA1": "c2b8c1b34f09a91efe196f646ef7f9a11190fb8e", - "SHA256": "4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5" + "MD5": "bcc1ae726001fdbabb8159e3b333f3fd", + "SHA1": "7885fb33d8800fa3c036252af70e0a8391ab367d", + "SHA256": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4" }, - "InternalName": "", - "Copyright": "Licensed under the GNU GPL, v3.", + "InternalName": "I/O driver", + "Copyright": "Copyright (c) 2002-2006 BIOSTAR Group", "Imports": [ "ntoskrnl.exe", - "ksecdd.sys" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "SePrivilegeCheck", - "ZwOpenKey", - "ProbeForRead", - "RtlGetVersion", - "PsProcessType", - "ObOpenObjectByName", - "ObGetObjectType", - 
"PsReleaseProcessExitSynchronization", - "ZwQueryObject", - "RtlEqualUnicodeString", - "KeUnstackDetachProcess", - "ExEnumHandleTable", - "ObQueryNameString", - "IoFileObjectType", - "IoDriverObjectType", - "ExfUnblockPushLock", - "ObReferenceObjectByHandle", - "PsAcquireProcessExitSynchronization", - "PsInitialSystemProcess", - "ObSetHandleAttributes", - "ZwQueryInformationProcess", - "ObfDereferenceObject", - "ExAllocatePoolWithQuotaTag", - "ZwQueryInformationThread", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "PsLookupProcessByProcessId", - "PsJobType", - "PsReferencePrimaryToken", - "SeTokenObjectType", - "IoCreateDevice", - "PsGetProcessJob", - "PsLookupProcessThreadByCid", - "ZwTerminateProcess", - "PsDereferencePrimaryToken", - "IoThreadToProcess", - "RtlWalkFrameChain", - "KeInitializeApc", - "KeSetEvent", - "KeInsertQueueApc", - "KeWaitForSingleObject", - "PsThreadType", - "PsLookupThreadByThreadId", - "ZwQuerySystemInformation", - "ZwQueryVirtualMemory", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "ZwReadFile", - "MmHighestUserAddress", - "SeLocateProcessImageName", - "KeDelayExecutionThread", - "ZwCreateFile", - "RtlRandomEx", - "ZwQueryInformationFile", - "MmUnmapLockedPages", - "ExRaiseStatus", - "MmMapLockedPagesSpecifyCache", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmIsAddressValid", - "KeBugCheckEx", - "PsGetCurrentProcessId", + "IoDeleteSymbolicLink", + "IoStartNextPacket", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "KeRemoveEntryDeviceQueue", "IofCompleteRequest", - "ZwClose", - "ZwQueryValueKey", - "KeInitializeEvent", - "ProbeForWrite", + "IoStartPacket", + "IoCreateDevice", + "IoCreateSymbolicLink", + "MmMapIoSpace", "IoDeleteDevice", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "IoGetCurrentProcess", - "ExAllocatePoolWithTag", - "__C_specific_handler", - "BCryptCreateHash", - "BCryptDestroyKey", - "BCryptImportKeyPair", - 
"BCryptCloseAlgorithmProvider", - "BCryptVerifySignature", - "BCryptFinishHash", - "BCryptHashData", - "BCryptDestroyHash", - "BCryptOpenAlgorithmProvider", - "BCryptGetProperty" + "HalSetBusDataByOffset", + "HalTranslateBusAddress", + "HalGetBusDataByOffset" ], "Signatures": [ { 
@@ -83761,45 +78848,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu", - "ValidFrom": "2013-10-30 00:00:00", - "ValidTo": "2017-01-04 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": 
"46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2007-10-16 00:00:00", + "ValidTo": "2010-10-20 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0ff1ef66bd621c65b74b4de41425717f", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "4d3675c15944120a97b4ae294ec73245", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } @@ -83807,17 +78894,18 @@ } ], "Tags": [ - "kprocesshacker.sys" - ] + "BS_I2c64.sys" + ], + "yara": true }, { - "Id": "a02ee964-a21e-4b08-9c98-a730c90bfd53", + "Id": "6ec5ddda-f302-4008-a73e-12814c1d571f", "Author": "Nasreddine Bencherchali", - "Created": "2023-05-11", + "Created": "2023-05-06", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create LMIinfo binPath=C:\\windows\\temp\\LMIinfo.sys type=kernel && sc.exe start LMIinfo.sys", + "Commands": "sc.exe create ATSZIO.sys binPath=C:\\windows\\temp\\ATSZIO.sys type=kernel && sc.exe start ATSZIO.sys", "Description": [], "Usecase": "Elevate privileges", "Privileges": "kernel", 
@@ -83826,413 +78914,329 @@ "Internal Research" ], "Acknowledgement": { - "Person": "Michael Alfaro", - "Handle": "@_mmpte_software" + "Person": [], + "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "LMIinfo.sys", - "MD5": "d4f7c14e92b36c341c41ae93159407dd", - "SHA1": "eac1b9e1848dc455ed780292f20cd6a0c38a3406", - "SHA256": "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233", + "FileName": "ATSZIO.sys", + "MD5": "17b97fbe2e8834d7ad30211635e1b271", + "SHA1": "e88259de797573fa515603ad3354aed0bce572f1", + "SHA256": "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c", "Authentihash": { - "MD5": "99b6f355ca0fb587ccb303e88bd73785", - "SHA1": "0ae6274d4f95b64415c6a5aefe3b5d6be8d1e4a4", - "SHA256": "e466e2bf4e190edd8717f6e8466b77a66b3304f5ae1458ca4400025a869fdfd1" + "MD5": "f1d41369bc171a32ece45fd99af06814", + "SHA1": "b3511e640bde63fcfbc22b2043a27d84824ad597", + "SHA256": "8926be6aa6df3b5d20483e0e698ea14fa0fb760844468ed69143d7f503250349" }, - "Description": "LogMeIn Kernel Information Provider", - "Company": "LogMeIn, Inc.", - "InternalName": "LMIinfo.sys", - "OriginalFilename": "LMIinfo.sys", - "FileVersion": "11.1.0.3220", - "Product": "LogMeIn", - "ProductVersion": "11.1.0.3220", - "Copyright": "Copyright © 2003-2017 LogMeIn, Inc. 
Patented and patents pending.", - "MachineType": "AMD64", + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.7", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "Copyright": "Copyright (C) 2012", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", "IoDeleteDevice", "IoDeleteSymbolicLink", "ObReferenceObjectByHandle", - "ObfDereferenceObject", "ZwClose", - "ZwOpenKey", - "ExFreePoolWithTag", - "ZwOpenProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "PsLookupProcessByProcessId", - "ObQueryNameString", - "ZwDuplicateObject", - "__C_specific_handler", - "KeBugCheckEx", - "RtlCopyUnicodeString", - "ExAllocatePoolWithTag", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "ZwQueryValueKey", - "RtlInitUnicodeString", - "WdfVersionBindClass", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, ??=US, ??=Delaware, serialNumber=3830661, ??=320 Summer Street, postalCode=02210, C=US, ST=Massachusetts, L=Boston, O=LogMeIn, Inc., CN=LogMeIn, Inc.", - "ValidFrom": "2015-06-18 00:00:00", - "ValidTo": "2018-06-22 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 
Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "080d35880102e23d2340f69eb3c0e561", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" - } - ] - } - ] - } - ], - "Tags": [ - "LMIinfo.sys" - ] - }, - { - "Id": "bb808089-5857-4df2-8998-753a7106cb44", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create DBUtilDrv2.sys binPath=C:\\windows\\temp\\DBUtilDrv2.sys type=kernel && sc.exe start DBUtilDrv2.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "DBUtilDrv2.sys", - "MD5": "dacb62578b3ea191ea37486d15f4f83c", - "SHA1": "90a76945fd2fa45fab2b7bcfdaf6563595f94891", - "SHA256": "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2012", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "3736439958e5533142648f0d278fe7df", - "SHA1": "6bc2ab0f03d7a58685a165b519e8fee6937526a6", - "SHA256": "d7c683ef033ac2dc4dfa0dc61f39931f91c0e8fd19e613f664cb03e14112ef6e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "WppRecorder.sys", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemorySpecifyCache", - "MmAllocateContiguousMemorySpecifyCache", - "MmUnmapIoSpace", - "MmMapIoSpace", + "ZwOpenSection", + "IofCompleteRequest", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "RtlCopyUnicodeString", - "KeSetPriorityThread", - "KeInsertQueueDpc", - "IoWMIRegistrationControl", - "RtlInitUnicodeString", - "imp_WppRecorderReplay", - "WppAutoLogStop", - "WppAutoLogStart", - "WppAutoLogTrace", - "WdfVersionUnbindClass", - "WdfVersionBindClass", - "WdfVersionUnbind", - "WdfVersionBind" + "_aullrem", + "memcpy", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "MmFreeContiguousMemory", + 
"MmAllocateContiguousMemory", + "ExFreePoolWithTag", + "ExAllocatePool", + "KeWaitForSingleObject", + "KeSetEvent", + "DbgPrint", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:06:32", - "ValidTo": "2020-06-03 18:06:32", - "Signature": "11f64665e99ee9a3212a8317075cf2122256a6cd5452564366da4b3e890c7a94b167d27a0cb1e962de146f371429f531349fc359cccece5f32fa84cd25231f892e44c4676b5ff4008ce6b3f3d9a2690a956a2a6a9e982ba8ebd4256971437156136a25b2e5184e11550aecb83f5ec8ae5467e866d6bbf44b9e8642c8bd5e316a4a494f676aa15eefad41893dd0a7187c881fa235b45f1a0696a8ad2d5c1531eed442d7281290b84f976f9ca241027378c241157a326739b2e8305adbfcef5005f5ccec402c1ab03d6e28c36987ae0d07cd12e41a348098d846f57c3225dbfed0c1b809ad311770854d368d150ee7767676c39a3d148f05cf7c2dcea5f1f7c6f2", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": 
"5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + 
"ValidTo": "2015-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000857f83dc2a6ca979b8000000000085", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "Filename": "DBUtilDrv2.sys", - "MD5": "d104621c93213942b7b43d65b5d8d33e", - "SHA1": "b03b1996a40bfea72e4584b82f6b845c503a9748", - "SHA256": "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2012", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "Dell", - "Description": "DBUtil", - "Product": "DBUtil", - "ProductVersion": "2.7.0.0", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "ATSZIO.sys", + "MD5": "7ee0c884e7d282958c5b3a9e47f23e13", + "SHA1": "86e893e59352fcb220768fb758fcc5bbd91dd39e", + "SHA256": "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5", "Authentihash": { - "MD5": "1e96108c0938d4c34d7072f04bc8b951", - "SHA1": "d46ae9bcc746ca408fbb55fb0d61b638720a8f25", - "SHA256": "7bacb353363cc29f7f3815a9d01e85cd86202d92378d1ab1b11df1ab2f42f40a" + "MD5": "69a92cb6ac87c99f10b24eefa13f0b10", + 
"SHA1": "b66bf2b1b07f8f2bab1418131ae66b0a55265f73", + "SHA256": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a" }, - "InternalName": "", - "Copyright": "© 2021 Dell Inc. All Rights Reserved. ", + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.7", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "Copyright": "Copyright (C) 2012", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "WDFLDR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "MmMapIoSpace", - "MmUnmapIoSpace", - "MmAllocateContiguousMemorySpecifyCache", - "KeSetPriorityThread", + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", "MmGetPhysicalAddress", - "KeBugCheckEx", - "KeInsertQueueDpc", - "RtlCopyUnicodeString", - "IoWMIRegistrationControl", - "MmGetSystemRoutineAddress", - "MmFreeContiguousMemorySpecifyCache", + "__C_specific_handler", + "DbgPrint", + "IoDeleteDevice", "RtlInitUnicodeString", - "WdfVersionBind", - "WdfVersionUnbind", - "WdfVersionUnbindClass", - "WdfVersionBindClass" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:33", - "ValidTo": "2021-12-02 22:15:33", - "Signature": "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", + "ValidFrom": "2021-09-09 19:15:59", + "ValidTo": "2022-09-01 19:15:59", + "Signature": 
"1757782e797188079911866d54bd474a2432707984658c549a407e7fb4e5efa2ba72367a02b382d2116d4c4538836ddcd4616fcd231229df1ae5d0da6b3abe499ee5d8b47a7919940f6bbcbe2575018dca65eef4913e3d38410f2cd6cca3082d9ba2c061173cd828635665f76e8f0f685e03da24290b9d2cae7039da974de7b7e85798ba64cbe9ba34e0308c3bd6b4d68e9723fde74274fd3806fe799d04d6a3835f82d4fefc52088ccda4b4c817116f2f5a99445a3e952d78bc27753e65e97c6271c71ac7c9e3439b847e8984ab06a5904d150223f9ca92bbda86c02663c3f4964da5e106619b6eaff2768143cce9e5a8b0b2cba90e82cd87866d9fd6499c6cfbc96529a18b5653d12b54a6c928693a4e3d197ffbfcce7ed71a909b18d09b4345b24bc25eb8dfa1821a9cd0971ffc7d38a26580e2f118c4ac55bf926d0666b72ad7ba6ec20f0b54d694bc3b8a0dbddda27bd64194da085319841d1ebc9dc067ef72ea064a475bea865828b13077bc8e14e2f7544b90f0045f3cd84bcc0d5a80645a6fb65528e4f768ec775bdb0225399f3c81c0b667714676d0949f9ffaddc8549dc45e5ce4345c4ea7dc0aff4ac510f5527ad94a2181edc4b73bcfde813a83d81ca897854c98712346001a12e5d3bf9a45c807f9b3c7d3e0bb99c035ea54ee39e2c9af4147dbea7aabec85b47192b945e083ddf6061afb901e83b11135d24e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "33000000b5213fca1e4aa03de40000000000b5", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "330000004de597a775e3157f7b00000000004d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] - } - ], - "Tags": [ - "DBUtilDrv2.sys" - ] - }, - { - "Id": "24fb7bab-b8c3-46ea-a370-c84d2f0ff614", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create ADV64DRV.sys binPath=C:\\windows\\temp\\ADV64DRV.sys type=kernel && sc.exe start ADV64DRV.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [ - { - "type": "BlockRule", - "value": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules" }, { - "type": "IOC", - "value": "Utilize Windows Event Code 7045 to monitor for new kernel driver installation." 
- } - ], - "KnownVulnerableSamples": [ - { - "Filename": "ADV64DRV.sys", - "MD5": "778b7feea3c750d44745d3bf294bd4ce", - "SHA1": "2261198385d62d2117f50f631652eded0ecc71db", - "SHA256": "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162", - "Signature": [ - "FUJITSU LIMITED ", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "01:30 AM 08/29/2006", - "Publisher": "FUJITSU LIMITED", - "Company": "FUJITSU LIMITED.", - "Description": "", - "Product": "MicrosoftR WindowsR Operating System", - "ProductVersion": "2, 0, 0, 0", - "FileVersion": "2, 0, 0, 0", - "MachineType": "AMD64", - "OriginalFilename": "ADV64DRV.sys", + "FileName": "ATSZIO.sys", + "MD5": "030c8432981e4d41b191624b3e07afe2", + "SHA1": "87d47340d1940eaeb788523606804855818569e3", + "SHA256": "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a", "Authentihash": { - "MD5": "e1c188570d8720f9c35e194e17a7fd36", - "SHA1": "ca6b0d932e5ac9dbe1242aca48ba93a14cf9d151", - "SHA256": "b2b37ef379ada79d2abe78375312bfcd4b518139bc525a522c2a6329ba097cc4" + "MD5": "f3a217e8c7a1c871d6588e7ef85ed660", + "SHA1": "b5407f564315cfd3eac7c7663fac575fd18f565d", + "SHA256": "028aed97e90c5a231069a3fa0853c67ea5853c4bbfea6247c6f4b53509581d05" }, - "InternalName": "ADV64DRV.sys", - "Copyright": "Copyright(C) FUJITSU LIMITED 2005", + "Description": "ATSZIO Driver", + "Company": "", + "InternalName": "ATSZIO", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0, 2, 1, 2", + "Product": "ATSZIO Driver", + "ProductVersion": "0, 2, 1, 2", + "Copyright": "Copyright (C) 2010", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlAppendUnicodeToString", + "IoCreateDevice", "RtlInitUnicodeString", - "MmUnmapIoSpace", - "MmMapIoSpace", - "IoWriteErrorLogEntry", "IoDeleteSymbolicLink", + "ZwClose", + "IofCompleteRequest", + "__C_specific_handler", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + 
"IoCreateSynchronizationEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "RtlAssert", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ZwUnmapViewOfSection", "IoDeleteDevice", + "MmAllocateContiguousMemory", "IoCreateSymbolicLink", - "IoCreateDevice", - "KeBugCheckEx", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", - "HalTranslateBusAddress" + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -84243,1314 +79247,2357 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=JP, ST=Kanagawa, L=Kawasaki, O=FUJITSU LIMITED , OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Personal Systems Business Unit, CN=FUJITSU LIMITED ", - "ValidFrom": "2006-05-31 00:00:00", - "ValidTo": "2007-06-01 23:59:59", - "Signature": "78ab202d129483254db90615ecfc16a8057fe3f49f614b5d04d92d593ef3aad056d06e29f50323337adb77ef869b046e060dbc793f2142cfdf59de270f02c3d5486ddfda1456be32f76fb5047ef6eefc08c99305a9029753af10ac21b04e76ba8b0651e80d64eccec56353f1fd7082ec8d38737b2f13b6f2d8db5720fe070285bf8ab99d932b52ac8a614cdc11ed0d52b119219dea9b2eeb31a2ea229f0a9de4d770c124872fb0c1154395c8e8cc967205ece6fcc4c976744874f9409a7cab02e612f08924794f8d9f8c1f026acdd269516a43042ebc0d055cae803266e8cc70b0121d8946650c9cbe6cb7f5c359ab80174c0e9208ff07c44980930c244bfc43", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6b7f98e2e421c2f95c47f321abf1aef1", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "ADV64DRV.sys" - ] - }, - { - "Id": "2b949a0d-939f-456a-a34f-4589d7712227", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create 
libnicm.sys binPath=C:\\windows\\temp\\libnicm.sys type=kernel && sc.exe start libnicm.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "libnicm.sys", - "MD5": "c1fce7aac4e9dd7a730997e2979fa1e2", - "SHA1": "25d812a5ece19ea375178ef9d60415841087726e", - "SHA256": "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "Micro Focus", - "Description": "XTier COM Services Driver", - "Product": "Micro Focus XTier", - "ProductVersion": "3.1.12", - "FileVersion": "3.1.12.0", - "MachineType": "AMD64", - "OriginalFilename": "libnicm.sys", + "FileName": "ATSZIO.sys", + "MD5": "715ac0756234a203cb7ce8524b6ddc0d", + "SHA1": "d73dabcb3f55935b701542fd26875006217ebbbe", + "SHA256": "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9", "Authentihash": { - "MD5": "f4c87edbb9a270058e01fdc58f29692a", - "SHA1": "e82346880e59a3d7652896128eb91512f5ee3d53", - "SHA256": "bd1d579a15ec3c1120cc6e0c8ff6b265623980de3570a5dd2f57d0c5981334d8" + "MD5": "272a0dd6f4b32694511cadaba438aec8", + "SHA1": "584b6a0e2dc45ce2d5ee5becf3ef09e7877a619b", + "SHA256": "18bea05d56bcbc0e23663db9b6dc79d9db3a218e711415a1e420dea2e183cb5e" }, - "InternalName": "", - "Copyright": "(C) Copyright 2000-2017, Micro Focus. 
All Rights Reserved.", + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.6", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.6", + "Copyright": "Copyright (C) 2012", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "NicmCreateInstance", - "NicmDeregisterClassFactory", - "NicmGetVersion", - "NicmRegisterClassFactory", - "XTComCreateInstance", - "XTComDeregisterClassFactory", - "XTComFreeUnusedLibrariesEx", - "XTComGetClassObject", - "XTComGetVersion", - "XTComInitialize", - "XTComRegisterClassFactory" + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExAcquireResourceExclusiveLite", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", - "strstr", - "RtlInitAnsiString", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "RtlEqualString", - "MmUnmapLockedPages", - "ProbeForRead", - "IoDeleteSymbolicLink", - "IoRegisterShutdownNotification", - "KeInitializeMutex", - "KeLeaveCriticalRegion", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", "IoDeleteDevice", - "ProbeForWrite", - "IoFreeMdl", - "KeEnterCriticalRegion", - "KeReleaseMutex", - "ZwCreateFile", - "MmMapLockedPagesSpecifyCache", - "IoUnregisterShutdownNotification", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", "ZwClose", + "IoCreateDevice", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "memcpy", + "KeTickCount", + "RtlUnwind", "IofCompleteRequest", - "IoSetTopLevelIrp", + "MmFreeContiguousMemory", + "MmAllocateContiguousMemory", + "ExAllocatePool", "KeWaitForSingleObject", - "MmProbeAndLockPages", - "MmUnlockPages", - "ExDeleteResourceLite", - "IoGetTopLevelIrp", - "IoCreateSymbolicLink", - "IoCreateDevice", - "ExInitializeResourceLite", - "NtSetSecurityObject", - "DbgPrintEx", + "KeSetEvent", "DbgPrint", - "IoAllocateMdl", - "RtlCreateSecurityDescriptor", 
- "IoGetCurrentProcess", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", + "ZwOpenSection", "RtlInitUnicodeString", - "RtlAppendUnicodeToString", - "RtlUnicodeStringToAnsiString", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "RtlInitString", - "KeDelayExecutionThread", - "RtlFreeUnicodeString", - "ZwWaitForSingleObject", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "RtlAppendUnicodeStringToString", - "RtlCopyString", - "MmIsAddressValid", - "ZwOpenFile", - "ZwQueryInformationFile", - "ZwLoadDriver", - "ZwOpenKey", "KeBugCheckEx", - "__C_specific_handler" + "HalSetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2021-09-09 19:15:59", - "ValidTo": "2022-09-01 19:15:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "330000004de597a775e3157f7b00000000004d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "libnicm.sys" - ] - }, - { - "Id": "dfb0270d-4892-4fe5-97ed-0afd2e3fbe52", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create zamguard64.sys binPath=C:\\windows\\temp\\zamguard64.sys type=kernel && sc.exe start zamguard64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "zamguard64.sys", - "MD5": "21e13f2cb269defeae5e1d09887d47bb", - "SHA1": "16d7ecf09fc98798a6170e4cef2745e0bee3f5c7", - "SHA256": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", - "Signature": [ - "Zemana Ltd.", - "DigiCert High Assurance Code Signing CA-1", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "Zemana Ltd.", - "Description": "ZAM", - "Product": "ZAM", - "ProductVersion": "2.21.63", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "ATSZIO.sys", + "MD5": "f84da507b3067f019c340b737cd68d32", + "SHA1": "5e9538d76b75f87f94ca5409ae3ddc363e8aba7f", + "SHA256": "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b", "Authentihash": { - "MD5": 
"3f2771b22553380efcee72a27dc4d96c", - "SHA1": "0d15b7de0f1129b540f48d7a3cba2c6bf5d44112", - "SHA256": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f" + "MD5": "aec83d758be98eb60b7463bc71eb1242", + "SHA1": "1ce64a20f37b9a86bd55b2ae592a5b90e6e9ea40", + "SHA256": "1631d124bd8b2917c37abfe0f7b3dfa9e309ec54f69bdab2e2b5de3929d523d7" }, - "InternalName": "", - "Copyright": "Zemana Ltd. All rights reserved.", + "Description": "ATSZIO Driver", + "Company": "", + "InternalName": "ATSZIO", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0, 2, 1, 2", + "Product": "ATSZIO Driver", + "ProductVersion": "0, 2, 1, 2", + "Copyright": "Copyright (C) 2010", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "FLTMGR.SYS" + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "FsRtlIsNameInExpression", - "PsGetProcessImageFileName", - "ZwQueryInformationProcess", - "__C_specific_handler", - "strchr", - "RtlAppendUnicodeToString", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "KeWaitForSingleObject", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "ZwQueryInformationFile", - "ZwWriteFile", - "PsGetCurrentThreadId", - "ZwDeleteFile", - "_vsnprintf", - "PsThreadType", - "PsSetCreateProcessNotifyRoutine", - "PsGetProcessSessionId", - "RtlAppendUnicodeStringToString", - "ZwDeleteValueKey", - "ZwSetValueKey", - "towupper", - "RtlIntegerToUnicodeString", - "KeInitializeEvent", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", "KeSetEvent", - "KeAcquireSpinLockAtDpcLevel", - "KeReleaseSpinLockFromDpcLevel", - "MmProbeAndLockPages", - "IoAllocateIrp", - "IoAllocateMdl", - "IofCallDriver", - "IoFreeIrp", - "IoFreeMdl", - "IoGetDeviceObjectPointer", - "IoGetRelatedDeviceObject", - "ObCloseHandle", - "ObfReferenceObject", - "ZwSetInformationFile", - "ZwReadFile", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "IoCreateFileSpecifyDeviceObjectHint", - 
"IoGetDeviceAttachmentBaseRef", - "FsRtlGetFileSize", - "ObQueryNameString", - "IoFileObjectType", - "KeReadStateEvent", - "ExQueueWorkItem", - "ExGetPreviousMode", - "MmGetSystemRoutineAddress", - "NtOpenProcess", - "ZwCreateEvent", - "ZwWaitForSingleObject", - "ZwSetEvent", - "NtQuerySystemInformation", - "ExEventObjectType", - "NtBuildNumber", - "ZwDeleteKey", - "ObReferenceObjectByName", - "IoDriverObjectType", - "MmIsDriverVerifying", + "KeWaitForSingleObject", + "_except_handler3", + "MmFreeContiguousMemory", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ZwUnmapViewOfSection", "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "RtlSetDaclSecurityDescriptor", - "MmMapLockedPagesSpecifyCache", - "PsGetProcessId", - "IoThreadToProcess", - "PsGetCurrentProcessSessionId", - "ZwTerminateProcess", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ZwOpenThread", - "PsProcessType", - "ExInterlockedInsertHeadList", - "ExInterlockedRemoveHeadList", - "CmRegisterCallback", - "CmUnRegisterCallback", - "RtlCreateRegistryKey", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwQueryKey", - "ZwQueryValueKey", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "ProbeForWrite", - "PsSetLoadImageNotifyRoutine", - "PsRemoveLoadImageNotifyRoutine", - "PsGetProcessSectionBaseAddress", - "MmSystemRangeStart", - "KeBugCheckEx", - "PsLookupProcessByProcessId", - "ZwOpenProcess", - "PsGetCurrentProcessId", - "RtlUpcaseUnicodeString", - "RtlUpperString", "ZwClose", - "ZwCreateFile", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ProbeForRead", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "KeDelayExecutionThread", - "RtlGetVersion", - "DbgPrint", - "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "wcsstr", - "ZwQuerySystemInformation", - "strstr", - "FltSendMessage", - "FltCloseCommunicationPort", - "FltCreateCommunicationPort", - 
"FltReleaseContext", - "FltGetStreamHandleContext", - "FltSetStreamHandleContext", - "FltAllocateContext", - "FltCancelFileOpen", - "FltQueryInformationFile", - "FltReadFile", - "FltParseFileNameInformation", - "FltReleaseFileNameInformation", - "FltGetFileNameInformation", - "FltFreePoolAlignedWithTag", - "FltAllocatePoolAlignedWithTag", - "FltStartFiltering", - "FltUnregisterFilter", - "FltRegisterFilter", - "FltBuildDefaultSecurityDescriptor" + "IoCreateDevice", + "IoCreateSynchronizationEvent", + "IoDeleteDevice", + "RtlAssert", + "IoCreateSymbolicLink", + "READ_PORT_ULONG", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset", + "READ_PORT_UCHAR", + "READ_PORT_USHORT", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", - "ValidFrom": "2014-12-16 00:00:00", - "ValidTo": "2017-12-20 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2009-08-03 00:00:00", + "ValidTo": "2012-08-03 23:59:59", + "Signature": "bdc1dedf888c617c55af86763028f36094aeaadb7ebe82208e02d910305a252b4156a62a7f17366536fde06c13ff2bd8891e303a1e8c5c3cdb5fb257627367e3b6446b76c8080f61feac4424c5ef89467a79dc55fcb929805b727a10b39493038f97535686250f46e169bc85a02fb1f8a2626235a540e058084d1b17dbb7c426e76a8d3c2b3e2c0c4f33b9d6cc8d7a3590f8f61358ea5380ee0af3df7197dc4a615bcef1bcd119dba007d955d1acd14b42ab89d3539047d13d3e767de04ab5aa289fa0a698a582e84a5a65a1c9fabed2f75576629e8ad1826b68f2fca2baa751745f5ec968ed91cdf9761244a80b8c0d957900297ac3523c7a20c64e35be1b0a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0210230fd364b469091b8a4440145e18", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "12d5c9e2949d48abaccd3514f0fb22ad", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "zamguard64.sys" - ] - }, - { - "Id": "f7f88ef4-ada4-4210-a40d-9d84142ef0fb", - "Author": "Michael Haag", - "Created": "2023-03-04", - "MitreID": "T1068", - "Category": "malicious", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create 7.sys binPath=C:\\windows\\temp\\7.sys type=kernel && sc.exe start 7.sys", - "Description": "Driver categorized as POORTRY 
by Mandiant.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", - "" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "7.sys", - "MD5": "dc564bac7258e16627b9de0ce39fae25", - "SHA1": "0291d0457acaf0fe8ed5c3137302390469ce8b35", - "SHA256": "6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2014", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + "FileName": "ATSZIO.sys", + "MD5": "4814205270caa80d35569eee8081838e", + "SHA1": "d6de8983dbd9c4c83f514f4edf1ac7be7f68632f", + "SHA256": "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc", "Authentihash": { - "MD5": "f147f4f5f6dcaf5d0e5481418ef02c42", - "SHA1": "e31276554b012178dc6fb06c7f44b6241d48f8a7", - "SHA256": "3325f541c9930a321930853e0d7f0f4c35ba99f99a97bfe275c60248957720fb" + "MD5": "84fc06779f79be8a59caa24378db6eaf", + "SHA1": "2905cbd9b37d55b657f952ec5b5804bd3b1f4263", + "SHA256": "e5e4dc1a918e201ec2cf02a036e4dd03dd04dfd179091c8adfbc6745eb830f2f" }, - "InternalName": "", - "Copyright": "", + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.6", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.6", + "Copyright": "Copyright (C) 2012", + "MachineType": "AMD64", "Imports": [ - "NETIO.SYS", - "ntoskrnl.exe", - "WDFLDR.SYS", - "ntoskrnl.exe", - "HAL.dll", "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - 
"WskCaptureProviderNPI", - "RtlFreeAnsiString", - "WdfVersionBindClass", - "_stricmp", - "KeQueryPerformanceCounter", + "KeWaitForSingleObject", "ExAllocatePool", - "NtQuerySystemInformation", - "ExFreePoolWithTag", - "IoAllocateMdl", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnlockPages", - "IoFreeMdl", - "KeQueryActiveProcessors", - "KeSetSystemAffinityThread", - "KeRevertToUserAffinityThread", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", "DbgPrint", - "KeQueryPerformanceCounter" + "IoDeleteDevice", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2022-06-07 18:08:06", - "ValidTo": "2023-06-01 18:08:06", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - 
"ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "7.sys" - ] - }, - { - "Id": "22aa985b-5fdb-4e38-9382-a496220c27ec", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create TmComm.sys binPath=C:\\windows\\temp\\TmComm.sys type=kernel && sc.exe start TmComm.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "TmComm.sys", - "MD5": "2e1f8a2a80221deb93496a861693c565", - "SHA1": "a00e444120449e35641d58e62ed64bb9c9f518d2", - "SHA256": "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64", - "Signature": [ - "Trend Micro, Inc.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "Trend Micro Inc.", - "Description": "TrendMicro Common Module", - "Product": "Trend Micro Eyes", - "ProductVersion": "7.30", - "FileVersion": "7.30.0.1099", - "MachineType": "AMD64", - "OriginalFilename": "TmComm.sys", + "FileName": "ATSZIO.sys", + "MD5": "dbf11f3fad1db3eb08e2ee24b5ebfb95", + "SHA1": "cea540a2864ece0a868d841ab27680ff841fcbe6", + "SHA256": "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f", 
"Authentihash": { - "MD5": "2d7f04ca689981b18fb8a4488e029843", - "SHA1": "6c0af836a89234e9a69363495719b686fbad8d7d", - "SHA256": "d580349730ace5170e7c33850bdcb37cbf16b70d0d1adc2568fdd223c2a55a77" + "MD5": "2e9b394c4437948e1c27e2f39a966b6c", + "SHA1": "0ddcc3e9e7d0790007fd6e12e4554f460d2c4d9b", + "SHA256": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc" }, - "InternalName": "TmComm.sys", - "Copyright": "Copyright (C) 2018 Trend Micro Incorporated. All rights reserved.", + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.7", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "Copyright": "Copyright (C) 2012", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - 
"??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - 
"??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - "??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - 
"??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3@YAXPEAX_K@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", 
- "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "??_V@YAXPEAX_K@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", 
- "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - 
"?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - 
"?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - 
"?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - 
"?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "AllocFullFileName", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetBackupCommPortAPIs", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - 
"ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", + "DbgPrint", + "IoDeleteDevice", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "??=TW, ??=Private Organization, serialNumber=23638777, C=TW, ST=Taipei City, L=Beitou District, O=ASUSTeK COMPUTER INC., CN=ASUSTeK COMPUTER INC.", + "ValidFrom": "2020-10-30 00:00:00", + "ValidTo": "2023-11-02 
23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "068642beebecb7ddb4272ae42e83b490", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "ATSZIO.sys", + "MD5": "5a1ee9e6a177f305765f09b0ae6ac1c5", + "SHA1": "3f67a43ae174a715795e49f72bc350302de83323", + "SHA256": "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282", + "Authentihash": { + "MD5": "2e9b394c4437948e1c27e2f39a966b6c", + "SHA1": "0ddcc3e9e7d0790007fd6e12e4554f460d2c4d9b", + "SHA256": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc" + }, + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.1.7", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.1.7", + "Copyright": "Copyright (C) 2012", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", + 
"MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", + "DbgPrint", + "IoDeleteDevice", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "03cd161c1960e13d0b06441f08fdfc9df8319f8d87a83ecc865bc20767841d4087e40dc9d770bdc5c0fe6ccb9cf3e08bee7364451b03fb3130356761cae54417e8a282ed7cd33b0becd72e8799b616a2766976a7172a1cc299e8321ebeb479f592e03f425da4b2ea6a0cd0b5cc32b9bdeec80aa3ef0a62d6e16b72765301d53ef883ab9210a4b868ff2e2724e37804feb5277d3e26da8ba9d0b6ef61769d1c0f62a78757779d7134a63320b1a692584f12162d3fa20ec6e1b038b1a8d7afc2fad7b692759c6a000159714271f40d608fed3c08213b757fa75baf4674380f5aea46b7125f17532c636876c1f3e0d4b0350822f2a640001fda794b969e2cc681c2", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "ATSZIO.sys", + "MD5": "6682176866d6bd6b4ea3c8e398bd3aae", + "SHA1": "962e2ac84c28ed5e373d4d4ccb434eceee011974", + "SHA256": "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22", + "Authentihash": { + "MD5": "34057e393322867a580b2a72bc4b282b", + "SHA1": "439a577db1e655d7f4fde8dea0391867b081b59a", + "SHA256": "1d5ded14ba7821a1021815e70399801bf87dadf9b9eb17325e3c918d53971c8e" + }, + "Description": "ATSZIO Driver", + "Company": "ASUSTek Computer Inc.", + "InternalName": "ATSZIO.sys", + "OriginalFilename": "ATSZIO.sys", + "FileVersion": "0.2.2.3", + "Product": "ATSZIO Driver", + "ProductVersion": "0.2.2.3", + "Copyright": "Copyright (C) 2012", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeWaitForSingleObject", + "ExAllocatePool", + "ExFreePoolWithTag", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoCreateSynchronizationEvent", + "KeSetEvent", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmGetPhysicalAddress", + "__C_specific_handler", + "DbgPrint", + "IoDeleteDevice", + "RtlInitUnicodeString", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=TW, serialNumber=23638777, ??=Pei Tou District, ??=4F No. 150, Li,te Rd, postalCode=11259, C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2015-06-16 00:00:00", + "ValidTo": "2018-06-19 12:00:00", + "Signature": "62395f09957b06539614f157a39a1becf829e9b17f3620785bc445abedbf75d9018c75fdf7d2b5616f6f97ca685ed7c53b4b1e21456c94e9f6258ae51c535d69214696004d0d17d46123bfdcfadf1d03d83d70100dfa74516a74d0793ff5e2b9e5a99d172a94a521cb5902ebc205a1bf8c7f581a1a53b351460be4cb493afa23eb80020c4e9163f64112b474e454cceb4bf5d0ac7418394317a9ad3d6b7a13915309540c983f7172d19a787ce2733381cc1f32d9915a047bb3b53cae37b61870d5b3b17720bbc02c8b38538d9ab60de7b0319f3c541ac55c87df0fe344e8dd91cea16894c8a08509a3a77a817b7b6dd513079ec1b365b613d86d6fca5185dad9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "031c8403876518b80064120f1485a103", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + } + ], + "Tags": [ + "ATSZIO.sys" + ], + "yara": true + }, + { + "Id": "a9d9cbb7-b5f6-4e74-97a5-29993263280e", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create CorsairLLAccess64.sys binPath=C:\\windows\\temp\\CorsairLLAccess64.sys type=kernel && sc.exe start CorsairLLAccess64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + 
"Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "CorsairLLAccess64.sys", + "MD5": "b34361d151c793415ef92ee5d368c053", + "SHA1": "89656051126c3e97477a9985d363fbdde0bc159e", + "SHA256": "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6", + "Authentihash": { + "MD5": "7158180c7f219093d504d695240c2173", + "SHA1": "0302854ea87dc07a493aca60e8e7e63422932e42", + "SHA256": "b5606dc2a76350916cd77348cfdfe502256d759a4743dd4af503d2f7f348eb70" + }, + "Description": "Corsair LL Access", + "Company": "Corsair Memory, 
Inc.", + "InternalName": "Corsair LL Access", + "OriginalFilename": "Corsair LL Access", + "FileVersion": "1.0.16.0", + "Product": "Corsair LL Access", + "ProductVersion": "1.0.16.0", + "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "KeInitializeMutex", + "KeReleaseMutex", + "KeWaitForSingleObject", + "ExQueryDepthSList", + "ExpInterlockedPopEntrySList", + "ExpInterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "wcsncmp", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetRequestorProcessId", + "__C_specific_handler", + "KeBugCheckEx", + "wcsncat_s", + "MmUnmapLockedPages", + "wcscpy_s", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, 
CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "CorsairLLAccess64.sys", + "MD5": "3b9698a9ee85f0b4edf150deef790ccd", + "SHA1": "fbfabf309680fbf7c0f6f14c5a0e4840c894e393", + "SHA256": "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36", + "Authentihash": { + "MD5": "2c91bc52c8cda89db47907b88590a2a0", + "SHA1": "2129fd9cf3839001abea6bab0bbde224abad967c", + "SHA256": "a52a6fe55bd1c294d6f26b68839770d97850e9ccd5ecfd7f96b9dc4386e0ff08" + }, + "Description": "Corsair LL Access", + "Company": "Corsair Memory, Inc.", + "InternalName": "Corsair LL Access", + "OriginalFilename": "Corsair LL Access", + "FileVersion": "1.0.16.0", + "Product": "Corsair LL Access", + "ProductVersion": "1.0.16.0", + "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_ULONG", + "KeInitializeMutex", + "KeReleaseMutex", + "KeWaitForSingleObject", + "InterlockedPopEntrySList", + "InterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "WRITE_REGISTER_USHORT", + "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetRequestorProcessId", + "KeBugCheckEx", + "WRITE_REGISTER_UCHAR", + "RtlUnwind", + "READ_REGISTER_ULONG", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "RtlInitUnicodeString", + "wcsncmp", + "wcsncat_s", + "MmMapIoSpace", + "wcscpy_s", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + 
"Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "312314217055afc1a5751181c7d2d7619b23ba17166e6ae6f358b16921c925c6e3b75c31b93035f357c154fe4d347019e927db1957193b741e3371b46f4d6212b3bec972d6ff2297e8b1f2391f840045471ee31c524d4f5bf1cae4a32b73f6e48f51f777bb5b8a726db2a387c7c8df42289540f4f3d27b37d4ab4854efba809021879f3257d5670d70003a51d62bbc68e345a769f37ccb3ad336b7b3c494f5d56ef8300228d29835e5129b070742a220f83b6c9d5e2589cf2e7a1f7b59cfc81cda3232fc2fa448d736db546dc4b274cad3da83433deaa3eb9919b23ad08dc4055a8026711adcfccdb47d7a7c1adb2671ecc7198a786973807699a0ee236a46771f88913b769693b0b8ce9b002a40c2aa426edfd9a98368f89817b0d174458a390e11628e21f77e751431fae13831228e0e357610a24d89806d85390e9b3831792f62688bf04f91ee9a854b252452de7e752f39e57765a09a4ff41ae96144593a8a99688c6c9ad6b9fcaba1189ef2372b99e96db3fe6402b0e125b17f36c6f70fc1eb83257ce639b6c691a9ec031dddb9fa6536bb8e6080c9db976533f4ddfb73309b6498543cc94d3283d43668d614dd60a4fe707eb3b871da3204c534c8cc73cbc66aeb36cefd765439eef68d7ee9c515eb617f051a72097d0a25003df2dceccc9a0c4be1fd27e473955cc83ee9dba626748b1cb723c3b1c8b8ebc59321a0f5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "CorsairLLAccess64.sys", + "MD5": "30efb7d485fc9c28fe82a97deac29626", + "SHA1": "85941b94524da181be8aad290127aa18fc71895c", + "SHA256": "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d", + "Authentihash": { + "MD5": "e5c1ddfd9df7a473d9394ec219ffaa15", + "SHA1": "c0e1d74e70c5350e23c51209aa8b5df87bdf5642", + "SHA256": "cff3fc66d54279b755ceedf89268847dbb5139227739e4689f5d9271b1d7923b" + }, + "Description": "Corsair LL Access", + "Company": "Corsair Memory, Inc.", + "InternalName": "Corsair LL Access", + "OriginalFilename": "Corsair LL Access", + "FileVersion": "1.0.18.0", + "Product": "Corsair LL Access", + "ProductVersion": "1.0.18.0", + 
"Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_USHORT", + "WRITE_REGISTER_ULONG", + "KeInitializeMutex", + "KeReleaseMutex", + "KeWaitForSingleObject", + "InterlockedPopEntrySList", + "InterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "WRITE_REGISTER_UCHAR", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetRequestorProcessId", + "KeBugCheckEx", + "READ_REGISTER_ULONG", + "RtlUnwind", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "RtlGetVersion", + "RtlInitUnicodeString", + "wcsncmp", + "wcsncat_s", + "MmUnmapLockedPages", + "wcscpy_s", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + 
"Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "CorsairLLAccess64.sys", + "MD5": "f042e8318cf20957c2339d96690c3186", + "SHA1": "2871a631f36cd1ea2fd268036087d28070ef2c52", + "SHA256": "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1", + "Authentihash": { + "MD5": "0249d3e10b361ce69d1e7a44889ed8b7", + "SHA1": "fc577f0a129354623164e81fd287ebd6546c8ca3", + "SHA256": "09bc9d0606d8b96f1d9fb18741bdb43aa5c188981d298df047b8c75351d68653" + }, + "Description": "Corsair LL Access", + "Company": "Corsair Memory, Inc.", + "InternalName": "Corsair LL Access", + "OriginalFilename": "Corsair LL Access", + "FileVersion": "1.0.15.0", + "Product": "Corsair LL Access", + "ProductVersion": "1.0.15.0", + "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_ULONG", + "KeInitializeMutex", + "KeReleaseMutex", + "KeWaitForSingleObject", + "InterlockedPopEntrySList", + "InterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "WRITE_REGISTER_USHORT", + "MmUnmapIoSpace", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoGetRequestorProcessId", + "KeBugCheckEx", + "WRITE_REGISTER_UCHAR", + "RtlUnwind", + "READ_REGISTER_ULONG", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "RtlInitUnicodeString", + "wcsncmp", + "wcsncat_s", + "MmMapIoSpace", + "wcscpy_s", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + 
"CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + } + ], + "Tags": [ + "CorsairLLAccess64.sys" + ], + "yara": true + }, + { + "Id": "f8bddc8b-49b9-41f7-a877-d15ec3f174f9", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank4.sys binPath=C:\\windows\\temp\\daxin_blank4.sys type=kernel && sc.exe start daxin_blank4.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "daxin_blank4.sys", + "MD5": "491aec2249ad8e2020f9f9b559ab68a8", + "SHA1": "8692274681e8d10c26ddf2b993f31974b04f5bf0", + "SHA256": 
"8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e", + "Signature": "Unsigned", + "Date": "8:42 AM 4/20/2010", + "Publisher": "n/a", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", + "Authentihash": { + "MD5": "f66f4d6b97b9e7b0e467daed2ed69bed", + "SHA1": "c8f227b45d27c43db4b661ef610efbfacfda8a75", + "SHA256": "15b081ec83a89182b5bb0a642d56513f40810b5b0a42e904ab6d3fa8f34c0446" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "NTOSKRNL.EXE", + "HAL.DLL", + "ntoskrnl.exe", + "NDIS.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "strlen", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "ZwClose", + "IofCompleteRequest", + "KeResetEvent", + "InterlockedIncrement", + "KeSetEvent", + "InterlockedDecrement", + "RtlUnicodeStringToInteger", + "RtlInitUnicodeString", + "KeInitializeEvent", + "wcsncmp", + "wcscat", + "wcslen", + "wcscpy", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "strncmp", + "MmMapLockedPages", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmUnmapLockedPages", + "RtlFreeUnicodeString", + "ZwWriteFile", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "strcat", + "ZwReadFile", + "ZwQueryInformationFile", + "_wcsnicmp", + "strcmp", + "_stricmp", + "MmGetSystemRoutineAddress", + "ZwQueryValueKey", + "ZwOpenKey", + "IoCreateFile", + "KeWaitForMultipleObjects", + "strcpy", + "RtlUnwind", + "vsprintf", + "KeWaitForSingleObject", + "KeDelayExecutionThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "ObReferenceObjectByHandle", + "ExFreePool", + "KeInitializeSpinLock", + "KeTickCount", + "memset", + "memcpy", + "RtlCompareUnicodeString", + "ExAllocatePoolWithTag", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "PsGetVersion", + "ZwTerminateProcess", + "ZwOpenProcess", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "RtlLengthSid", + 
"RtlCreateSecurityDescriptor", + "ZwWaitForSingleObject", + "NtFsControlFile", + "NtWriteFile", + "NtReadFile", + "RtlLengthRequiredSid", + "RtlImageDirectoryEntryToData", + "ZwQueryInformationProcess", + "ZwQuerySystemInformation", + "PsLookupProcessByProcessId", + "KeAttachProcess", + "KeDetachProcess", + "PsLookupThreadByThreadId", + "KeInitializeApc", + "KeInsertQueueApc", + "ZwOpenFile", + "ZwDeviceIoControlFile", + "PsThreadType", + "NtQuerySystemInformation", + "NdisAllocateMemory", + "NdisAllocatePacket", + "NdisCopyFromPacketToPacket", + "NdisFreePacket", + "NdisAllocateBuffer", + "NdisDeregisterProtocol", + "NdisRegisterProtocol", + "NdisAllocateBufferPool", + "NdisAllocatePacketPool", + "NdisFreeBufferPool", + "NdisFreePacketPool", + "NdisFreeMemory" + ], + "Signatures": {} + } + ], + "Tags": [ + "daxin_blank4.sys" + ], + "yara": false + }, + { + "Id": "1ae6cfc4-ca70-4148-ba1c-e46cc6bfc548", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create kprocesshacker.sys binPath=C:\\windows\\temp\\kprocesshacker.sys type=kernel && sc.exe start kprocesshacker.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "kprocesshacker.sys", + "MD5": "1b5c3c458e31bede55145d0644e88d75", + "SHA1": "a21c84c6bf2e21d69fa06daaf19b4cc34b589347", + "SHA256": "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4", + "Signature": [ + "Wen Jia Liu", + "DigiCert High Assurance Code Signing CA-1", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "wj32", + "Description": "KProcessHacker", + "Product": "KProcessHacker", + "ProductVersion": "3.0", + "FileVersion": "3.0", + "MachineType": "AMD64", + "OriginalFilename": "kprocesshacker.sys", + "Authentihash": { + "MD5": "dd81d5b2343e1976d1708e7eb0649f8f", + "SHA1": "c2b8c1b34f09a91efe196f646ef7f9a11190fb8e", + "SHA256": "4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5" + }, + "InternalName": "", + "Copyright": "Licensed under the GNU GPL, v3.", + "Imports": [ + "ntoskrnl.exe", + "ksecdd.sys" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "SePrivilegeCheck", + "ZwOpenKey", + "ProbeForRead", + "RtlGetVersion", + "PsProcessType", + "ObOpenObjectByName", + "ObGetObjectType", + "PsReleaseProcessExitSynchronization", + "ZwQueryObject", + "RtlEqualUnicodeString", + "KeUnstackDetachProcess", + "ExEnumHandleTable", + "ObQueryNameString", + "IoFileObjectType", + "IoDriverObjectType", + "ExfUnblockPushLock", + "ObReferenceObjectByHandle", + 
"PsAcquireProcessExitSynchronization", + "PsInitialSystemProcess", + "ObSetHandleAttributes", + "ZwQueryInformationProcess", + "ObfDereferenceObject", + "ExAllocatePoolWithQuotaTag", + "ZwQueryInformationThread", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", + "PsJobType", + "PsReferencePrimaryToken", + "SeTokenObjectType", + "IoCreateDevice", + "PsGetProcessJob", + "PsLookupProcessThreadByCid", + "ZwTerminateProcess", + "PsDereferencePrimaryToken", + "IoThreadToProcess", + "RtlWalkFrameChain", + "KeInitializeApc", + "KeSetEvent", + "KeInsertQueueApc", + "KeWaitForSingleObject", + "PsThreadType", + "PsLookupThreadByThreadId", + "ZwQuerySystemInformation", + "ZwQueryVirtualMemory", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "ZwReadFile", + "MmHighestUserAddress", + "SeLocateProcessImageName", + "KeDelayExecutionThread", + "ZwCreateFile", + "RtlRandomEx", + "ZwQueryInformationFile", + "MmUnmapLockedPages", + "ExRaiseStatus", + "MmMapLockedPagesSpecifyCache", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmIsAddressValid", + "KeBugCheckEx", + "PsGetCurrentProcessId", + "IofCompleteRequest", + "ZwClose", + "ZwQueryValueKey", + "KeInitializeEvent", + "ProbeForWrite", + "IoDeleteDevice", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "IoGetCurrentProcess", + "ExAllocatePoolWithTag", + "__C_specific_handler", + "BCryptCreateHash", + "BCryptDestroyKey", + "BCryptImportKeyPair", + "BCryptCloseAlgorithmProvider", + "BCryptVerifySignature", + "BCryptFinishHash", + "BCryptHashData", + "BCryptDestroyHash", + "BCryptOpenAlgorithmProvider", + "BCryptGetProperty" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=AU, ST=New South Wales, L=Sydney, O=Wen Jia Liu, CN=Wen Jia Liu", + "ValidFrom": "2013-10-30 00:00:00", + "ValidTo": "2017-01-04 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" 
+ }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0ff1ef66bd621c65b74b4de41425717f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + } + ], + "Tags": [ + "kprocesshacker.sys" + ], + "yara": true + }, + { + "Id": "84ccb68d-ce34-4aa2-98d5-7f473c2e1b07", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create SysInfo.sys binPath=C:\\windows\\temp\\SysInfo.sys type=kernel && sc.exe start SysInfo.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" 
+ ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "SysInfo.sys", + "MD5": "5228b7a738dc90a06ae4f4a7412cb1e9", + "SHA1": "f0c463d29a5914b01e4607889094f1b7d95e7aaf", + "SHA256": "7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb", + "Signature": [ + "Noriyuki MIYAZAKI", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "0f56e9fddae9389425d93099ad609867", + "SHA1": "ca88f321631c1552e3e0bcd1f26ad3435cc9f1ae", + "SHA256": "a82d08ef67bdfccf0a2cf6d507c9fbb6ac42bd74bf2ade46ec07fe253deb6573" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "__C_specific_handler", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IoDisconnectInterrupt", + "IoConnectInterrupt", + "IoCreateDevice", + "KeInsertQueueDpc", + "ZwClose", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "KeInitializeDpc", + "IoCreateSymbolicLink", + "KeClearEvent", + "IoDeleteDevice", + "HalGetBusDataByOffset", + "HalSetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", + "ValidFrom": "2007-09-24 10:50:55", + "ValidTo": "2008-09-24 10:50:55", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", + "ValidFrom": "2003-12-16 13:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", + "ValidFrom": "2007-02-05 09:00:00", + "ValidTo": "2014-01-27 09:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "01000000000115372421a8", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] + } + ], + "Tags": [ + "SysInfo.sys" + ], + 
"yara": false + }, + { + "Id": "eef1fcf4-8c54-420b-8d38-9c5f95129dcc", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ntbios.sys binPath=C:\\windows\\temp \\n \\n \\n tbios.sys type=kernel && sc.exe start ntbios.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ntbios.sys", + "MD5": "14580bd59c55185115fd3abe73b016a2", + "SHA1": "71469dce9c2f38d0e0243a289f915131bf6dd2a8", + "SHA256": "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc", + "Signature": "Unsigned", + "Date": "10:26 AM 11/19/2009", + "Publisher": "n/a", + "Company": "Microsoft Corporation", + "Description": "ntbios 
driver", + "Product": " Microsoft(R) Windows (R) NT Operating System", + "ProductVersion": "5, 0, 2, 1", + "FileVersion": "5, 0, 2, 1", + "MachineType": "I386", + "OriginalFilename": "ntbios.sys", + "Authentihash": { + "MD5": "dd3f6fe14dadb95f5d8c963006dec9d7", + "SHA1": "2374491565e5798dccd4db2dc2af7e9bbefafd5b", + "SHA256": "50f9323eaf7c49cfca5890c6c46d729574d0caca89f7acc9f608c8226f54a975" + }, + "InternalName": "ntbio.sys", + "Copyright": "版权所有 (C) 2003", + "Imports": [ + "NTOSKRNL.EXE", + "HAL.DLL", + "ntoskrnl.exe", + "NDIS.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnlockPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IoQueueWorkItem", + "IoAllocateWorkItem", + "IoGetCurrentProcess", + "_stricmp", + "IoFreeWorkItem", + "RtlFreeUnicodeString", + "ZwClose", + "ZwWriteFile", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "_strnicmp", + "RtlUnwind", + "RtlCopyUnicodeString", + "wcsncmp", + "swprintf", + "IoCreateDevice", + "IoCreateSymbolicLink", + "KeInitializeSpinLock", + "ExfInterlockedInsertTailList", + "RtlInitUnicodeString", + "MmMapLockedPagesSpecifyCache", + "IoFreeMdl", + "InterlockedDecrement", + "InterlockedIncrement", + "InterlockedExchange", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "ExfInterlockedRemoveHeadList", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "strncmp", + "ExFreePool", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeInitializeApc", + "KeInsertQueueApc", + "KeAttachProcess", + "KeDetachProcess", + "NtQuerySystemInformation", + "NdisAllocatePacket", + "NdisCopyFromPacketToPacket", + "NdisAllocateMemory", + "NdisFreePacket", + "NdisAllocateBuffer", + "NdisSetEvent", + "NdisResetEvent", + "NdisFreeBufferPool", + "NdisFreePacketPool", + "NdisFreeMemory", + "NdisWaitEvent", + "NdisQueryAdapterInstanceName", + "NdisOpenAdapter", + "NdisInitializeEvent", + "NdisAllocatePacketPool", + "NdisRegisterProtocol", + "NdisAllocateBufferPool", + "NdisCloseAdapter", + "NdisDeregisterProtocol" + ], 
+ "Signatures": {} + } + ], + "Tags": [ + "ntbios.sys" + ], + "yara": true + }, + { + "Id": "892292f9-b87c-40a5-80e5-8c9b02914e8b", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create wantd.sys binPath=C:\\windows\\temp\\wantd.sys type=kernel && sc.exe start wantd.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "wantd.sys", + "MD5": "b0770094c3c64250167b55e4db850c04", + "SHA1": "6abbc3003c7aa69ce79cbbcd2e3210b07f21d202", + "SHA256": "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4", + "Signature": "A required certificate is not within its validity period when verifying against the 
current system clock or the timestamp in the signed file.", + "Date": "11:59 PM 11/27/2013", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "WAN Transport Driver", + "Product": "Microsoft Windows Operating System", + "ProductVersion": "6.1.7600.1172", + "FileVersion": "6.1.7600.1172", + "MachineType": "AMD64", + "OriginalFilename": "wantd.sys", + "Authentihash": { + "MD5": "1ed42c05e43c14ab16d16fbe8eaed870", + "SHA1": "68cb54489a0556594a28f5f1410cc64d74a1c182", + "SHA256": "a47b9af109988e8e033886638edc84964968eecd0d24483eafaad6a6d68005ea" + }, + "InternalName": "wantd.sys", + "Copyright": "Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "NDIS.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "wcsncmp", + "IoAllocateMdl", + "_stricmp", + "sprintf", + "RtlLengthRequiredSid", + "_strnicmp", + "ExAllocatePoolWithTag", + "vsprintf", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "NtWriteFile", + "RtlCreateAcl", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "_wcsnicmp", + "ZwReadFile", + "RtlSetDaclSecurityDescriptor", + "KeInitializeApc", + "IoDeleteDevice", + "NtFsControlFile", + "KeInsertQueueApc", + "MmGetSystemRoutineAddress", + "IoCreateFile", + "atoi", + "_snprintf", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", + "RtlAddAccessAllowedAce", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "ZwOpenFile", + "ZwCreateFile", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "ZwFreeVirtualMemory", + "KeQueryTimeIncrement", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeAttachProcess", + "PsGetVersion", + "PsThreadType", + "RtlCompareUnicodeString", + "ZwOpenProcess", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "IoCreateDevice", + "ZwTerminateProcess", + "ZwQueryInformationFile", + 
"KeWaitForMultipleObjects", + "ZwWriteFile", + "NtReadFile", + "PsLookupThreadByThreadId", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", + "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + "KeDelayExecutionThread", + "MmUserProbeAddress", + "MmBuildMdlForNonPagedPool", + "memchr", + "ZwWaitForSingleObject", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + "NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisMIndicateStatus", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "75446640570a5790bb9af0f472df1738c47e362aedd568599f66a121e1c27b51008ca2e0d72ed727e61ee0c76a578dc56de22c5ee58136db144fc68aca0fd0196d70716bd8c9d19b5fdd8a147d749367a953604b24502efdd039577033df13b8d20a8cc7ca4829a303c11e7f6bf3c370d98b64b875ca3745546285bb70c204467968b1c4a416b0636c590dff6f7a3091ed00351c626e32e859bdd58d363940a5ed33d121e423d2ba1b8ad85c5c1296e23d627e0aafe9268945bce9567c38719621eecdde83a74139fb3e0920a32e558fd64c0149cfec10f4b82fdcc8cdaed4011977c2169035b71edc68fabaf43d59f989ee5d97ec94eaa05ef2a62bfc480fa9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "wantd.sys" + ], + "yara": true + }, + { + "Id": "f654ad84-c61d-477c-a0b2-d153b927dfcc", + "Author": "Michael Haag", + "Created": "2023-05-20", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create EIO.sys binPath=C:\\windows\\temp\\EIO.sys type=kernel && sc.exe start EIO.sys", + "Description": "This is a vulnerable driver per Microsoft.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "EIO.sys", + "MD5": "be9eeea2a8cac5f6cd92c97f234e2fe1", + "SHA1": "585df373a9c56072ab6074afee8f1ec3778d70f8", + "SHA256": "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "ASUSTeK Computer Inc.", + "Description": "ASUS VGA Kernel Mode Driver", + "Product": "ASUS VGA Kernel Mode Driver", + "ProductVersion": "1.96", + "FileVersion": "1.96", + "MachineType": "AMD64", + "OriginalFilename": "EIO.sys", + "Authentihash": { + "MD5": "ff6c5b1f92372186d4f9879e00e42fcf", + "SHA1": "200be5a696990ee97b4c3176234cde46c3ebc2ce", + "SHA256": "72b36c64f0b349d7816c8e5e2d1a7f59807de0c87d3f071a04dbc56bec9c00db" + }, + "InternalName": "EIO.sys", + "Copyright": "Copyright 2007 ASUSTeK Computer Inc.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "ExAllocatePoolWithTag", + "IofCallDriver", + "IoDeleteSymbolicLink", + "KeInitializeMutex", + "IoAttachDeviceToDeviceStack", + "IoDeleteDevice", + "IoDetachDevice", + "MmUnmapIoSpace", + "KeReleaseMutex", + "KeWaitForSingleObject", + 
"KeBugCheckEx", + "IofCompleteRequest", + "RtlInitUnicodeString", + "MmMapIoSpace", + "KeStallExecutionProcessor", + "HalTranslateBusAddress" + ], + "Signatures": {} + }, + { + "Filename": "EIO.sys", + "MD5": "343ada10d948db29251f2d9c809af204", + "SHA1": "3f17ff83dc8a5f875fb1b3a5d3b9fcbe407a99f0", + "SHA256": "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "ASUSTeK Computer Inc.", + "Description": "ASUS VGA Kernel Mode Driver", + "Product": "ASUS VGA Kernel Mode Driver", + "ProductVersion": "1.97", + "FileVersion": "1.97", + "MachineType": "AMD64", + "OriginalFilename": "EIO.sys", + "Authentihash": { + "MD5": "5af6b25eec77fec510803a229944c8ad", + "SHA1": "ed54e23998978f8124bd1f97c265f708ddba1de0", + "SHA256": "d4e7335a177e47688d68ad89940c272f82728c882623f1630e7fd2e03e16f003" + }, + "InternalName": "EIO.sys", + "Copyright": "Copyright 2004 ASUSTeK Computer Inc.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ + "KeInitializeMutex", "RtlInitUnicodeString", - "KeInitializeEvent", - "KeClearEvent", - "KeSetEvent", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KeWaitForSingleObject", + "IoDeleteDevice", + "IoDetachDevice", + "MmUnmapIoSpace", + "MmMapIoSpace", + "PoStartNextPowerIrp", + "IofCompleteRequest", "ExFreePoolWithTag", - "ExAcquireFastMutexUnsafe", - "ExReleaseFastMutexUnsafe", - "ProbeForRead", - "ProbeForWrite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoFreeMdl", - "IoGetCurrentProcess", - "ObfReferenceObject", - "ObfDereferenceObject", - "ZwClose", - "ZwCreateSection", - "ZwOpenSection", + "PoCallDriver", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCallDriver", + "KeReleaseMutex", + "KeWaitForSingleObject", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + 
"IoAttachDeviceToDeviceStack", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor", + "HalTranslateBusAddress" + ], + "Signatures": {} + } + ], + "Tags": [ + "EIO.sys" + ], + "yara": true + }, + { + "Id": "ce2d41fd-908f-414c-b6b5-338298f425b8", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create DirectIo.sys binPath=C:\\windows\\temp\\DirectIo.sys type=kernel && sc.exe start DirectIo.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "DirectIo.sys", + "MD5": "a785b3bc4309d2eb111911c1b55e793f", + "SHA1": "19f3343bfad0ef3595f41d60272d21746c92ffca", + "SHA256": "4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9", + "Signature": [ + "PassMark Software Pty Ltd", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", + "Authentihash": { + "MD5": "c6fbe703bcefd3a5a191dce9cd2bf71d", + "SHA1": "7d24a5e3a9bb0eba2a4cf19f516384c7a0c95eb7", + "SHA256": "129fa1795cffca9973f59df59f880a9f2bdb3aa9873363f8e2f598ccc6e32542" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "ZwMapViewOfSection", + 
"ObReferenceObjectByHandle", + "ZwOpenSection", "ZwUnmapViewOfSection", - "ZwOpenEvent", - "KePulseEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "ZwSetEvent", - "__C_specific_handler", - "PsProcessType", - "wcslen", - "wcsncpy", - "wcsrchr", - "RtlUnicodeStringToInteger", - "ZwWaitForSingleObject", - "ZwRequestWaitReplyPort", - "ZwConnectPort", - "_stricmp", - "ExAllocatePoolWithTag", - "MmIsAddressValid", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", - "ObGetObjectSecurity", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "PsThreadType", - "MmSectionObjectType", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "KeDelayExecutionThread", - "ExGetPreviousMode", - "DbgPrint", - "swprintf", - "RtlCopyUnicodeString", + "ZwWriteFile", + "PsGetProcessId", + "NtBuildNumber", + "RtlFillMemoryUlong", + "ZwCreateFile", + "memset", + "memcpy", + "MmGetPhysicalMemoryRanges", + "IoWriteErrorLogEntry", + "memmove", + "IoAllocateErrorLogEntry", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoDeleteDevice", + "RtlAppendUnicodeStringToString", + "ObfDereferenceObject", + "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwCreateFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", - "towupper", - 
"MmGetSystemRoutineAddress", + "RtlQueryRegistryValues", + "ZwOpenKey", + "RtlWriteRegistryValue", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "KeInitializeEvent", + "IoCreateSymbolicLink", "ObReferenceObjectByPointer", - "PsGetCurrentThreadId", - "ObQueryNameString", - "PsGetVersion", - "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", - "wcscat", - "RtlFreeUnicodeString", - "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", - "ExSystemTimeToLocalTime", - "ZwCreateKey", - "ZwDeviceIoControlFile", - "ZwNotifyChangeKey", - "ZwOpenFile", - "ZwQueryVolumeInformationFile", - "mbstowcs", "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "IoCreateFile", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlUpcaseUnicodeChar", - "_snwprintf", - "strlen", - "_strnicmp", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "ObOpenObjectByName", - "KeSetPriorityThread", + "IoCreateDevice", + "KeQueryActiveProcessors", + "KeRevertToUserAffinityThread", + "KeSetSystemAffinityThread", + "KeTickCount", + "KeBugCheckEx", + "ZwClose", + "DbgPrint", + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ZwQueryValueKey", + "ExFreePoolWithTag", + "RtlIntegerToUnicodeString", + "RtlAssert", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "KeGetCurrentIrql", + "READ_PORT_ULONG" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + 
"Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", + "ValidFrom": "2009-09-22 00:00:00", + "ValidTo": "2012-10-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + } + ], + "Tags": [ + "DirectIo.sys" + ], + "yara": false + }, + { + "Id": "a8e999ee-746f-4788-9102-c1d3d2914f56", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + 
"Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create LgDCatcher.sys binPath=C:\\windows\\temp\\LgDCatcher.sys type=kernel && sc.exe start LgDCatcher.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "LgDCatcher.sys", + "MD5": "ed6348707f177629739df73b97ba1b6e", + "SHA1": "806832983bb8cb1e26001e60ea3b7c3ade4d3471", + "SHA256": "58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59", + "Signature": [ + "雷神(武汉)信息技术有限公司", + "DigiCert SHA2 Assured ID Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "0011ec462e11bd6288e1dc38def9be06", + "SHA1": "c6f2e631f12737a5fa96db2e18c8ebf950d64eb6", + "SHA256": "3ba724dd78864cd527a99673fde1bf7f9f85f2415c91708e7380fbe5e2c085dd" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "fwpkclnt.sys", + "NDIS.SYS", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExpInterlockedPushEntrySList", + "ExInitializeNPagedLookasideList", + "ExDeleteNPagedLookasideList", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmAllocatePagesForMdl", + "MmFreePagesFromMdl", "PsCreateSystemThread", "PsTerminateSystemThread", - "KeNumberProcessors", - "RtlLengthSecurityDescriptor", + 
"IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoReleaseCancelSpinLock", + "ObReferenceObjectByHandle", + "ExpInterlockedPopEntrySList", + "ZwClose", "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwDuplicateObject", - "ZwQuerySecurityObject", + "PsGetCurrentProcessId", + "ZwSetInformationThread", + "RtlLengthSid", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "PsLookupProcessByProcessId", + "ObOpenObjectByPointer", "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", - "NtCreateFile", - "NtQueryInformationFile", - "NtSetInformationFile", - "IoFileObjectType", - "ObInsertObject", - "wcschr", - "wcsncmp", - "RtlQueryRegistryValues", + "__C_specific_handler", + "SeExports", + "RtlGetVersion", + "_stricmp", + "ExAllocatePool", + "ZwQuerySystemInformation", + "RtlValidSid", + "KeGetCurrentIrql", + "KeWaitForSingleObject", + "ExFreePoolWithTag", + "ExQueryDepthSList", + "KeSetEvent", + "KeInitializeEvent", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", "RtlAppendUnicodeToString", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "swprintf_s", + "ExUuidCreate", + "ExAllocatePoolWithTag", + "RtlCopyUnicodeString", + "KeReleaseInStackQueuedSpinLock", + "KeAcquireInStackQueuedSpinLock", + "ObfDereferenceObject", "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IoFreeIrp", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", - "NtClose", - "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", - "MmSystemRangeStart", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - 
"RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "strcpy", - "wcsstr", - "RtlCompareUnicodeString", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ExAllocatePool", - "ExpInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", - "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", - "FsRtlIsNameInExpression", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSid", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlAbsoluteToSelfRelativeSD", - "RtlAnsiStringToUnicodeString", - "_purecall", - "KeBugCheckEx" + "FwpsFreeNetBufferList0", + "NdisInitializeEvent", + "NdisAdvanceNetBufferDataStart", + "NdisGetDataBuffer", + "NdisAllocateGenericObject", + "NdisFreeNetBufferListPool", + "NdisAllocateNetBufferListPool", + "NdisWaitEvent", + "NdisFreeGenericObject", + "NdisRetreatNetBufferDataStart", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" ], "Signatures": [ { 
@@ -85558,45 +81605,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", + "ValidFrom": "2011-04-15 19:41:37", + "ValidTo": "2021-04-15 19:51:37", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=CN, ST=?????????, L=?????????, O=??????????????????????????????????????????, CN=??????????????????????????????????????????", + "ValidFrom": "2020-04-07 00:00:00", + "ValidTo": "2023-04-12 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", + "ValidFrom": "2019-05-02 00:00:00", + "ValidTo": "2038-01-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", 
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #2", + "ValidFrom": "2020-10-23 00:00:00", + "ValidTo": "2032-01-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "497c4fad471540e6e453d0cafb155740", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0efd9bd4b4281c6522d96011df46c9c4", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" } ] } 
@@ -85604,395 +81651,517 @@ } ], "Tags": [ - "TmComm.sys" - ] + "LgDCatcher.sys" + ], + "yara": false }, { - "Id": "a9d9cbb7-b5f6-4e74-97a5-29993263280e", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "3277cecc-f4b4-4a00-be01-9da83e013bcd", + "Author": "Michael Haag", + "Created": "2023-02-28", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", - "Commands": "sc.exe create CorsairLLAccess64.sys binPath=C:\\windows\\temp\\CorsairLLAccess64.sys type=kernel && sc.exe start CorsairLLAccess64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create wantd_5.sys binPath=C:\\windows\\temp\\wantd_5.sys type=kernel && sc.exe start wantd_5.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": 
"sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "CorsairLLAccess64.sys", - "MD5": "b34361d151c793415ef92ee5d368c053", - "SHA1": "89656051126c3e97477a9985d363fbdde0bc159e", - "SHA256": "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6", + "Filename": "wantd_5.sys", + "MD5": "6d131a7462e568213b44ef69156f10a5", + "SHA1": "25bf4e30a94df9b8f8ab900d1a43fd056d285c9d", + "SHA256": "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3", + "Signature": "The digital signature of the object did not verify.", + "Date": "8:23 PM 2/28/2022", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "WAN Transport Driver", + "Product": "Microsoft Windows Operating System", + "ProductVersion": "6.1.7600.1172", + "FileVersion": "6.1.7600.1172", + "MachineType": "AMD64", + "OriginalFilename": "wantd.sys", "Authentihash": { - "MD5": "7158180c7f219093d504d695240c2173", - "SHA1": "0302854ea87dc07a493aca60e8e7e63422932e42", - "SHA256": "b5606dc2a76350916cd77348cfdfe502256d759a4743dd4af503d2f7f348eb70" + "MD5": "7c35b7a9bf59a63b84f252906732edde", + "SHA1": "ea0d2851b890d39d85bfb0dd1404c87f73aed47f", + "SHA256": "448a507774886c1745beaa86cd0867d93f142f5d2b58d452c5a8250d93359779" }, - "Description": "Corsair LL Access", - "Company": "Corsair Memory, Inc.", - "InternalName": "Corsair LL Access", - "OriginalFilename": "Corsair LL Access", - "FileVersion": "1.0.16.0", - "Product": "Corsair LL Access", - "ProductVersion": "1.0.16.0", - "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", - "MachineType": "AMD64", + "InternalName": "wantd.sys", + "Copyright": "Microsoft Corporation. 
All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "NDIS.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeInitializeMutex", - "KeReleaseMutex", - "KeWaitForSingleObject", - "ExQueryDepthSList", - "ExpInterlockedPopEntrySList", - "ExpInterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", "wcsncmp", - "MmMapIoSpace", - "MmUnmapIoSpace", "IoAllocateMdl", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", + "_stricmp", + "sprintf", + "RtlLengthRequiredSid", + "_strnicmp", + "ExAllocatePoolWithTag", + "vsprintf", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetRequestorProcessId", - "__C_specific_handler", - "KeBugCheckEx", - "wcsncat_s", - "MmUnmapLockedPages", - "wcscpy_s", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "NtWriteFile", + "RtlCreateAcl", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "_wcsnicmp", + "ZwReadFile", + "RtlSetDaclSecurityDescriptor", + "KeInitializeApc", + "IoDeleteDevice", + "NtFsControlFile", + "KeInsertQueueApc", + "MmGetSystemRoutineAddress", + "IoCreateFile", + "atoi", + "_snprintf", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", + "RtlAddAccessAllowedAce", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "ZwOpenFile", + "ZwCreateFile", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "ZwFreeVirtualMemory", + "KeQueryTimeIncrement", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeAttachProcess", + "PsGetVersion", + "PsThreadType", + "RtlCompareUnicodeString", + "ZwOpenProcess", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "IoCreateDevice", + "ZwTerminateProcess", + "ZwQueryInformationFile", + "KeWaitForMultipleObjects", + "ZwWriteFile", + "NtReadFile", + 
"PsLookupThreadByThreadId", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeAcquireSpinLockRaiseToDpc", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", + "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + "KeDelayExecutionThread", + "MmUserProbeAddress", + "MmBuildMdlForNonPagedPool", + "memchr", + "ZwWaitForSingleObject", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + "NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisMIndicateStatus", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": 
"96b5c33b31f27b6ba11f59dd742c3764b1bca093f9f33347e9f95df21d89f4579ee33f10a3595018053b142941b6a70e5b81a2ccbd8442c1c4bed184c2c4bd0c8c47bcbd8886fb5a0896ae2c2fdfbf9366a32b20ca848a6945273f732332936a23e9fffdd918edceffbd6b41738d579cf8b46d499805e6a335a9f07e6e86c06ba8086725afc0998cdba7064d4093188ba959e69914b912178144ac57c3ae8eae947bcb3b8edd7ab4715bba2bc3c7d085234b371277a54a2f7f1ab763b94459ed9230cce47c099212111f52f51e0291a4d7d7e58f8047ff189b7fd19c0671dcf376197790d52a0fbc6c12c4c50c2066f50e2f5093d8cafb7fe556ed09d8a753b1c72a6978dcf05fe74b20b6af63b5e1b15c804e9c7aa91d4df72846782106954d32dd6042e4b61ac4f24636de357302c1b5e55fb92b59457a9243d7c4e963dd368f76c728caa8441be8321a66cde5485c4a0a602b469206609698dcd933d721777f886dac4772daa2466eab64682bd24e98fb35cc7fec3f136d11e5db77edc1c37e1f6a4a14f8b4a721c671866770cdd819a35d1fa09b9a7cc55d4d728e74077fa74d00fcdd682412772a557527cda92c1d8e7c19ee692c9f7425338208db38cc7cc74f6c3a6bc237117872fe55596460333e2edfc42de72cd7fb0a82256fb8d70c84a5e1c4746e2a95329ea0fecdb4188fd33bad32b2b19ab86d0543fbff0d0f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "wantd_5.sys" + ], + "yara": true + }, + { + "Id": "b745b5da-9cd6-4b3a-badf-fbe487497705", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create WINIODrv.sys binPath=C:\\windows\\temp\\WINIODrv.sys type=kernel && sc.exe start WINIODrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "CorsairLLAccess64.sys", - "MD5": "3b9698a9ee85f0b4edf150deef790ccd", - "SHA1": "fbfabf309680fbf7c0f6f14c5a0e4840c894e393", - "SHA256": 
"5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36", + "Filename": "WINIODrv.sys", + "MD5": "a86150f2e29b35369afa2cafd7aa9764", + "SHA1": "460008b1ffd31792a6deadfa6280fb2a30c8a5d2", + "SHA256": "3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099", + "Signature": [ + "Partner Tech(Shanghai)Co.,Ltd", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "2c91bc52c8cda89db47907b88590a2a0", - "SHA1": "2129fd9cf3839001abea6bab0bbde224abad967c", - "SHA256": "a52a6fe55bd1c294d6f26b68839770d97850e9ccd5ecfd7f96b9dc4386e0ff08" + "MD5": "83510d09c4d0f9f56c0d6caf40ee63cb", + "SHA1": "40cc2318ffffd458023c8cd1e285a5ad51adf538", + "SHA256": "b3cbb2b364a494f096e68dc48cca89799ed27e6b97b17633036e363a98fd4421" }, - "Description": "Corsair LL Access", - "Company": "Corsair Memory, Inc.", - "InternalName": "Corsair LL Access", - "OriginalFilename": "Corsair LL Access", - "FileVersion": "1.0.16.0", - "Product": "Corsair LL Access", - "ProductVersion": "1.0.16.0", - "Copyright": "Corsair Memory, Inc. 
(c) 2019, All rights reserved", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "WRITE_REGISTER_ULONG", - "KeInitializeMutex", - "KeReleaseMutex", - "KeWaitForSingleObject", - "InterlockedPopEntrySList", - "InterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "WRITE_REGISTER_USHORT", - "MmUnmapIoSpace", - "IoAllocateMdl", - "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetRequestorProcessId", - "KeBugCheckEx", - "WRITE_REGISTER_UCHAR", - "RtlUnwind", - "READ_REGISTER_ULONG", - "READ_REGISTER_USHORT", - "READ_REGISTER_UCHAR", + "ObReferenceObjectByHandle", + "IofCompleteRequest", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ObfDereferenceObject", "RtlInitUnicodeString", - "wcsncmp", - "wcsncat_s", - "MmMapIoSpace", - "wcscpy_s", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", + "ValidFrom": "2013-07-29 00:00:00", + "ValidTo": "2014-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "CorsairLLAccess64.sys", - "MD5": "30efb7d485fc9c28fe82a97deac29626", - "SHA1": "85941b94524da181be8aad290127aa18fc71895c", - "SHA256": "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d", + "Filename": "WINIODrv.sys", + "MD5": "ad22a7b010de6f9c6f39c350a471a440", + "SHA1": "738b7918d85e5cb4395df9e3f6fc94ddad90e939", + "SHA256": "7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c", + "Signature": [ + "Partner Tech(Shanghai)Co.,Ltd", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "e5c1ddfd9df7a473d9394ec219ffaa15", - "SHA1": "c0e1d74e70c5350e23c51209aa8b5df87bdf5642", - "SHA256": 
"cff3fc66d54279b755ceedf89268847dbb5139227739e4689f5d9271b1d7923b" + "MD5": "792b743c370ad28281edd4801b22a31e", + "SHA1": "80ca9c9cce4b5e6afb92a56b5bfd954eca0ff690", + "SHA256": "9199979b9f3ea2108299d028373a6effcc41c81a46eecb430cc6653211d2913d" }, - "Description": "Corsair LL Access", - "Company": "Corsair Memory, Inc.", - "InternalName": "Corsair LL Access", - "OriginalFilename": "Corsair LL Access", - "FileVersion": "1.0.18.0", - "Product": "Corsair LL Access", - "ProductVersion": "1.0.18.0", - "Copyright": "Corsair Memory, Inc. (c) 2019, All rights reserved", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "WRITE_REGISTER_USHORT", - "WRITE_REGISTER_ULONG", - "KeInitializeMutex", - "KeReleaseMutex", - "KeWaitForSingleObject", - "InterlockedPopEntrySList", - "InterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "WRITE_REGISTER_UCHAR", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateMdl", - "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetRequestorProcessId", - "KeBugCheckEx", - "READ_REGISTER_ULONG", - "RtlUnwind", - "READ_REGISTER_USHORT", - "READ_REGISTER_UCHAR", - "RtlGetVersion", - "RtlInitUnicodeString", - "wcsncmp", - "wcsncat_s", - "MmUnmapLockedPages", - "wcscpy_s", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "ObReferenceObjectByHandle", + "IofCompleteRequest", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ObfDereferenceObject", + "RtlInitUnicodeString", + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", 
"Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", + "ValidFrom": "2013-07-29 00:00:00", + "ValidTo": "2014-07-29 23:59:59", + "Signature": 
"49130d705c6ee4c56abf0457045e851ad7d1b24a5c7f06c153e69cda05eec33218fa55a997eeafa781489d0cfb4aa23424818790cd532954cdb8b273ac4a50ac56833e9b80ed09ab6126322c8fe19d8f438bbdd058327039c0def160f3f42d7298ee90462742417e42351a0122cea0818200999f5f565b95da39b87344c7fb56cedceca3a2b5780ef9fda1e98649e6acec4ea5708d8f7b98d15ee76ba56cf561452943e49e91d6ed176856eb0c823d002e452d58f9082586667854de2abe9636f9d406efead995be7e004fa59b12143d4f7831e40debf91837d81d791e80405417b51020bf71bf04efb23936b4cdfec053e6f55d6f6dedbf7dfc60c4618db8e8", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "CorsairLLAccess64.sys", - "MD5": "f042e8318cf20957c2339d96690c3186", - "SHA1": "2871a631f36cd1ea2fd268036087d28070ef2c52", - "SHA256": "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1", + "Filename": 
"WINIODrv.sys", + "MD5": "0761c357aed5f591142edaefdf0c89c8", + "SHA1": "43419df1f9a07430a18c5f3b3cc74de621be0f8e", + "SHA256": "c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e", + "Signature": [ + "Partner Tech(Shanghai)Co.,Ltd", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", "Authentihash": { - "MD5": "0249d3e10b361ce69d1e7a44889ed8b7", - "SHA1": "fc577f0a129354623164e81fd287ebd6546c8ca3", - "SHA256": "09bc9d0606d8b96f1d9fb18741bdb43aa5c188981d298df047b8c75351d68653" + "MD5": "b2fc995c9a92965a53437c30b53d7096", + "SHA1": "c21043466942961203e751c9cebcd159e661fa1a", + "SHA256": "961012d06eeaabd9eff9b36173e566bf148a5c8f743f3329c70d8918eba26093" }, - "Description": "Corsair LL Access", - "Company": "Corsair Memory, Inc.", - "InternalName": "Corsair LL Access", - "OriginalFilename": "Corsair LL Access", - "FileVersion": "1.0.15.0", - "Product": "Corsair LL Access", - "ProductVersion": "1.0.15.0", - "Copyright": "Corsair Memory, Inc. 
(c) 2019, All rights reserved", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "WRITE_REGISTER_ULONG", - "KeInitializeMutex", - "KeReleaseMutex", - "KeWaitForSingleObject", - "InterlockedPopEntrySList", - "InterlockedPushEntrySList", - "ExInitializeNPagedLookasideList", - "ExDeleteNPagedLookasideList", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "WRITE_REGISTER_USHORT", - "MmUnmapIoSpace", - "IoAllocateMdl", - "IofCompleteRequest", "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetRequestorProcessId", - "KeBugCheckEx", - "WRITE_REGISTER_UCHAR", - "RtlUnwind", - "READ_REGISTER_ULONG", - "READ_REGISTER_USHORT", - "READ_REGISTER_UCHAR", + "ObReferenceObjectByHandle", + "IofCompleteRequest", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ObfDereferenceObject", "RtlInitUnicodeString", - "wcsncmp", - "wcsncat_s", - "MmMapIoSpace", - "wcscpy_s", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" + "HalTranslateBusAddress" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=shanghai, L=shanghai, O=Partner Tech(Shanghai)Co.,Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Partner Tech(Shanghai)Co.,Ltd", + "ValidFrom": "2013-07-29 00:00:00", + "ValidTo": "2014-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "1402447b9e4c23e066ef2991f6975d79", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -86000,133 +82169,141 @@ } ], "Tags": [ - "CorsairLLAccess64.sys" - ] + "WINIODrv.sys" + ], + "yara": false }, { - "Id": "afed9dff-245e-4875-a156-3c5584beed03", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "670dc258-78b5-4552-a16b-b41917c86f8d", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create directio64.sys binPath=C:\\windows\\temp\\directio64.sys type=kernel && sc.exe start directio64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create driver7-x86.sys binPath=C:\\windows\\temp\\driver7-x86.sys type=kernel && sc.exe start driver7-x86.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], "KnownVulnerableSamples": [ { - "FileName": "directio64.sys", - "MD5": "537e2c3020b1d48b125da593e66508ec", - "SHA1": "e702221d059b86d49ed11395adffa82ef32a1bce", - "SHA256": "092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0", + "Filename": "driver7-x86.sys", + "MD5": "1f950cfd5ed8dd9de3de004f5416fe20", + "SHA1": "00b4e8b7644d1bf93f5ddb5740b444b445e81b02", + "SHA256": "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0", + "Signature": [ + "ASUSTeK Computer Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "ASUStek", + "Description": "The driver for the ECtool driver-based tools", + "Product": "EC tool", + "ProductVersion": "2.5", + "FileVersion": "2.5.0.2", + "MachineType": "I386", + "OriginalFilename": "Driver7", "Authentihash": { - "MD5": "e9ded101dac8161f1c3625da578d390d", - "SHA1": "e8f7e20061f9cc20583dcab3b16054d106b8aa83", - "SHA256": "b8bf3bd441ebc5814c5d39d053fdcb263e8e58476cbdee4b1226903305f547b6" + "MD5": "c5d6296b11390f68dc48dcec40990676", + "SHA1": "7a3c1908302851a032d45a73e67c4a3e699807a5", + "SHA256": "c67c6f1e03a466dc660bcad6051fc38eb6e9004a4e252abe52c6155f5768ad90" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "InternalName": "Driver7.sys", + "Copyright": "Copyright ", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "NtBuildNumber", - "ZwMapViewOfSection", - "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", + "MmGetPhysicalAddress", + "ExAllocatePoolWithTag", + "memcpy", + "memset", + 
"ObfDereferenceObject", + "IoWMIQueryAllData", + "DbgPrint", "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "IoAllocateErrorLogEntry", - "ZwCreateFile", - "wcsrchr", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", - "ZwUnmapViewOfSection", - "_snwprintf_s", - "ZwClose", - "RtlAppendUnicodeStringToString", - "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", + "IoDeleteSymbolicLink", "IoCreateSymbolicLink", - "ObfDereferenceObject", "IoCreateDevice", - "RtlAssert", - "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "wcscpy_s", + "KeTickCount", + "KeBugCheckEx", + "ZwUnmapViewOfSection", + "RtlInitUnicodeString", "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", - "IofCallDriver", - "ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", - "KeBugCheckEx" + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", + "ZwClose", + "IoWMIOpenBlock", + "IofCompleteRequest", + "WRITE_PORT_ULONG", + "READ_PORT_USHORT", + "WRITE_PORT_USHORT", + "HalTranslateBusAddress", + "WRITE_PORT_UCHAR", + "READ_PORT_UCHAR", + "READ_PORT_ULONG" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - 
"ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
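Review bot: The new side changes the record schema, not only the data: `"Commands"` turns from a string into an object holding `"Command"`, `"Description"` from `[]` into `""`, `"FileName"` is renamed to `"Filename"`, and `"CertificatesInfo"` from `[]` into `""`, so a typed struct or key lookup in the pkg/loldrivers loader written against the old shape would either fail to unmarshal or silently read empty names and hashes, and since this file is the match list, an empty set means no driver gets flagged. The loader and its tests presumably need to change in the same commit; at minimum a test that loads this file and asserts a non-zero number of samples with a non-empty `"SHA256"` would catch a future schema drift. The same renames appear in the following hunks of this file. Two upstream data quirks are also visible here: the `"Resources"` array carries a duplicate entry with a leading space (`" https://github.com/Chigusa0w0/..."`) and `"Copyright": "Copyright "` looks truncated at a non-ASCII character, so the consumer should trim strings rather than compare them exactly.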
@@ -86135,228 +82312,215 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", + "ValidFrom": "2012-07-31 00:00:00", + "ValidTo": "2015-08-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": 
"C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "7d08d9bc130726de26ee4ef28e133084", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "driver7-x86.sys" + ], + "yara": true + }, + { + "Id": "0f21a584-6ace-4242-82cb-9766cea6973a", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create CITMDRV_IA64.sys binPath=C:\\windows\\temp\\CITMDRV_IA64.sys type=kernel && sc.exe start CITMDRV_IA64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "DirectIo64.sys", - "MD5": "8fbb1ffc6f13f9d5ee8480b36baffc52", - "SHA1": "3c9c86c0b215ecbab0eeb4479c204dba65258b8e", - "SHA256": "0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135", - "Authentihash": { - "MD5": "fc4afd4ae9e72a9f117067d3b76be36c", - "SHA1": "b74246c8cb77b0364b7cece38bff5f462eec983c", - "SHA256": "40e624bf557b51775af1ca17062c4eca3693322e250b257aec7dc579e626ef07" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "c7a57cd4bea07dadba2e2fb914379910", + "SHA1": "ea877092d57373cb466b44e7dbcad4ce9a547344", + "SHA256": "1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ExAllocatePoolWithTag", - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "ZwMapViewOfSection", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", - "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "IoAllocateErrorLogEntry", + "ZwWriteFile", + "DbgPrint", "ZwCreateFile", - "wcsrchr", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "_vsnwprintf", - "ZwClose", - "RtlAppendUnicodeStringToString", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", "IofCompleteRequest", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", "IoCreateSymbolicLink", - "ObfDereferenceObject", "IoCreateDevice", - "RtlAssert", - "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", - "IofCallDriver", - "ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", + "KeTickCount", "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], - 
"SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 
23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, 
CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "76d1d4d285f74059f32b8ad19a146d0c", - "SHA1": "3f338ab65bac9550b8749bb1208edb0f7d7bcb81", - "SHA256": "4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8", - "Authentihash": { - "MD5": "333bdf3d4b1fcc9038db0cacb89b9bab", - "SHA1": "8b86e08d610bcc9ab7b7750f036dbb568f733be0", - "SHA256": "841f965977f33d621d126412032c47dd6118251623c380e5572f7553b620b0e1" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "6909b5e86e00b4033fedfca1775b0e33", + "SHA1": "205c69f078a563f54f4c0da2d02a25e284370251", + "SHA256": "22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "IoBuildSynchronousFsdRequest", - "ZwMapViewOfSection", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", - "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "IoAllocateErrorLogEntry", - "IoDriverObjectType", + "ZwWriteFile", + "DbgPrint", "ZwCreateFile", - "wcsrchr", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "_vsnwprintf", - "MmMapIoSpace", - "ZwClose", - "RtlAppendUnicodeStringToString", - "ExAllocatePoolWithTag", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", - "IoGetAttachedDeviceReference", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoCreateDevice", - "RtlAssert", - "IoEnumerateDeviceObjectList", - "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "IoGetDeviceProperty", + "MmUnlockPages", + "IoFreeMdl", "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", + "MmProbeAndLockPages", "IoAllocateMdl", - "IofCallDriver", - 
"ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", - "KeBugCheckEx", - "IofCompleteRequest", - "MmUnmapLockedPages", "__C_specific_handler", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -86366,20 +82530,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2013-01-14 00:00:00", - "ValidTo": "2015-01-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -86388,249 +82538,183 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "f41eea88057d3dd1a56027c4174eed22", - "SHA1": "13572d36428ef32cfed3af7a8bb011ee756302b0", - "SHA256": "72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1", - "Authentihash": { - "MD5": "598c5fa89cbf0dbcdf6b252cac71aecd", - "SHA1": 
"02a7e085631ecfe031b76afa883a266c850ed61b", - "SHA256": "fb5e65aec819c5a91ef0ce0fec0a957826b5e1ac9bac559a1b4201a3870462a3" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "fa173832dca1b1faeba095e5c82a1559", + "SHA1": "f9feb60b23ca69072ce42264cd821fe588a186a6", + "SHA256": "405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "IoBuildSynchronousFsdRequest", - "ZwMapViewOfSection", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", - "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "IoAllocateErrorLogEntry", - "IoDriverObjectType", + "ZwWriteFile", + "DbgPrint", "ZwCreateFile", - "wcsrchr", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "_vsnwprintf", - "MmMapIoSpace", - "ZwClose", - 
"RtlAppendUnicodeStringToString", - "ExAllocatePoolWithTag", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", - "IoGetAttachedDeviceReference", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoCreateDevice", - "RtlAssert", - "IoEnumerateDeviceObjectList", - "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "IoGetDeviceProperty", + "MmUnlockPages", + "IoFreeMdl", "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", + "MmProbeAndLockPages", "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", - "KeBugCheckEx", - "IofCompleteRequest", - "MmUnmapLockedPages", "__C_specific_handler", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2013-01-14 00:00:00", - "ValidTo": "2015-01-14 23:59:59", - "Signature": 
"962575976d67babaeead5b02f75eb90413510ab88431e41e557b88607fdb1788cc2a92e9314ec15ad64a575e59ad1d56b393600e9821e2ba7e50a4e8c7a8bbac03da75a6aa19c5ea5a74e541a0ee96928771368dce74948facce20e2fde3165fb5f5a5aa1c7f1809fca417d1179e7f4f46ade45c1c9f1b9696337719ca36dc304a0df468908064e37f878eeddc42a4b417652d563615134bc7f52927f8f96717b63631df61403dbad145e56ad07a466c911fca193cbe2e013925287326bf7c4870c0a7564be57688769c742685822b853bcc7ef4d53e322ac619c85a90693ecf40674cd9286cdac7da899b50a13c69433cbc298e176d7dbecf178fffd66a79f3", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "c4f5619ce04d4bee38024d08513c77fd", - "SHA1": "4c6ec22bc10947d089167b19d83a26bdd69f0dd1", - "SHA256": "79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463", - "Authentihash": { - "MD5": "060c97a44e53086add25404d8694d094", - "SHA1": "66941573dafd7259cba113c0fa9eaccd347355fd", - "SHA256": "a520ff5c754a1fb62ba88399a313d0c0fb99145ba2d3d91dbf4282388b77fa84" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "bbe4f5f8b0c0f32f384a83ae31f49a00", + "SHA1": 
"b25170e09c9fb7c0599bfba3cf617187f6a733ac", + "SHA256": "49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "IoBuildSynchronousFsdRequest", - "ZwMapViewOfSection", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", - "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "IoAllocateErrorLogEntry", - "IoDriverObjectType", + "ZwWriteFile", + "DbgPrint", "ZwCreateFile", - "wcsrchr", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "_vsnwprintf", - "MmMapIoSpace", - "ZwClose", - "RtlAppendUnicodeStringToString", - "ExAllocatePoolWithTag", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", - "IoGetAttachedDeviceReference", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoCreateDevice", - "RtlAssert", - "IoEnumerateDeviceObjectList", 
- "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "IoGetDeviceProperty", + "MmUnlockPages", + "IoFreeMdl", "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", + "MmProbeAndLockPages", "IoAllocateMdl", - "IofCallDriver", - "ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", - "KeBugCheckEx", - "IofCompleteRequest", - "MmUnmapLockedPages", "__C_specific_handler", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -86641,139 +82725,100 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2013-01-14 00:00:00", - "ValidTo": "2015-01-14 23:59:59", - "Signature": "962575976d67babaeead5b02f75eb90413510ab88431e41e557b88607fdb1788cc2a92e9314ec15ad64a575e59ad1d56b393600e9821e2ba7e50a4e8c7a8bbac03da75a6aa19c5ea5a74e541a0ee96928771368dce74948facce20e2fde3165fb5f5a5aa1c7f1809fca417d1179e7f4f46ade45c1c9f1b9696337719ca36dc304a0df468908064e37f878eeddc42a4b417652d563615134bc7f52927f8f96717b63631df61403dbad145e56ad07a466c911fca193cbe2e013925287326bf7c4870c0a7564be57688769c742685822b853bcc7ef4d53e322ac619c85a90693ecf40674cd9286cdac7da899b50a13c69433cbc298e176d7dbecf178fffd66a79f3", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6ec5060c23b767aa5eb4fe5ddad4af2d", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "5093f38d597532d59d4df9018056f0d1", - "SHA1": "0904b8fa4654197eefd6380c81bbb2149ffe0634", - "SHA256": "8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587", - "Authentihash": { - "MD5": "5789f4f652c129f3cfa28290ffad8672", - "SHA1": "706686f2a1ef4738a1856d01ab10eb730fc7b327", - "SHA256": "9996b31234ba736fc2c6f2b75f641e25d156f19d6ac84cf85283fde08a714842" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "c5f5d109f11aadebae94c77b27cb026f", + "SHA1": 
"160c96b5e5db8c96b821895582b501e3c2d5d6e7", + "SHA256": "4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", + "Company": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlQueryRegistryValues", - "MmGetSystemRoutineAddress", - "RtlWriteRegistryValue", - "RtlAppendUnicodeStringToString", - "RtlAppendUnicodeToString", - "DbgPrintEx", - "RtlGetVersion", - "KeInitializeEvent", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExAllocatePoolWithQuotaTag", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateErrorLogEntry", - "IoAllocateMdl", - "IoBuildDeviceIoControlRequest", - "IoBuildSynchronousFsdRequest", - "IofCallDriver", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetAttachedDeviceReference", - "IoGetDeviceObjectPointer", - "IoWriteErrorLogEntry", - "RtlIntegerToUnicodeString", - "ObReferenceObjectByHandle", - "ObReferenceObjectByPointer", - "ObfDereferenceObject", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "ZwOpenKey", - "ZwQueryValueKey", - 
"MmGetPhysicalMemoryRanges", - "PsGetProcessId", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "IoEnumerateDeviceObjectList", - "ObQueryNameString", - "_vsnwprintf", - "ObReferenceObjectByName", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsInitialSystemProcess", - "NtBuildNumber", - "IoDriverObjectType", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KdSystemDebugControl", - "KdDebuggerEnabled", - "KeQueryActiveProcessors", - "KeBugCheckEx", - "IoGetDeviceProperty", - "wcsrchr", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -86783,13 +82828,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
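Review bot: The new side changes the type of `CertificatesInfo` from an empty array (`"CertificatesInfo": []`) to an empty string (`"CertificatesInfo": ""`) in the KnownVulnerableSamples entry of this hunk, and the same type change recurs in the hunks at `@@ -86798,119 +82836,93 @@` and `@@ -86935,447 +82940,350 @@`. A key whose type differs between revisions is exactly the schema drift that breaks a strict consumer: if the Go struct this package unmarshals drivers.json into declares that field as a slice, json.Unmarshal will reject `""` and the whole driver list fails to load, which for a tool that uses this file as its detection source means checking drivers against an empty list; this commit touches only drivers.json, so please confirm the parsing type already tolerates both shapes (e.g. `json.RawMessage`) or adjust it in the same change. Separately, several subject and issuer strings on the new side carry a space before a comma (`Symantec Time Stamping Services Signer , G4`, `Symantec Time Stamping Services CA , G2`), which looks like the upstream exporter splitting a comma inside a CN rather than a real DN component; that is inherited data, but it matters if issuer strings from this file are ever compared against values parsed from a live certificate.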
@@ -86798,119 +82836,93 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2014-10-23 00:00:00", - "ValidTo": "2017-01-13 23:59:59", - "Signature": "2a7625d379f9d98000b6a91746a285e932f9b02086b92f0f5511369a2fe6917b6b0b1f833094654288a1b282fe4057f84aa07a68c19a460d989c2935df87248a85456b058fcb53b1a5f3d037735374336fb58c1ff3d8973017b0aefac3e114f0d439239b2c7f3e1ef073bd38748dfd81ad871e50e71ece4cb43d44de9b36f13240b52c20a02a74581ba72f526f8362bf8bff2e51884cfdaf89859fe8ffd32e82d36745d05754c7161ee5945647d6fb907f347f0448761bf6dcd40ead8a425b4e575fc13ce3a74d1b99504a6db112fb1fb930c11488f702bc9fc78f278c4a987fa4de2382839206d25290cb74895c82be23d5d44002745c4e7a3cab28f42583f1", + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "790ccca8341919bb8bb49262a21fca0e", - "SHA1": "61f5904e9ff0d7e83ad89f0e7a3741e7f2fbf799", - "SHA256": "9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f", - "Authentihash": { - "MD5": "7b9da0ee121248056b6ff192abd03ccb", - "SHA1": "8ec43d1def8bb20354aeba49a9084bacd2c02817", - "SHA256": "ad44cfd9c6262a6ff36ee9d03e59ba4b0524ef87f6b980ce15abb10a35d39f88" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "40bc58b7615d00eb55ad9ba700c340c1", + "SHA1": "a2e0b3162cfa336cd4ab40a2acc95abe7dc53843", + "SHA256": "4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoWriteErrorLogEntry", - "IoBuildDeviceIoControlRequest", - "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "NtBuildNumber", - "IoBuildSynchronousFsdRequest", - "ZwMapViewOfSection", + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlIntegerToUnicodeString", - "IoDeleteDevice", - "RtlAppendUnicodeToString", - "KeInitializeEvent", - "RtlQueryRegistryValues", - "MmUnmapIoSpace", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "IoAllocateErrorLogEntry", - "IoDriverObjectType", + "ZwWriteFile", + "DbgPrint", "ZwCreateFile", - "wcsrchr", - "MmMapLockedPagesSpecifyCache", - "IoGetDeviceObjectPointer", - "ZwQueryValueKey", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "_vsnwprintf", - "MmMapIoSpace", - "ZwClose", - "RtlAppendUnicodeStringToString", - "ExAllocatePoolWithTag", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlWriteRegistryValue", - "IoGetAttachedDeviceReference", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoCreateDevice", - "RtlAssert", - "IoEnumerateDeviceObjectList", - "MmGetPhysicalMemoryRanges", - "ZwWriteFile", - "IoGetDeviceProperty", + "MmUnlockPages", + "IoFreeMdl", "ZwOpenSection", - "DbgPrintEx", - "ObReferenceObjectByPointer", - "PsGetProcessId", - "DbgPrint", + "MmProbeAndLockPages", "IoAllocateMdl", - "IofCallDriver", - 
"ZwOpenKey", - "KeQueryActiveProcessors", - "KeLeaveCriticalRegion", - "MmGetSystemRoutineAddress", - "KdSystemDebugControl", - "KeEnterCriticalRegion", - "KdDebuggerEnabled", - "KeBugCheckEx", - "IofCompleteRequest", - "MmUnmapLockedPages", "__C_specific_handler", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { @@ -86920,13 +82932,6 @@ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", "ValidFrom": "2012-10-18 00:00:00", 
@@ -86935,447 +82940,350 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=New South Wales, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2014-10-23 00:00:00", - "ValidTo": "2017-01-13 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", - "ValidFrom": "2011-02-22 19:31:57", - "ValidTo": "2021-02-22 19:41:57", - "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "5ece8cdb4d508efee821a7cfff5b8016", - "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "7978d858168fadd05c17779da5f4695a", - "SHA1": "2db49bdf8029fdcda0a2f722219ae744eae918b0", - "SHA256": "ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25", - "Authentihash": { - "MD5": "4f19a1d2166d52af3e3590d9748e91bc", - "SHA1": "f1bdd3236f43338a119d74eca730f0d464ded973", - "SHA256": "96a5b3cd7c1a6dda5b6f402e6c35ba535270467f56addc7448dbe4aa78428411" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "839cbbc86453960e9eb6db814b776a40", + "SHA1": "4e826430a1389032f3fe06e2cc292f643fb0c417", + "SHA256": "54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlQueryRegistryValues", - "MmGetSystemRoutineAddress", - "RtlWriteRegistryValue", - "RtlAppendUnicodeStringToString", - "RtlAppendUnicodeToString", - "DbgPrintEx", - "RtlGetVersion", - "KeInitializeEvent", - "KeWaitForSingleObject", - "ExAllocatePoolWithTag", - "ExAllocatePoolWithQuotaTag", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateErrorLogEntry", - "IoAllocateMdl", - "IoBuildDeviceIoControlRequest", - "IoBuildSynchronousFsdRequest", - "IofCallDriver", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetAttachedDeviceReference", - "IoGetDeviceObjectPointer", - "RtlIntegerToUnicodeString", - "IoGetDeviceProperty", - "ObReferenceObjectByHandle", - "ObReferenceObjectByPointer", - "ObfDereferenceObject", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "ZwOpenKey", - "ZwQueryValueKey", - "MmGetPhysicalMemoryRanges", - "PsGetProcessId", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "IoEnumerateDeviceObjectList", - "ObQueryNameString", - "_vsnwprintf", - "ObReferenceObjectByName", + 
"MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsInitialSystemProcess", - "NtBuildNumber", - "IoDriverObjectType", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KdSystemDebugControl", - "KdDebuggerEnabled", - "KeQueryActiveProcessors", - "KeBugCheckEx", - "IoWriteErrorLogEntry", - "wcsrchr", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=AU, ??=Private Organization, serialNumber=099 321 392, C=AU, ST=New South Wales, L=Surry Hills, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd", - "ValidFrom": "2018-10-18 00:00:00", - "ValidTo": "2021-02-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": 
"13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "0d671c2c3c13676231329afa97b1ec2b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "d660fc7255646d5014d45c3bca9c6e20", - "SHA1": "01b95ae502aa09aabc69a0482fcc8198f7765950", - "SHA256": "b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1", - "Authentihash": { - "MD5": "21853c3ceffa008b53f1144772a6750e", - "SHA1": "4aea4fbb9a732d57643f61f1bf3b82cebb18ab72", - "SHA256": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "42f7cc4be348c3efd98b0f1233cf2d69", + "SHA1": "7ab4565ba24268f0adadb03a5506d4eb1dc7c181", + "SHA256": "5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlQueryRegistryValues", - "MmGetSystemRoutineAddress", - "RtlWriteRegistryValue", - "RtlAppendUnicodeStringToString", - "RtlAppendUnicodeToString", - "DbgPrintEx", - "RtlGetVersion", - "KeInitializeEvent", - "KeWaitForSingleObject", - "ExAllocatePool2", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateErrorLogEntry", - "IoAllocateMdl", - "IoBuildDeviceIoControlRequest", - "IoBuildSynchronousFsdRequest", - "IofCallDriver", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetAttachedDeviceReference", - "IoGetDeviceObjectPointer", - "IoWriteErrorLogEntry", - "RtlIntegerToUnicodeString", - "ObReferenceObjectByHandle", - "ObReferenceObjectByPointer", - "ObfDereferenceObject", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "ZwOpenKey", - "ZwQueryValueKey", - "MmGetPhysicalMemoryRanges", - "PsGetProcessId", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "IoEnumerateDeviceObjectList", - "ObQueryNameString", - "_vsnwprintf", - "ObReferenceObjectByName", + "MmUnlockPages", + "IoFreeMdl", + 
"ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsInitialSystemProcess", - "NtBuildNumber", - "IoDriverObjectType", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KdSystemDebugControl", - "KdDebuggerEnabled", - "KeQueryActiveProcessors", - "KeBugCheckEx", - "IoGetDeviceProperty", - "wcsrchr", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "serialNumber=49 099 321 392, ??=AU, ??=Private Organization, C=AU, postalCode=2010, ST=New South Wales, L=Surry Hills, ??=Level 5 63 Foveaux Street, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd", - "ValidFrom": "2021-01-06 00:00:00", - "ValidTo": "2024-01-06 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", - "ValidFrom": "2014-12-03 00:00:00", - "ValidTo": "2029-12-02 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + 
"ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "00c230ef10f73148fd583fc3836a573892", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo64.sys", - "MD5": "b3424a229d845a88340045c29327c529", - "SHA1": "ffabdf33635bdc1ed1714bc8bbfd7b73ef78a37c", - "SHA256": "bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961", - "Authentihash": { - "MD5": "21853c3ceffa008b53f1144772a6750e", - "SHA1": 
"4aea4fbb9a732d57643f61f1bf3b82cebb18ab72", - "SHA256": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1" - }, - "Description": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "2128e6c044ee86f822d952a261af0b48", + "SHA1": "dc7b022f8bd149efbcb2204a48dce75c72633526", + "SHA256": "76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", + "Description": "", "Product": "", "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", "Copyright": "", - "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlQueryRegistryValues", - "MmGetSystemRoutineAddress", - "RtlWriteRegistryValue", - "RtlAppendUnicodeStringToString", - "RtlAppendUnicodeToString", - "DbgPrintEx", - "RtlGetVersion", - "KeInitializeEvent", - "KeWaitForSingleObject", - "ExAllocatePool2", - "ExFreePoolWithTag", - "MmBuildMdlForNonPagedPool", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "MmMapIoSpace", - "MmUnmapIoSpace", - "IoAllocateErrorLogEntry", - "IoAllocateMdl", - "IoBuildDeviceIoControlRequest", - "IoBuildSynchronousFsdRequest", - "IofCallDriver", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoFreeMdl", - "IoGetAttachedDeviceReference", - "IoGetDeviceObjectPointer", - "IoWriteErrorLogEntry", - 
"RtlIntegerToUnicodeString", - "ObReferenceObjectByHandle", - "ObReferenceObjectByPointer", - "ObfDereferenceObject", - "ZwCreateFile", - "ZwWriteFile", - "ZwClose", - "ZwOpenSection", "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "ZwOpenKey", - "ZwQueryValueKey", - "MmGetPhysicalMemoryRanges", - "PsGetProcessId", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "IoEnumerateDeviceObjectList", - "ObQueryNameString", - "_vsnwprintf", - "ObReferenceObjectByName", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", "__C_specific_handler", - "IoFileObjectType", - "PsProcessType", - "PsInitialSystemProcess", - "NtBuildNumber", - "IoDriverObjectType", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KdSystemDebugControl", - "KdDebuggerEnabled", - "KeQueryActiveProcessors", - "KeBugCheckEx", - "IoGetDeviceProperty", - "wcsrchr", - "KeStallExecutionProcessor" + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "serialNumber=49 099 321 392, ??=AU, ??=Private Organization, C=AU, postalCode=2010, ST=New South Wales, L=Surry Hills, ??=Level 5 63 Foveaux Street, O=PassMark Software Pty Ltd, CN=PassMark Software Pty Ltd", - "ValidFrom": "2021-01-06 00:00:00", - "ValidTo": "2024-01-06 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + 
}, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", - "ValidFrom": "2014-12-03 00:00:00", - "ValidTo": "2029-12-02 23:59:59", - "Signature": "664eecb716776f11e81b5d6a4ed9f28b6cb15628408bc031c49948233df80ee88097ef6d200b1f13c486fb173415e18e54f7c2b8007315e028d9dabafa8254c2f7ebbfc336d0309fe5a11c94dfef7ce8f62c78a2accf266a15a11531d6313498bd534fc48483a3c4965c3dd8fed6f954ff67936df83e2b6b2ca2087c5648813218b26eac90c1dbe4de398b86e5c7184059a4df9647bab27fb1f8570f858074380e3a58621efe52e3e6ae530986fe8f9bdb5656cc07b089c104f1530b6c6f77ecb21fecf65b4043600f1bab1854b410048ef80ee9cb83b17af2344e6a544ce9832ae9b030251cce628e0eeb85e629feb14ae3f2ae3c91f54ca1bec8170e5cbb424de31a8a92cd3e207edde975b1ea1f745c9e54c29437b261dd0716597f968016e099b5d26eb0c9230615acd123f4338bce75f0c186d3ffe12efa904ffe46f9bbdb4fbbb7fed10d2b04f1d2d195852c8a2eb88556f2c38452a1e933b1eb50c8a1b09fe3c38b3a879ee755d3d36d3417300d68220bd5b9ed733572c3eda737cde343ae45cd34bf28ca8762ed43a4affacb31cb215861465eb6c67aa61e532aa8f85c511f3a5a100f28c0e4748b74c604aaf84b26280a3289db9d2a60716ac3964e16b963bf6195678c4b2ebbb04e83e94d31e58e2722f53c267b4491d3d45af0d37cf438be149a990e8bb15beae48b0f119d7742821c5c3ad4daab882f8d573054", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 
Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "00c230ef10f73148fd583fc3836a573892", - "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] - } - ], - "Tags": [ - "directio64.sys" - ] - }, - { - "Id": "b1dd91b1-9ba3-4d68-a2d1-919039e18430", - "Author": "Michael Haag", - "Created": "2023-04-14", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create dcr.sys binPath=C:\\windows\\temp\\dcr.sys type=kernel && sc.exe start dcr.sys", - "Description": "DriveCrypt Dcr.sys vulnerability exploit for bypassing x64 DSE", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/wjcsharp/DriveCrypt" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "dcr.sys", - "MD5": "c24800c382b38707e556af957e9e94fd", - "SHA1": "b49ac8fefc6d1274d84fef44c1e5183cc7accba1", - "SHA256": "3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5", - "Signature": "", + "Filename": "CITMDRV_IA64.sys", + "MD5": "fd81af62964f5dd5eb4a828543a33dcf", + "SHA1": "0307d76750dd98d707c699aee3b626643afb6936", + "SHA256": "7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], "Date": "", - "Publisher": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "AMD64", + "MachineType": "IA64", "OriginalFilename": "", "Authentihash": { - "MD5": "accf79b751fafb101c1ce17fb7611b70", - "SHA1": "8f2f1684a7305f32015d54c402790a47c6c7a0c9", - "SHA256": "2b60228db4f3092063e115537b5731ef3487ecf55c036e812605c5149071332c" + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" }, "InternalName": "", "Copyright": "", 
@@ -87384,70 +83292,28 @@
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "ExFreePoolWithTag",
- "RtlInitAnsiString",
- "IoCreateSymbolicLink",
- "PsTerminateSystemThread",
- "PoStartNextPowerIrp",
- "ObfDereferenceObject",
- "KeInitializeMutex",
 "ZwClose",
- "RtlAnsiStringToUnicodeString",
- "IofCompleteRequest",
- "wcsncat",
- "IoCreateDevice",
- "KeInitializeSemaphore",
- "ZwReadFile",
- "ObReferenceObjectByHandle",
- "KeWaitForSingleObject",
- "ZwSetInformationFile",
- "IoSetHardErrorOrVerifyDevice",
- "ZwWriteFile",
- "sprintf",
- "KeSetPriorityThread",
- "RtlFreeUnicodeString",
- "IoInitializeTimer",
- "IoStartTimer",
- "RtlDeleteRegistryValue",
- "RtlWriteRegistryValue",
- "RtlCreateRegistryKey",
- "ExAllocatePoolWithTag",
+ "ZwOpenFile",
 "RtlInitUnicodeString",
+ "ZwWriteFile",
+ "DbgPrint",
 "ZwCreateFile",
- "IoAttachDevice",
- "ProbeForRead",
+ "vsprintf",
 "IoDeleteDevice",
- "PoCallDriver",
- "KeSetEvent",
- "IofCallDriver",
- "KeClearEvent",
- "ProbeForWrite",
- "PsCreateSystemThread",
- "KeReleaseSemaphore",
- "ExInterlockedRemoveHeadList",
- "ExInterlockedInsertTailList",
- "KeInitializeEvent",
 "IoDeleteSymbolicLink",
- "RtlQueryRegistryValues",
- "IoGetRelatedDeviceObject",
- "IoSetThreadHardErrorMode",
- "MmBuildMdlForNonPagedPool",
- "IoFreeMdl",
- "KeReleaseMutex",
- "IoFileObjectType",
- "MmMapLockedPagesSpecifyCache",
- "IoGetDeviceObjectPointer",
- "IoFreeIrp",
+ "ZwMapViewOfSection",
+ "ZwUnmapViewOfSection",
 "MmUnlockPages",
- "ZwQueryInformationFile",
+ "IoFreeMdl",
+ "ZwOpenSection",
+ "MmProbeAndLockPages",
 "IoAllocateMdl",
- "MmUnmapLockedPages",
- "IoBuildDeviceIoControlRequest",
- "IoAllocateIrp",
- "ZwDeviceIoControlFile",
- "ZwFsControlFile",
 "__C_specific_handler",
- "__chkstk"
+ "IofCompleteRequest",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "KeTickCount",
+ "KeBugCheckEx"
 ],
 "Signatures": [
 {
@@ -87455,867 +83321,793 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=DE, O=SecurStar GmbH, CN=SecurStar GmbH, emailAddress=contact@securstar.com", - "ValidFrom": "2007-04-13 10:29:04", - "ValidTo": "2010-04-13 10:29:04", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "11d45d8af43d0d9d7e4fa70071610b56b34caa70e1b2d1dec7886d1d897c2ba946e58b1f8e4cc26695911fe34d394ae31b70b7446edc068a4d6d25e89812dcbca0dd864eae8f81130540905a542529944acaf165b4ef0679dae7cb86f004c918dcee72b320015748dfe333e12ccd9c077f9447278d888d340ca67c5c20c17d07b3736b648c26d29bd7e87965a6a891a174862a050282c1847cf279cd3c2a2b0f99291eea8c8a1ab16aeaa266380e65e1add8c6c91f888d3976ee1782c4138d97ce6341e77af5b4b66c15c33813b3930b620688dde1447f10a950248b60dc05f75ba514b27b56720b96eabffc057090659e051ca4dd07af4b57dec639673bc574", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Comodo Time Stamping Signer", - "ValidFrom": "2005-05-17 00:00:00", - "ValidTo": "2010-05-16 23:59:59", - "Signature": "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", + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "01000000000111ea7d2e62", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } ] - } - ], - "Tags": [ - "dcr.sys" - ] - }, - { - "Id": "6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create kbdcap64.sys binPath=C:\\windows\\temp\\kbdcap64.sys type=kernel && sc.exe start kbdcap64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "kbdcap64.sys", - "SHA256": "72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1", - "Signature": [], + "Filename": "CITMDRV_IA64.sys", + "MD5": "010c0e5ac584e3ab97a2daf84cf436f5", + "SHA1": "5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a", + "SHA256": "845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], "Date": "", - "Publisher": "", + "Publisher": "IBM Polska Sp. 
z o.o.", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "kbdcap64.sys" - ] - }, - { - "Id": "d35cb48d-2aca-4d7d-a194-f4566183bcd9", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create TmComm.sys binPath=C:\\windows\\temp\\TmComm.sys type=kernel && sc.exe start TmComm.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "TmComm.sys", - "MD5": "34686a4b10f239d781772e9e94486c1a", - "SHA1": "8a922499f7a1b978555b46c30f90de1339760c74", - "SHA256": "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06", + "MachineType": "IA64", + "OriginalFilename": "", "Authentihash": { - "MD5": "ebd5f8589975be817ecd3c281055d4a7", - "SHA1": "ebd74b4fecfb48c28cdf11f123e0364c9e9852ea", - "SHA256": "66539655171ddff02d8134241c58a53de3faa6467db7be14131e04b99ef33cee" + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1106", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. 
All rights reserved.", - "MachineType": "I386", + "InternalName": "", + "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - 
"??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - 
"??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - 
"??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - 
"??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - 
"?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - 
"?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - 
"?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - 
"?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - 
"?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - 
"_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "ff7b31fa6e9ab923bce8af31d1be5bb2", + "SHA1": "6714380bc0b8ab09b9a0d2fa66d1b025b646b946", + "SHA256": "84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "7bd840ff7f15df79a9a71fec7db1243e", + "SHA1": "8626ab1da6bfbdf61bd327eb944b39fd9df33d1d", + "SHA256": "8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "fa222bed731713904320723b9c085b11", + "SHA1": "30a224b22592d952fbe2e6ad97eda4a8f2c734e0", + "SHA256": "a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "f778489c7105a63e9e789a02412aaa5f", + "SHA1": "c95db1e82619fb16f8eec9a8209b7b0e853a4ebe", + "SHA256": "ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "ed07f1a8038596574184e09211dfc30f", + "SHA1": "fe1d909ab38de1389a2a48352fd1c8415fd2eab0", + "SHA256": "b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2010-04-08 00:00:00", + "ValidTo": "2013-04-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "45595f53cb4840a48f7415305213fba6", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "14eead4d42728e9340ec8399a225c124", + "SHA1": "b4d1554ec19504215d27de0758e13c35ddd6db3e", + "SHA256": "b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObfDereferenceObject", - "ZwSetEvent", "ZwClose", - "ZwConnectPort", + "ZwOpenFile", "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", + "DbgPrint", "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "ExAllocatePoolWithTag", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - 
"RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", - "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeDelayExecutionThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "ZwQuerySecurityObject", - "memcpy", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "IoFreeMdl", - "_purecall", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ObQueryNameString", - "MmGetSystemRoutineAddress", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", + 
"MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", "IofCompleteRequest", - "ExEventObjectType", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "825703c494e0d270f797f1ecf070f698", + "SHA1": "5dd2c31c4357a8b76db095364952b3d0e3935e1d", + "SHA256": "b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c", + "Signature": [ + "IBM Polska Sp. 
z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - 
"KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ZwSetSecurityObject", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "MmUnlockPages", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "KeTickCount", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { 
@@ -88333,761 +84125,2062 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "CITMDRV_IA64.sys", + "MD5": "9007c94c9d91ccff8d7f5d4cdddcc403", + "SHA1": "ecb4d096a9c58643b02f328d2c7742a38e017cf0", + "SHA256": "db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653", + "Signature": [ + "IBM Polska Sp. z o.o.", + "Symantec Class 3 SHA256 Code Signing CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + 
"Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2016-05-30 00:00:00", + "ValidTo": "2019-07-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", + "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "497c4fad471540e6e453d0cafb155740", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "28d6b138adc174a86c0f6248d8a88275", - "SHA1": "8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb", - "SHA256": "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56", - "Authentihash": { - "MD5": "53dc04de7603508de1788cc4cfcbf35f", - "SHA1": "b9b4d64e4c97b88e7258994f542c0ac84e934554", - "SHA256": "cf0855a8517be550b08a981bfacf90f245791cd70620868a241f1b1e2d8dfd89" + "Filename": "CITMDRV_IA64.sys", + "MD5": "9b359b722ac80c4e0a5235264e1e0156", + "SHA1": "4a705af959af61bad48ef7579f839cb5ebd654d2", + "SHA256": "e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028", + "Signature": [ + "IBM Polska Sp. z o.o.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "IBM Polska Sp. 
z o.o.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "IA64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2be85acec4d5e36a137af7ef046e0cc8", + "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", + "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1121", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. All rights reserved.", - "MachineType": "AMD64", + "InternalName": "", + "Copyright": "", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - 
"??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - 
"??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - "??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - 
"??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - 
"??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - 
"?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - 
"?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - 
"?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - 
"?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - 
"?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - 
"UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwOpenFile", + "RtlInitUnicodeString", + "ZwWriteFile", + "DbgPrint", + "ZwCreateFile", + "vsprintf", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "MmUnlockPages", + "IoFreeMdl", + "ZwOpenSection", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", + "ValidFrom": "2013-05-31 00:00:00", + "ValidTo": "2016-06-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": 
"63acb2cbe8cf97d66478469f5ce0d445", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "CITMDRV_IA64.sys" + ], + "yara": false + }, + { + "Id": "cfdc5cb4-be5c-4dcc-a883-825fa72115b4", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create PanMonFlt.sys binPath=C:\\windows\\temp\\PanMonFlt.sys type=kernel && sc.exe start PanMonFlt.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + 
"Filename": "PanMonFlt.sys", + "MD5": "2850608430dd089f24386f3336c84729", + "SHA1": "a6816949cd469b6e5c35858d19273936fab1bef6", + "SHA256": "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7", + "Signature": [ + "PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI.", + "GlobalSign CodeSigning CA - G2", + "GlobalSign" + ], + "Date": "", + "Publisher": "", + "Company": "Pan Yazilim Bilisim Teknolojileri Tic. Ltd. Sti.", + "Description": "PanCafe Manager File Monitor", + "Product": "PanCafe Manager", + "ProductVersion": "1.0.0.0", + "FileVersion": "1.0.0.0", + "MachineType": "I386", + "OriginalFilename": "PanMonFlt.sys", + "Authentihash": { + "MD5": "850ca45e16991f9560f708bf7a186754", + "SHA1": "800256c84e09de2c001868c0ec35211f6e9ad92a", + "SHA256": "348679f0f44eb5a50601c48728a5afd2b4312c95eeb7179ce57d447c0d30f873" + }, + "InternalName": "PanMonFlt.sys", + "Copyright": "Copyright (c) 2012-2014 Pan Yazılım Bilisim Teknolojileri Tic. Ltd. Sti.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "FLTMGR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExfInterlockedInsertTailList", + "RtlEqualUnicodeString", + "KeTickCount", + "ExfInterlockedRemoveHeadList", + "IoVolumeDeviceToDosName", + "RtlAppendUnicodeStringToString", + "DbgPrint", + "RtlAppendUnicodeToString", + "RtlInitUnicodeString", + "RtlCopyUnicodeString", + "memset", + "memcpy", + "ExAllocatePoolWithTag", + "PsGetCurrentThreadId", + "ExFreePoolWithTag", + "IoQueryFileDosDeviceName", + "RtlUnwind", + "KeBugCheckEx", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "FltUnregisterFilter", + "FltQueryInformationFile", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor", + "FltCreateCommunicationPort", + "FltFreeSecurityDescriptor", + "FltStartFiltering", + "FltGetStreamHandleContext", + "FltSetInformationFile", + "FltDeleteContext", + "FltAllocateContext", + "FltSetStreamHandleContext", + "FltReleaseContext", + "FltIsDirectory", + "FltParseFileName", + "FltSendMessage", + 
"FltCloseClientPort", + "FltCloseCommunicationPort" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G1", + "ValidFrom": "2013-08-23 00:00:00", + "ValidTo": "2024-09-23 00:00:00", + "Signature": "0231142e5857644185e8af12753c881cc35eec2ce9a13cf5baaa531db9d12963dc436786d439dadec6c9ffbe4585f4a4d7c151ea18ee40585ee67bcca241291338c8ea21169cce90a62efba6cad994df401df902182bbef65d4f9fff9a48dbc50509ca80cea0f9dc4bc323e6038fb4b4af5b71296191181a6b7af2fd0dd1cd7d5e98ebba705ee5f4ea43de353dc514818adb3e105ebb72faa1a093ab031cc1653c91138b045d2bc4b9161bcc55c50ce8abe743c9b28328a5531347ab3964b91cea3430b176009521f1d43da8fda00032d76e983ca69c3b0b83becbb8bb2a268c59b8b9aeaf26ace234a2dc210d810b3813f745a3e3dbc4aca16d1bb7e5615cd7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TR, ST=ISTANBUL, O=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. STI., CN=PAN YAZILIM BILISIM TEKNOLOJILERI TICARET LTD. 
STI.", + "ValidFrom": "2014-04-15 15:12:40", + "ValidTo": "2015-04-15 10:41:35", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121506480253469e07e54ee8612041fbb92", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + } + ], + "Tags": [ + "PanMonFlt.sys" + ], + "yara": true + }, + { + "Id": "c98af16e-197f-4e66-bf94-14646bde32dd", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create CupFixerx64.sys binPath=C:\\windows\\temp\\CupFixerx64.sys type=kernel && sc.exe start CupFixerx64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "CupFixerx64.sys", + "MD5": "2b3e0db4f00d4b3d0b4d178234b02e72", + "SHA1": "622e7bffda8c80997e149ac11492625572e386e0", + "SHA256": "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9", + "Authentihash": { + "MD5": "94821717c66d8a47853a8db22f0616bb", + "SHA1": "550937d17cfe9662abc8bd45f6bb58e159fc505a", + "SHA256": "8aba8df5a1aa3f14551047c8c9dea2b2d5867f2ad4dec89b53530c96a13c84db" + }, + "Description": "Sincey Cup Fixer", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "CupFixerx64.sys", + "OriginalFilename": "CupFixerx64.sys", + "FileVersion": "32.0.10011.13337", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "32.0.10011.13337", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetPhysicalAddress", + "RtlInitUnicodeString", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeLowerIrql", + "MmBuildMdlForNonPagedPool", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "KfRaiseIrql", + "RtlCompareMemory", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4", + "ValidFrom": "2022-08-01 00:00:00", + 
"ValidTo": "2031-11-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=Shanghai, L=Shanghai, O=Xinyi Electronic Technology (Shanghai) Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Xinyi Electronic Technology (Shanghai) Co., Ltd.", + "ValidFrom": "2013-11-22 00:00:00", + "ValidTo": "2014-11-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA", + "ValidFrom": "2022-03-23 00:00:00", + "ValidTo": "2037-03-22 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp 2022 , 2", + "ValidFrom": "2022-09-21 00:00:00", + "ValidTo": "2033-11-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "484b80a0e26c94f777323859a79adec5", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "CupFixerx64.sys" + ], + "yara": true + }, + { + "Id": "75a933b4-82d8-4eb8-8ed5-a0a2178630a3", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create fiddrv.sys binPath=C:\\windows\\temp\\fiddrv.sys type=kernel && sc.exe start fiddrv.sys", + "Description": "", 
+ "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "fiddrv.sys", + "SHA1": "8cc8974a05e81678e3d28acfe434e7804abd019c", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "fiddrv.sys", + "SHA1": "282bb241bda5c4c1b8eb9bf56d018896649ca0e1", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "fiddrv.sys" + ], + "yara": false + }, + { + "Id": "354a9fcf-acf1-4151-94d2-af88116f605c", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create piddrv.sys binPath=C:\\windows\\temp\\piddrv.sys type=kernel && sc.exe start piddrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + 
"Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "piddrv.sys", + "SHA1": "a7d827a41b2c4b7638495cd1d77926f1ba902978", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "piddrv.sys", + "SHA1": "877c6c36a155109888fe1f9797b93cb30b4957ef", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "piddrv.sys" + ], + "yara": false + }, + { + "Id": "0590655c-baa2-481a-b909-463534bd7a5e", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank5.sys binPath=C:\\windows\\temp\\daxin_blank5.sys type=kernel && sc.exe start daxin_blank5.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "daxin_blank5.sys", + "MD5": "f242cffd9926c0ccf94af3bf16b6e527", + "SHA1": "53f776d9a183c42b93960b270dddeafba74eb3fb", + "SHA256": "9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51", + "Signature": "Unsigned", + "Date": "1:29 AM 7/18/2008", + "Publisher": "n/a", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "I386", + "OriginalFilename": "", + "Authentihash": { + "MD5": "da0d70a9fd3a61a2802af4a07bed29d4", + 
"SHA1": "99a969b2deded8b2d403268cd49139463c06b484", + "SHA256": "954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "NDIS.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnlockPages", + "KeInsertQueueApc", + "strncmp", + "KeInitializeApc", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_except_handler3", + "IoQueueWorkItem", + "KeAttachProcess", + "KeDetachProcess", + "IoGetCurrentProcess", + "IoFreeWorkItem", + "RtlFreeUnicodeString", + "ZwClose", + "ZwWriteFile", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "IofCompleteRequest", + "ExFreePool", + "ExAllocatePoolWithTag", + "InterlockedDecrement", + "MmMapLockedPagesSpecifyCache", + "IoFreeMdl", + "InterlockedExchange", + "InterlockedIncrement", + "swprintf", + "RtlCopyUnicodeString", + "ExfInterlockedInsertTailList", + "wcsncmp", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "KeInitializeSpinLock", + "IoDeleteDevice", + "_strnicmp", + "ExfInterlockedRemoveHeadList", + "IoAllocateWorkItem", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "NdisAllocateMemory", + "NdisFreePacket", + "NdisAllocatePacket", + "NdisResetEvent", + "NdisCloseAdapter", + "NdisAllocateBuffer", + "NdisInitializeEvent", + "NdisOpenAdapter", + "NdisFreeMemory", + "NdisQueryAdapterInstanceName", + "NdisDeregisterProtocol", + "NdisSetEvent", + "NdisFreeBufferPool", + "NdisAllocatePacketPool", + "NdisFreePacketPool", + "NdisRegisterProtocol", + "NdisWaitEvent", + "NdisAllocateBufferPool", + "NdisCopyFromPacketToPacket" + ], + "Signatures": {} + } + ], + "Tags": [ + "daxin_blank5.sys" + ], + "yara": false + }, + { + "Id": "579a0516-1177-45ce-ad9e-45f53b28dcdc", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create b.sys 
binPath=C:\\windows\\temp\\b.sys type=kernel && sc.exe start b.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "b.sys", + "SHA256": "84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "b.sys" + ], + "yara": false + }, + { + "Id": "25d5ebe3-e827-44a4-86fc-898844595c23", + "Author": "Michael Haag", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create POORTRY.sys binPath=C:\\windows\\temp\\POORTRY.sys type=kernel && sc.exe start POORTRY.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "POORTRY.sys", + "MD5": "7f9309f5e4defec132b622fadbcad511", + "SHA1": "a3ed5cbfbc17b58243289f3cf575bf04be49591d", + "SHA256": "6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party 
Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "103f3c1ce174dff5dfc79a428d4bf385", + "SHA1": "b4d007b0c6ae6b4cfd96aab617f239cd8ebc8afb", + "SHA256": "45b9eee68266d1128bc252087f4a8ae18dbb0e0b6317e28bc248b25ca2431a56" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "NETIO.SYS", + "ntoskrnl.exe", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WskCaptureProviderNPI", + "WskReleaseProviderNPI", + "WskDeregister", + "WskRegister", + "RtlDeleteElementGenericTableAvl", + "vsprintf_s", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "ObfDereferenceObject", + "IoAllocateMdl", + "ZwCreateSection", + "ExAcquireResourceExclusiveLite", + "ObCloseHandle", + "IoCreateFileEx", + "RtlInitUnicodeString", + "RtlLookupElementGenericTableAvl", + "ObReferenceObjectByHandleWithTag", + "ZwQueryVirtualMemory", + "IoFileObjectType", + "KeStackAttachProcess", + "ZwAllocateVirtualMemory", + "PsLookupProcessByProcessId", + "RtlImageNtHeader", + "ZwMapViewOfSection", + "RtlInitAnsiString", + "RtlCaptureContext", + "ExReleaseResourceLite", + "_vsnprintf_s", + "KeCapturePersistentThreadState", + "IoFreeMdl", + "wcsstr", + "RtlCompareString", + "ZwSetSystemInformation", + "MmGetSystemRoutineAddress", + "_stricmp", + "ZwDeleteFile", + "ExFreePoolWithTag", + "ZwOpenFile", + "ObReferenceObjectByName", + "MmUnmapLockedPages", + "IoDriverObjectType", + "MmFlushImageSection", + "ZwClose", + "KeUnstackDetachProcess", + "MmMapLockedPages", + "__C_specific_handler", + "MmIsAddressValid", + "MmUnlockPages", + "MmProbeAndLockPages", + "IoFreeIrp", + "KeSetEvent", + "IoAllocateIrp", + "KeInitializeEvent", + "KeWaitForSingleObject", + "ZwReadFile", + "RtlCopyUnicodeString", + "ZwUnmapViewOfSection", + 
"ZwQuerySystemInformation", + "ExAllocatePool", + "RtlGetVersion", + "__chkstk", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + } + ], + "Tags": [ + "POORTRY.sys" + ], + "yara": false + }, + { + "Id": "31a962ce-43ef-410f-873a-7ccc8f00332b", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create t3.sys binPath=C:\\windows\\temp\\t3.sys type=kernel && sc.exe start t3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + 
"Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "t3.sys", + "SHA256": "4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "t3.sys" + ], + "yara": false + }, + { + "Id": "8c2fa9d1-b2b1-4ba1-bad9-60c44c2c20eb", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create t8.sys binPath=C:\\windows\\temp\\t8.sys type=kernel && sc.exe start t8.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "t8.sys", + "SHA256": "258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "t8.sys" + ], + "yara": false + }, + { + "Id": "db666d40-c9fa-4039-bfac-a5d7afd61b67", + "Author": "Wack0", + "Created": "2023-04-22", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BEDaisy.sys binPath=C:\\windows\\temp\\BEDaisy.sys type=kernel && sc.exe start BEDaisy.sys", + 
"Description": "BattlEye Anti-Cheat BEDAISY.SYS PPL privesc.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/magicsword-io/LOLDrivers/issues/23", + "https://infosec.exchange/@Rairii/109310279380973806" + ], + "Acknowledgement": { + "Person": "Wack0", + "Handle": "Wack0" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "BEDAISY.SYS", + "MD5": "7475bfea6ea1cd54029208ed59b96c6b", + "SHA1": "fff7ee0febb8c93539220ca49d4206616e15c666", + "SHA256": "2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "85751ed97dcd3096b4b5ee6f66109551", + "SHA1": "7131f7da22882656c5e22ec033bb95e29273f182", + "SHA256": "35a12d81f7062a22644b500d91b1603b4f97756ad165c3ea571e7fef55c24162" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "FLTMGR.SYS", + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "FltGetRoutineAddress", + "MmGetSystemRoutineAddress", + "__C_specific_handler", + "__chkstk", + "MmMapLockedPagesSpecifyCache", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=DE, ST=Baden,W??rttemberg, L=Reutlingen, O=BattlEye Innovations e.K., CN=BattlEye Innovations e.K.", + "ValidFrom": "2018-11-09 00:00:00", + "ValidTo": "2019-12-31 12:00:00", + "Signature": 
"0e1391b52a7dcdcd6e5f1a2e5e98d07fea5314cc4a43b404bcd7e742cf86c6f14beeb1fa766c7c6370fb6bb0f866f43259fa5cd0921b3d094e296ef0b6d529b77b23f5fc3ffc0d7f86295542360a353fe494a90f8d98721c5c9db07d0a8e945be7460ff1a2d78946ac8be50cc85e2d3f148aa13bbba594df6ebf92ff51f22816724045dc0246d43a69393b26c0189e2139a1424a693c111ea1aa5cc6db4ff08cbf1eba10145fe6a35852a6cf1a3ccf7e15568cd62daa91bd7245def0bfb8c885f0507768e0453504403c40a2c74e20c637db0e8bb4c9d5f68153e7d6cb50bbfbd9137c3801dea2264626885501b48652bb0bd75c834f07676e14dfa3bec8ee4f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "060323c3204df4501ea15b73390dd856", + "Issuer": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + } + ], + "Tags": [ + "bedaisy.sys" + ], + "yara": false + }, + { + "Id": "c854b612-0b9f-4fc3-a7b8-a93bed7a291e", + "Author": "Nasreddine Bencherchali", + "Created": "2023-04-15", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create SSPORT.sys binPath=C:\\windows\\temp\\SSPORT.sys type=kernel && sc.exe start SSPORT.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/ssport_v1.0" + ], + "Acknowledgement": { + "Person": "Paolo Stagno", + "Handle": "Void_Sec" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "SSPORT.sys", + "MD5": "0211ab46b73a2623b86c1cfcb30579ab", + "SHA1": "ccd547ef957189eddb6ee213e5e0136e980186f9", + "SHA256": "7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4", + "Signature": "N/A", + "Date": "N/A", + "Publisher": "N/A", + "Company": "Samsung Electronics", + "Description": "Port Contention Driver", + "Product": "Port Contention Driver", + "ProductVersion": "1.0", + "FileVersion": "1.0", + "MachineType": "AMD64", + "OriginalFilename": "SSPORT.sys", + "Authentihash": { + "MD5": "ffc522ee567368a6f98c38dd2aa57f30", + "SHA1": "06643b15efe04a2177c08d0395a2be5a910ed58c", + "SHA256": "710639fd1eb76520e8733840ad78a81e09ce03930e4d3c47998e3162ae95f90e" + }, + "InternalName": "SSPORT.sys", + "Copyright": "Copyright (C) Samsung Corp. 
1998-2005", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "wcsncpy", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "wcsrchr", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "_purecall", - "ZwOpenEvent", - "ZwConnectPort", - "KeClearEvent", - "PsProcessType", - "ExFreePoolWithTag", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "RtlInitUnicodeString", - "KeSetEvent", - "ProbeForWrite", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "ZwWaitForSingleObject", - "DbgBreakPoint", - "ZwSetEvent", - "IoGetCurrentProcess", - "ZwFreeVirtualMemory", + "strncpy", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": 
"877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2009-07-15 23:59:59", + "Signature": "9a65f5d8d7e1a4d05dded87d7bc3eec408c256d08cdcedac228de750060d072ca0a46995cc99dfcc6331cfb0c1e496cb38ce21fb7ce7580a2321072c9097abd89604935453ba3a1048720d85ec1b0a4125cc7d6cac7b03f1f7783cf2a840d05572dbbe0b28b5c8c705fed3e0b521dcbc40b7bebc60f5b8e3d85e3b65dd66565f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=KR, ST=Kyungki,Do, L=Suwon, O=Samsung Electronics CO., LTD., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Computer System, CN=Samsung Electronics CO., LTD.", + "ValidFrom": "2005-11-08 00:00:00", + "ValidTo": "2006-12-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "4ffbf40bae31d4c367d68e83e3e6712f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + } + ], + "Tags": [ + "SSPORT.sys" + ], + "yara": false + }, + { + "Id": "855ade1f-8a9e-4c9d-ab8e-d7e409609852", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create elbycdio.sys binPath=C:\\windows\\temp\\elbycdio.sys type=kernel && sc.exe start elbycdio.sys", + "Description": "elbycdio.sys is a vulnerable driver. CVE-2009-0824.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + " https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + 
"KnownVulnerableSamples": [ + { + "Filename": "elbycdio.sys", + "MD5": "ae5eb2759305402821aeddc52ba9a6d6", + "SHA1": "3599ea2ac1fa78f423423a4cf90106ea0938dde8", + "SHA256": "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b", + "Signature": [ + "Elaborate Bytes AG", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "Elaborate Bytes AG", + "Description": "ElbyCD Windows NT/2000/XP I/O driver", + "Product": "CDRTools", + "ProductVersion": "6, 0, 0, 0", + "FileVersion": "6, 0, 2, 0", + "MachineType": "I386", + "OriginalFilename": "ElbyCDIO.sys", + "Authentihash": { + "MD5": "1e7d48bdea295db001ff57b6d05d99a2", + "SHA1": "95a797b14c5718495e847f1aa7a5b554d1855893", + "SHA256": "45b7ec74cc78651975d01d88308f3231df4c96036d6c2273d79f53abdfc8888c" + }, + "InternalName": "ElbyCDIO", + "Copyright": "Copyright (C) 2000 - 2009 Elaborate Bytes AG", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwWriteFile", + "ZwCreateFile", + "RtlInitUnicodeString", + "swprintf", + "ZwQueryVolumeInformationFile", + "ZwOpenFile", "ZwClose", - "ObfReferenceObject", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "PsTerminateSystemThread", + "KeWaitForSingleObject", + "ZwSetInformationThread", + "KeSetEvent", "ObfDereferenceObject", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "KePulseEvent", - "ZwAllocateVirtualMemory", - "ObGetObjectSecurity", - "SeAccessCheck", - "SeReleaseSubjectContext", - "SeCaptureSubjectContext", - "PsThreadType", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "MmSectionObjectType", - "DbgPrint", - "ExDeleteResourceLite", - "ExInitializeResourceLite", + "ObReferenceObjectByHandle", + "PsCreateSystemThread", + "KeInitializeEvent", + "KeReleaseMutex", "ZwReadFile", - "swprintf", - "ZwSetInformationFile", - 
"ZwCreateFile", - "ZwQueryInformationFile", - "ZwWriteFile", - "_wcsnicmp", - "towupper", + "IofCompleteRequest", + "KeInitializeMutex", + "ExAllocatePool", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCallDriver", + "IoBuildDeviceIoControlRequest", + "_except_handler3", + "ProbeForRead", + "ProbeForWrite", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeTickCount", + "KeBugCheckEx", + "KeInitializeSpinLock", + "ExFreePool", + "PsGetCurrentProcessId", + "KfReleaseSpinLock", + "KfAcquireSpinLock", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CH, O=Elaborate Bytes AG, CN=Elaborate Bytes AG, emailAddress=admin@elby.ch", + "ValidFrom": "2008-12-23 13:26:11", + "ValidTo": "2011-12-23 13:26:11", + 
"Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "13c56c5e077f3c57ff9b315f3fbd955425c679f92c31034d64694b56d95b976f7cf3f0d024657538639813701613f7a701f1c623e085866c0bf080945a75e87ce41e92b473bfc1b3a7b00bd31884cbcc09a35c9c4f3eb03a9c2d1bc404ef9737966fe5ecbaac6ab3d4e23cdf8b25e7acbc624531dda40a72e41bf8784301ccba3914de5d90aed85acf5eca46815133d5a60e5867d3d8665888169beeb11acaad91138421da9a6e20efda007428bac95ff34d5dc3da25692554ea44bcc39b29331cd63c961f8781c553d72a2733d42e197c08586ddb4e1999a9ea5ff39a9d8c513a5a5cbd2fa908359b54a7db351a521633343aa380046afdb4838cad90cf0c3a6596ec334e1826b849bbeb8192ff134d324b23c733e7b6716b15f69c80e6bcb76cbe41d5033a7133150050743b0e5df996aaed903eab134c809926bc38a5eb0236891db620be83ab10f8199ed76379d4aeb12f6136f94a4ba833c70e7241f9f1b1907eae46efde397b75a0411459041d42bc4788b8130e05fa1df0808dff70c677d84bdc460e231a72d5bfdefeaaae69583cfc5c46e4d5819a8b6e6559771a32a590a6b6649364fd0753c9a0de28ad2a6cc638d181ce98f54019e92c1743a4265fd3443053e41d02baa40a2f16dd7a60275242bbad98372897e4b8d27911e3108c48d5305d0a0c52def588ea8d1a2d67c9f4801484b7850cd16628a5c66f2461", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0100000000011e643e96d0", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] + } + ], + "Tags": [ + "elbycdio.sys" + ], + "yara": true + }, + { + "Id": "39f427b6-aad3-4cb8-b363-9113a6d53b07", + "Author": "Nasreddine Bencherchali", + 
"Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create BS_RCIOW1064.sys binPath=C:\\windows\\temp\\BS_RCIOW1064.sys type=kernel && sc.exe start BS_RCIOW1064.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "FileName": "BS_RCIOW1064.sys", + "MD5": "6b6dfb6d952a2e36efd4a387fdb94637", + "SHA1": "42eb220fdfb76c6e0649a3e36acccbdf36e287f1", + "SHA256": "6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc", + "Authentihash": { + "MD5": "aa8a043ec2d13570a43af8e09d4adf4f", + "SHA1": "3c8cab4c08a37a105200feb8f07dd818c8f03bff", + "SHA256": "545190e8b2a910e153b12559a9875154a1b40d6424cb4a6299a84b2dc99df700" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeInitializeSemaphore", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeSetEvent", + "MmUnmapIoSpace", + "KeDelayExecutionThread", + "PsCreateSystemThread", + "IoStartNextPacket", + "PsTerminateSystemThread", + "ExEventObjectType", + "MmMapIoSpace", + "IoDeleteDevice", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeReleaseSemaphore", + "ObfDereferenceObject", + "IoReleaseCancelSpinLock", + "IoAcquireCancelSpinLock", + "IoStartPacket", + "IofCompleteRequest", + "KeRemoveEntryDeviceQueue", + "KeBugCheckEx", + "RtlInitUnicodeString", + "ZwClose", + "IoDeleteSymbolicLink", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=TW, serialNumber=23826200, ??=2F, NO.108,2, MIN CHUAN RD, postalCode=231, C=TW, ST=XINDIAN DIST, L=NEW TAIPEI CITY, O=Biostar Microtech Int'l Corp, CN=Biostar Microtech Int'l Corp", + "ValidFrom": "2017-03-03 00:00:00", + "ValidTo": "2018-11-21 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "0293728e6275aee2cea6efb4bac1eed6", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + } + ], + "Tags": [ + "BS_RCIOW1064.sys" + ], + "yara": false + }, + { + "Id": "f4126206-564f-49f5-a942-2138a3131e0e", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create NICM.sys binPath=C:\\windows\\temp\\NICM.SYS 
type=kernel && sc.exe start NICM.SYS", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "NICM.SYS", + "MD5": "52b7cd123f6d1b9ed76b08f2ee7d9433", + "SHA1": "4d6e532830058fadd861ff9eac16de8cfc6974ce", + "SHA256": "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0", + "Authentihash": { + "MD5": "cd820a2aee5e475a92f3860b20a3fc1a", + "SHA1": "db97af81d295f3f7f7777d3805635ab8cc40ab44", + "SHA256": "98636f857235fb66122296db147cd29440de681a29bbd631fc94373da31f99fa" + }, + "Description": "Novell Client Portability Layer", + "Company": 
"Novell, Inc.", + "InternalName": "", + "OriginalFilename": "NICM.SYS", + "FileVersion": "3.1.11.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.11", + "Copyright": "(C) Copyright 2000-2013, Novell, Inc. All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" + ], + "ImportedFunctions": [ + "KeWaitForSingleObject", "ExAllocatePoolWithTag", - "KeInitializeEvent", - "ZwCreateEvent", "ZwCreateKey", + "ExFreePoolWithTag", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlInitUnicodeString", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwEnumerateValueKey", + "ZwClose", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwOpenKey", + "DbgPrintEx", + "RtlUpcaseUnicodeString", "RtlAnsiStringToUnicodeString", - "ZwNotifyChangeKey", - "RtlInitAnsiString", - "_snprintf", + "RtlUnicodeStringToAnsiString", + "RtlUnicodeStringToOemString", "RtlFreeUnicodeString", - "ExSystemTimeToLocalTime", - "_vsnprintf", - "ObReferenceObjectByHandle", - "RtlTimeToTimeFields", - "ZwDeviceIoControlFile", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeWaitForMultipleObjects", - "ExGetPreviousMode", + "RtlOemStringToUnicodeString", + "RtlFreeAnsiString", + "DbgPrint", + "KeReleaseSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "RtlInitString", "RtlEqualUnicodeString", - "RtlPrefixUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "KeWaitForSingleObject", + "RtlCompareString", + "RtlCopyString", + "KeReleaseMutex", + "RtlEqualString", + "RtlUnicodeStringToInteger", + "ExAcquireResourceExclusiveLite", + "KeResetEvent", + "KeInitializeMutex", + "KeLeaveCriticalRegion", + "KeSetEvent", + "ExIsResourceAcquiredSharedLite", + "ExIsResourceAcquiredExclusiveLite", + "KeEnterCriticalRegion", + 
"ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "KeWaitForMultipleObjects", "KeSetPriorityThread", + "IoDeleteDevice", + "IoCreateDevice", "PsCreateSystemThread", "PsTerminateSystemThread", - "MmIsAddressValid", + "RtlCompareMemory", + "IoUninitializeWorkItem", + "IoFreeWorkItem", + "KeInitializeDpc", + "KeInitializeTimer", "KeDelayExecutionThread", - "KeNumberProcessors", - "PsLookupProcessByProcessId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenDirectoryObject", - "ZwQueryInformationProcess", - "ZwQuerySecurityObject", - "NtSetInformationFile", - "ZwDeleteValueKey", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "NtQueryInformationFile", - "IoFileObjectType", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "NtCreateFile", - "ZwEnumerateValueKey", - "RtlLengthSecurityDescriptor", - "ZwQueryDirectoryObject", - "ZwSetSecurityObject", - "ZwDuplicateObject", - "ZwOpenProcess", - "ZwTerminateProcess", - "ExReleaseFastMutexUnsafe", + "IoAllocateWorkItem", + "KeSetTimer", + "IoInitializeWorkItem", + "IoQueueWorkItem", + "KeCancelTimer", + "KeBugCheckEx", + "RtlCompareUnicodeString", + "KeInitializeEvent", + "NicmCreateInstance" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation", + "ValidFrom": "2021-09-02 18:32:59", + "ValidTo": "2022-09-01 18:32:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011", + "ValidFrom": "2011-07-08 20:59:09", + "ValidTo": "2026-07-08 21:09:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": 
"33000002528b33aaf895f339db000000000252", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011" + } + ] + } + ] + }, + { + "FileName": "NICM.SYS", + "MD5": "f690bfc0799e51a626ba3931960c3173", + "SHA1": "d3a6f86245212e1ef9e0e906818027ec14a239cb", + "SHA256": "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a", + "Authentihash": { + "MD5": "2e72873429bed4886fe76aeba274283e", + "SHA1": "ab636e8ba41f37d2bcd5291ddf30024be7f3ce2f", + "SHA256": "7419b05e74733d2b7ce4c860ab74043b816a7f66a1ff7eec81fe3b35730e3bbb" + }, + "Description": "Novell Client Portability Layer", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "NICM.SYS", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" + ], + "ImportedFunctions": [ + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ZwDeleteKey", "ZwEnumerateKey", - "ZwQueryKey", + "ZwEnumerateValueKey", "ZwOpenKey", - "MmSystemRangeStart", - "_stricmp", - "_strnicmp", - "mbstowcs", - "ProbeForRead", + "ZwQueryValueKey", + "ZwSetValueKey", + "DbgBreakPoint", + "memset", + "_aulldvrm", + "DbgPrintEx", "RtlUpcaseUnicodeString", - "_snwprintf", - "ZwQuerySymbolicLinkObject", - "ZwMapViewOfSection", - "MmGetSystemRoutineAddress", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlOemStringToUnicodeString", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "RtlUnicodeStringToOemString", + "DbgPrint", "RtlAppendUnicodeToString", - "IoCreateFile", - "RtlQueryRegistryValues", - "MmBuildMdlForNonPagedPool", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "ObQueryNameString", - "ZwUnmapViewOfSection", - "NtClose", - "IoFreeIrp", - "PsGetVersion", - 
"IoAllocateIrp", + "RtlCompareString", + "RtlCompareUnicodeString", + "RtlCopyString", + "RtlEqualString", + "RtlEqualUnicodeString", + "RtlInitString", + "RtlIntegerToUnicodeString", + "RtlUnicodeStringToInteger", + "KeLeaveCriticalRegion", + "KeGetCurrentThread", + "ExAcquireResourceSharedLite", + "RtlAppendUnicodeStringToString", + "ExAcquireResourceExclusiveLite", + "KeInitializeMutex", + "ExInitializeResourceLite", + "KeSetEvent", + "ExDeleteResourceLite", + "ExIsResourceAcquiredSharedLite", + "ExIsResourceAcquiredExclusiveLite", + "ExReleaseResourceLite", + "KeResetEvent", + "KeWaitForMultipleObjects", + "_allmul", + "KeSetPriorityThread", + "KeQuerySystemTime", + "IoDeleteDevice", + "IoCreateDevice", + "PsCreateSystemThread", + "PsTerminateSystemThread", "RtlCompareMemory", - "MmUnlockPages", - "ZwSetInformationObject", - "ZwOpenFile", - "wcsncmp", - "RtlImageNtHeader", - "IoAllocateMdl", - "IofCallDriver", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", + "memcpy", + "memmove", + "IoInitializeWorkItem", + "IoAllocateWorkItem", + "KeCancelTimer", + "IoFreeWorkItem", + "IoUninitializeWorkItem", + "KeSetTimer", + "KeDelayExecutionThread", + "KeInitializeDpc", + "KeInitializeTimer", + "IoQueueWorkItem", + "KeTickCount", + "KeBugCheckEx", + "ZwCreateKey", + "ZwClose", + "ExFreePoolWithTag", + "KeWaitForSingleObject", + "KeReleaseMutex", + "KeEnterCriticalRegion", + "KeInitializeEvent", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "NicmCreateInstance" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 
CA" + } + ] + } + ] + }, + { + "FileName": "NICM.SYS", + "MD5": "3bf217f8ef018ca5ea20947bfdfc0a4d", + "SHA1": "26a8ab6ea80ab64d5736b9b72a39d90121156e76", + "SHA256": "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190", + "Authentihash": { + "MD5": "1b164cdc9dadc9944f2d3c0063cfcaa9", + "SHA1": "a13e2a1ea1c6427bc2006b1512047cc9779e480e", + "SHA256": "ea80b4a2314e44061f33a7403e0740437aa34326082e97816bb6e7693866478b" + }, + "Description": "Novell Client Portability Layer", + "Company": "Novell, Inc.", + "InternalName": "", + "OriginalFilename": "NICM.SYS", + "FileVersion": "3.1.6.0", + "Product": "Novell XTier", + "ProductVersion": "3.1.6", + "Copyright": "(C) Copyright 2000-2008, Novell, Inc. All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "nicm.sys" + ], + "ExportedFunctions": [ + "DllGetClassObject", + "XTCOM_Table" + ], + "ImportedFunctions": [ + "KeWaitForSingleObject", + "ZwEnumerateKey", + "ZwOpenKey", + "ExAllocatePoolWithTag", + "ZwCreateKey", + "ExFreePoolWithTag", "ExReleaseFastMutex", "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlInitializeSid", - "RtlCreateSecurityDescriptor", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IoGetDeviceObjectPointer", - "ExEventObjectType", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "strncpy", - "NtOpenProcess", - "ObInsertObject", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", - "IoReleaseVpbSpinLock", - "wcschr", - "strncat", + "RtlInitUnicodeString", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwEnumerateValueKey", + "ZwClose", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "ZwDeleteKey", + "DbgBreakPoint", + "DbgPrintEx", + "DbgPrint", + "RtlUpcaseUnicodeString", + 
"RtlAnsiStringToUnicodeString", "RtlUnicodeStringToAnsiString", - "wcsncat", + "RtlUnicodeStringToOemString", + "RtlFreeUnicodeString", + "RtlOemStringToUnicodeString", "RtlFreeAnsiString", - "wcstombs", - "IoGetConfigurationInformation", - "IoRegisterPlugPlayNotification", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "FsRtlIsNameInExpression", - "wcsstr", - "ExAllocatePool", - "IoUnregisterPlugPlayNotification", - "MmProbeAndLockPages", - "RtlCompareUnicodeString", - "IoGetDeviceInterfaces", "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoCreateDevice", - "IoDeviceObjectType", - "SeCaptureSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "RtlLengthSid", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwDeleteKey", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "RtlInitString", + "RtlEqualUnicodeString", + "RtlCompareString", + "KeReleaseMutex", + "RtlCompareUnicodeString", + "RtlEqualString", + "RtlUnicodeStringToInteger", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "KeWaitForMultipleObjects", "ExAcquireResourceExclusiveLite", - "__C_specific_handler" + "KeResetEvent", + "KeInitializeMutex", + "KeLeaveCriticalRegion", + "KeSetEvent", + "ExIsResourceAcquiredSharedLite", + "ExIsResourceAcquiredExclusiveLite", + "KeEnterCriticalRegion", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "KeSetPriorityThread", + "IoDeleteDevice", + "IoCreateDevice", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "RtlCompareMemory", + "IoUninitializeWorkItem", + "IoFreeWorkItem", + "KeInitializeDpc", + "KeInitializeTimer", + "KeDelayExecutionThread", + "IoAllocateWorkItem", + "KeSetTimer", + "IoInitializeWorkItem", + "IoQueueWorkItem", + "KeCancelTimer", + "KeBugCheckEx", + "RtlCopyString", + "KeInitializeEvent", + 
"NicmCreateInstance" ], "Signatures": [ { 
@@ -89095,746 +86188,378 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", - "ValidFrom": "2019-07-12 00:00:00", - "ValidTo": "2020-07-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "Subject": 
"C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, ST=Utah, L=Provo, O=Novell, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Novell Products Group, CN=Novell, Inc.", + "ValidFrom": "2007-04-04 00:00:00", + "ValidTo": "2010-04-27 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "4808d93b14b8600dbfa18dab5d15310f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] + } + ], + "Tags": [ + "NICM.SYS" + ], + "yara": true + }, + { + "Id": "72637cb1-5ca2-4ad0-a5df-20da17b231b5", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create wantd_4.sys binPath=C:\\windows\\temp\\wantd_4.sys type=kernel && sc.exe start wantd_4.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce.yara" }, { - "FileName": "TmComm.sys", - "MD5": "e3aaa0c1c3a5e99eb9970ebe4b5a3183", - "SHA1": "8fafd70bae94bbc22786c9328ee9126fed54dbae", - "SHA256": "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687", - "Authentihash": { - "MD5": "257904eecb49998ecad8b3d2acee8344", - "SHA1": "7f7110dcca30c2110d31f5a875305d52dac0db49", - "SHA256": "3847a1ed764ba25361a1748761fd9a1cbb65e42db00094f8ad6def9ac5da4116" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1124", - "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. 
All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - 
"??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - 
"??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDelayLoadThread@@6B@", - 
"??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - 
"?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - 
"?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - 
"?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - 
"?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - 
"?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmEx@12", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "__UtilDosPathNameToNtPathName@12" + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": 
"sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "wantd_4.sys", + "MD5": "79df0eabbf2895e4e2dae15a4772868c", + "SHA1": "d02403f85be6f243054395a873b41ef8a17ea279", + "SHA256": "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce", + "Signature": "The digital signature of the object did not verify.", + "Date": "8:23 PM 2/28/2022", + "Publisher": "Anhua Xinda (Beijing) Technology Co., Ltd.", + "Company": "Microsoft Corporation", + "Description": "WAN Transport Driver", + "Product": "Microsoft Windows Operating System", + "ProductVersion": "6.1.7600.1172", + "FileVersion": "6.1.7600.1172", + "MachineType": "AMD64", + "OriginalFilename": "wantd.sys", + "Authentihash": { + "MD5": "00a677b8d21de4be1c7c16f2f105dbc6", + "SHA1": "a10f5c6c4d5ae78f0ca771328c74eb9fc51e593d", + "SHA256": "3f55375fb70cb355fe7de7f59904b12ef996447cbc7113fefa379995e040d678" + }, + "InternalName": "wantd.sys", + "Copyright": "Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "NDIS.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "ExAllocatePoolWithTag", + "wcsncmp", + "IoAllocateMdl", + "_stricmp", + "sprintf", "RtlLengthRequiredSid", + "_strnicmp", + "ExAllocatePoolWithTag", + "vsprintf", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "NtWriteFile", + "RtlCreateAcl", + "PsLookupProcessByProcessId", + "NtQuerySystemInformation", + "_wcsnicmp", + "ZwReadFile", "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", + "KeInitializeApc", + "IoDeleteDevice", + "NtFsControlFile", + "KeInsertQueueApc", + "MmGetSystemRoutineAddress", + "IoCreateFile", + "atoi", + "_snprintf", + "ZwQuerySystemInformation", + "KeReleaseSpinLock", "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwRequestWaitReplyPort", - "ProbeForWrite", + "RtlImageDirectoryEntryToData", + "KeDetachProcess", + "ZwOpenFile", + "ZwCreateFile", + "PsCreateSystemThread", + "ZwQueryValueKey", + "PsTerminateSystemThread", "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "ZwConnectPort", - "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "DbgBreakPoint", - "PsGetProcessExitTime", - "MmSectionObjectType", + "KeQueryTimeIncrement", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "KeAttachProcess", + "PsGetVersion", "PsThreadType", - "MmGetSystemRoutineAddress", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", - 
"ZwReadFile", + "RtlCompareUnicodeString", + "ZwOpenProcess", + "ZwQueryInformationProcess", + "IoCreateSymbolicLink", + "ObfDereferenceObject", + "IoCreateDevice", + "ZwTerminateProcess", "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "ZwCreateKey", - "ZwCreateEvent", "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "KeDelayExecutionThread", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", + "ZwWriteFile", + "NtReadFile", + "PsLookupThreadByThreadId", + "RtlLengthSid", + "RtlCreateSecurityDescriptor", + "ZwAllocateVirtualMemory", "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "memcpy", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "_purecall", - "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "RtlEqualUnicodeString", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "KeAcquireSpinLockRaiseToDpc", + "RtlUnicodeStringToInteger", + "MmIsAddressValid", 
+ "ZwDeviceIoControlFile", + "IofCompleteRequest", + "ZwClose", + "MmMapLockedPagesSpecifyCache", + "KeDelayExecutionThread", + "MmUserProbeAddress", "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", + "memchr", + "ZwWaitForSingleObject", + "RtlInitUnicodeString", + "NdisAllocateMemoryWithTag", + "NdisAllocateNetBufferAndNetBufferList", + "NdisMSendNetBufferListsComplete", + "NdisReturnNetBufferLists", + "NdisAllocateNetBufferListPool", + "NdisFreeMemory", + "NdisMIndicateStatus", + "NdisFreeMdl", + "NdisFreeNetBufferListPool", + "NdisFreeNetBufferList", + "NdisSendNetBufferLists" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=CN, ST=Beijing, L=Beijing, O=Anhua Xinda (Beijing) Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Anhua Xinda (Beijing) Technology Co., Ltd.", + "ValidFrom": "2011-06-28 00:00:00", + "ValidTo": "2014-06-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "387c9476e28320264594846317d46540", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "wantd_4.sys" + ], + "yara": true + }, + { + "Id": "4db827b1-325b-444d-9f23-171285a4d12f", 
+ "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create VProEventMonitor.sys binPath=C:\\windows\\temp\\VProEventMonitor.sys type=kernel && sc.exe start VProEventMonitor.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "VProEventMonitor.sys", + "MD5": "cd9f0fcecf1664facb3671c0130dc8bb", + "SHA1": "0c26ab1299adcd9a385b541ef1653728270aa23e", + "SHA256": "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca", + "Signature": [ + "Symantec Corporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "Symantec Corporation", + "Description": "VProEventMonitor.Sys - Event Monitoring driver", + "Product": "Symantec Event Monitors Driver Development 
Edition", + "ProductVersion": "1.0.0", + "FileVersion": "1.0.0.45708", + "MachineType": "AMD64", + "OriginalFilename": "VProEventMonitor.Sys", + "Authentihash": { + "MD5": "ed01170d94a5e21d04b6d7212b53c994", + "SHA1": "cbaa70aac878a389c8213a5bc0df830b1d5b4e04", + "SHA256": "9994990c02c37472625cc7b2255044feef9b73c08ca3a70c06861b7d26b27a25" + }, + "InternalName": "VProEventMonitor.Sys", + "Copyright": "Copyright © 2007-2008 Symantec Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "PsGetVersion", + "strncmp", + "ZwOpenProcess", + "ExAcquireFastMutex", + "IoCreateSymbolicLink", + "PsLookupProcessByProcessId", "RtlCopyUnicodeString", - "RtlFreeUnicodeString", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "RtlImageNtHeader", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "ObQueryNameString", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExEventObjectType", - "_allmul", + "ObfDereferenceObject", + "IoCreateDevice", + "RtlInitUnicodeString", "IoDeleteDevice", + "KeSetEvent", + "IoCreateNotificationEvent", + "MmGetSystemRoutineAddress", + "KeInitializeEvent", + "PsSetCreateProcessNotifyRoutine", + "ExAllocatePoolWithTag", + "IoGetCurrentProcess", + "KeClearEvent", + "ZwClose", "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "IoDriverObjectType", - "RtlAppendUnicodeStringToString", - "NtQueryInformationProcess", - "IoThreadToProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - 
"ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "MmSystemRangeStart", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", + "IofCompleteRequest", + "ExFreePoolWithTag", "KeBugCheckEx", - "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "_allrem", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "IoFreeMdl", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KeGetCurrentIrql", - "ExAcquireFastMutex", + "DbgPrint", "ExReleaseFastMutex", - "KfRaiseIrql", - "ClassInitialize" + "KeQueryPerformanceCounter" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2015-05-05 00:00:00", - "ValidTo": "2015-12-31 23:59:59", - "Signature": 
"0dbbad60111bb5f00dcce6483a7a3e0e33dc1cb9ead620fea34dd0cc764ee818d879dfd34f9a4264238a29728a3a6c66a63c3a17a8704565c673c3d0ce8954fbac690f58b019cb869f7eb97eeb5192bf9bddebd165f0257b887cdebda5c8b51451bcc081308a85387be679fe67559387fe4fe88d0eedf37292b5c289806dd159e31d0deab138ee039d0019a5ab219b79c3ccc23e687ebdc94d694db46451fbb22874e25389ce9dfaade2dbceab7b7e064474fd0aa3c9b7a730cd49d29264f122a6b828457479e9a7ce3b33f98350947d68c01d49c760787a3c6426d5befa0a6de41ee109538fa9c523acc79d614221f02c1671493b10af2c6f1ae631f114fd6c", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -89844,6 +86569,13 @@ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, ST=Florida, L=Heathrow, O=Symantec Corporation, OU=IMG, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Symantec Corporation", + "ValidFrom": "2011-09-09 00:00:00", + "ValidTo": "2013-09-08 23:59:59", + "Signature": "b154e1c0d7231a2eff64b32a8d6c1a4eafd117d03f922e305741da6dbaeaa49c7fd79fd0b661e0f14e0d024f38593ecc05ac3496282b270e4184f922fc06598620810f7e6af35b7103a8144c00d47e2482a5be8597525c6e310a3d715130a84c4e26711432b8bac4fff03ce800e45626b6e12c2bb71dc14d97ccd6f42f14279ef1be2544769927322e0e1885cedf22b2d69f239dddb538b8aa4de3e7a5e738e71a730386665ea73c7a43342f6046e9e7e92f4c5b58f143cf18760b7ab00fe76e45ac8bacf4c8d28895ed2851d906629b97f5362ff74bd56b563c454d08b8e2fb4b2b4203b8a17b1e1479fdcddcc1245a1d0b1696da579113bd5345b011db0093", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", @@ -89851,13 +86583,6 @@ "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2015-02-20 00:00:00", - "ValidTo": "2016-05-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", "ValidFrom": "2010-02-08 00:00:00", 
@@ -89868,782 +86593,326 @@ ], "Signer": [ { - "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", + "SerialNumber": "7b00eb4233c0876e11580566d44735fe", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "VProEventMonitor.sys" + ], + "yara": true + }, + { + "Id": "3d1439e9-9a7d-497a-8c6c-74513f825d6a", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank6.sys binPath=C:\\windows\\temp\\daxin_blank6.sys type=kernel && sc.exe start daxin_blank6.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "FileName": "TmComm.sys", - "MD5": "5a615f4641287e5e88968f5455627d45", - "SHA1": "dcfeca5e883a084e89ecd734c4528b922a1099b9", - "SHA256": "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30", - "Authentihash": { - "MD5": "f9170d67a08b1a8f4e283615b4400773", - "SHA1": "e1e0a986b99795fa8c40328c5a01b5b8cbb9ca34", - "SHA256": "dd54115ef08b107691425e4c0bf94dc0ae7c522fba60a0ce3f574ebf4f5dbc5a" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1098", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. 
All rights reserved.", + "Filename": "daxin_blank6.sys", + "MD5": "0ae30291c6cbfa7be39320badd6e8de0", + "SHA1": "c257aa4094539719a3c7b7950598ef872dbf9518", + "SHA256": "e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217", + "Signature": "Unsigned", + "Date": "2:44 AM 3/26/2009", + "Publisher": "n/a", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", "MachineType": "I386", + "OriginalFilename": "", + "Authentihash": { + "MD5": "d59fbf4aa759286d1dd9abb40733f7b2", + "SHA1": "3c34c7c5916b987420fbfb4f3e3fef7400471831", + "SHA256": "a8c558e74ebe35a095a5b79d4bb26c10b18f8ebb449365e742f856d4e032555c" + }, + "InternalName": "", + "Copyright": "", "Imports": [ + "NTOSKRNL.EXE", + "HAL.DLL", "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - 
"??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - 
"??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - 
"??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - 
"??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - 
"?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - 
"?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - 
"?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - 
"?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - 
"?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - 
"_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "NDIS.SYS" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwConnectPort", - "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", + "MmUnlockPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IoQueueWorkItem", + "IoAllocateWorkItem", "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", + "_stricmp", + "IoFreeWorkItem", + "RtlFreeUnicodeString", + "ZwClose", "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "ExAllocatePoolWithTag", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - 
"ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", - "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeDelayExecutionThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "ZwQuerySecurityObject", - "memcpy", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "IoFreeMdl", - "_purecall", - "IoBuildAsynchronousFsdRequest", "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ObQueryNameString", - "MmGetSystemRoutineAddress", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "MmSystemRangeStart", + "RtlUnwind", + "RtlCopyUnicodeString", "wcsncmp", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - 
"RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", - "IofCompleteRequest", - "ExEventObjectType", + "swprintf", + "IoCreateDevice", + "IoCreateSymbolicLink", + "KeInitializeSpinLock", + "ExfInterlockedInsertTailList", + "RtlInitUnicodeString", + "MmMapLockedPagesSpecifyCache", + "IoFreeMdl", + "InterlockedDecrement", + "InterlockedIncrement", + "InterlockedExchange", + "IoDeleteSymbolicLink", "IoDeleteDevice", + "ExfInterlockedRemoveHeadList", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "strncmp", + "ExFreePool", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeInitializeApc", + "KeInsertQueueApc", + "KeAttachProcess", + "KeDetachProcess", + "NtQuerySystemInformation", + "NdisAllocatePacket", + "NdisCopyFromPacketToPacket", + "NdisAllocateMemory", + "NdisFreePacket", + "NdisAllocateBuffer", + "NdisSetEvent", + "NdisResetEvent", + "NdisFreeBufferPool", + "NdisFreePacketPool", + "NdisFreeMemory", + "NdisWaitEvent", + "NdisQueryAdapterInstanceName", + "NdisOpenAdapter", + "NdisInitializeEvent", + "NdisAllocatePacketPool", + "NdisRegisterProtocol", + "NdisAllocateBufferPool", + "NdisCloseAdapter", + "NdisDeregisterProtocol" + ], + "Signatures": {} + } + ], + "Tags": [ + "daxin_blank6.sys" + ], + "yara": false + }, + { + "Id": "69b924ab-2e4a-4eae-8091-4151c238136e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create b1.sys binPath=C:\\windows\\temp\\b1.sys type=kernel && sc.exe start b1.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "b1.sys", + "SHA256": "a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "b1.sys" + ], + "yara": false + }, + { + "Id": "19d16518-4aee-4983-ba89-dbbe0fa8a3e7", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsrRapidStartDrv.sys binPath=C:\\windows\\temp\\AsrRapidStartDrv.sys type=kernel && sc.exe start AsrRapidStartDrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AsrRapidStartDrv.sys", + "MD5": "31469f1313871690e8dc2e8ee4799b22", + "SHA1": "89cd760e8cb19d29ee08c430fb17a5fd4455c741", + "SHA256": "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb", + "Signature": [ + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "ASROCK Incorporation", + "Company": "RW-Everything", + "Description": "RW-Everything Read & Write Driver", + "Product": "RW-Everything Read & Write Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "RwDrv.sys", + "Authentihash": { + "MD5": "98a9518fefaf056f5804b631e735ff73", + "SHA1": "5ac05af283a3bda3b09ce8ad292ba5c689216b7a", + "SHA256": "913ab7134ea3460e76db753cf68f336ada8f0b9c397be88c75f9567a8694f4a5" + }, + "InternalName": "RwDrv.sys", + "Copyright": "Copyright (C) 2008 RW-Everything", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", + "IofCompleteRequest", + "IoFreeIrp", + "RtlCompareMemory", + "MmUnlockPages", "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - 
"SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ZwSetSecurityObject", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "MmUnlockPages", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", - "ValidFrom": "2015-12-31 00:00:00", - "ValidTo": "2019-07-09 18:40:36", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + 
"ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2016-03-29 00:00:00", - "ValidTo": "2017-06-28 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , 
Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -90656,745 +86925,830 @@ ], "Signer": [ { - "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "AsrRapidStartDrv.sys" + ], + "yara": true + }, + { + "Id": "9074a02a-b1ca-4bfb-8918-5b88e91c04a2", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create superbmc.sys binPath=C:\\windows\\temp\\superbmc.sys type=kernel && sc.exe start superbmc.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35.yara" }, { - "FileName": "TmComm.sys", - "MD5": "85e606523ce390f7fcd8370d5f4b812a", - "SHA1": "55c64235d223baeb8577a2445fdaa6bedcde23db", - "SHA256": "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039", - "Authentihash": { - "MD5": "438eb42132c6fb062033d6effb62813c", - "SHA1": "e6c39b401e841e2351a9daa07b85abf679636f89", - "SHA256": "3ed3d54fb8222d861785f0d7e71d6223278fbf4d0baa335a54813087d7c3674e" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "7.30.0.1065", - "Product": "Trend Micro Eyes", - "ProductVersion": "7.30", - "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. 
All rights reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "superbmc.sys", + "MD5": "3473faea65fba5d4fbe54c0898a3c044", + "SHA1": "910cb12aa49e9f35ecc4907e8304adf0dcca8cf1", + "SHA256": "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35", + "Signature": [ + "Super Micro Computer, Inc.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - 
"??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - 
"??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - "??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - 
"??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3@YAXPEAX_K@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - 
"??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "??_V@YAXPEAX_K@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - 
"?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - 
"?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - 
"?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", 
- "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - 
"?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "AllocFullFileName", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - 
"KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetBackupCommPortAPIs", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "Date": "", + "Publisher": "", + "Company": "Super Micro Computer, Inc.", + "Description": "superbmc", + "Product": "superbmc", + "ProductVersion": "2.0.0.0", + "FileVersion": "2.0.0.0", + "MachineType": "AMD64", + "OriginalFilename": "superbmc.sys", + "Authentihash": { + "MD5": "70f41d3749f4608b64902dd2c1f1e14f", + "SHA1": "c6609cad7208669e4c34f71f682af1a6bcddc11f", + "SHA256": "9c4ffe4815b5755d2609be21ba53c9157e8f71137f06fe35044406b968b80320" + }, + "InternalName": "superbmc", + "Copyright": "Copyright(c) 1993-2015 Super Micro Computer, Inc.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeClearEvent", + 
"IoCreateNotificationEvent", + "IoRegisterShutdownNotification", + "PsCreateSystemThread", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "KeInitializeDpc", + "KeInitializeTimer", + "KeInitializeSemaphore", + "IoCreateDevice", + "RtlAppendUnicodeToString", + "ExAllocatePool", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "ZwClose", + "IoUnregisterShutdownNotification", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IoAllocateErrorLogEntry", + "ObReferenceObjectByHandle", + "IofCompleteRequest", + "ExInterlockedInsertTailList", + "ZwUnmapViewOfSection", + "KeResetEvent", + "ExInterlockedRemoveHeadList", + "PsTerminateSystemThread", + "KeSetPriorityThread", + "KeSetTimer", + "KeCancelTimer", + "KeDelayExecutionThread", + "ExSetTimerResolution", + "KeInitializeEvent", + "KeSetEvent", + "ZwMapViewOfSection", + "ZwOpenSection", + "KeBugCheckEx", + "KeReleaseSemaphore", + "ExFreePoolWithTag", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=California, L=San Jose, O=Super Micro Computer, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=Super Micro Computer, Inc.", + "ValidFrom": "2012-09-14 00:00:00", + "ValidTo": "2015-11-13 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "3676642ba91b1d0bdf1d3ad0a6efaf4b", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "superbmc.sys" + ], + "yara": true + }, + { + "Id": "268e87ba-ad44-4f3c-986f-26712cac68da", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + 
"Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Phymemx64.sys binPath=C:\\windows\\temp\\Phymemx64.sys type=kernel && sc.exe start Phymemx64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "Phymemx64.sys", + "MD5": "715572dfe6fb10b16f980bfa242f3fa5", + "SHA1": "f42f28d164205d9f6dab9317c9fecad54c38d5d2", + "SHA256": "19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0", + "Signature": [ + "Huawei Technologies Co.,Ltd.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "4325af5c85aa7bb0339389cf54d78817", + "SHA1": "3c9f40ac72b0202cb40627fdeb7298079187193a", + "SHA256": "a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ObReferenceObjectByHandle", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "RtlCopyUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + 
"Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Huawei Technologies Co.,Ltd., OU=Handset Engineer Testing Department (Dongguan), CN=Huawei Technologies Co.,Ltd.", + "ValidFrom": "2014-08-26 00:00:00", + "ValidTo": "2017-10-24 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "4c1a3d7c5bdaef3e1166416afe8138e9", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "Phymemx64.sys", + "MD5": "e7ab83a655b0cd934a19d94ac81e4eec", + "SHA1": "6ecfc7ccc4843812bfccfb7e91594c018f0a0ff9", + "SHA256": "88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "4325af5c85aa7bb0339389cf54d78817", + "SHA1": "3c9f40ac72b0202cb40627fdeb7298079187193a", + "SHA256": "a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66" + }, 
+ "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ObReferenceObjectByHandle", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "RtlCopyUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "HalTranslateBusAddress", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Huawei Technologies Co., Ltd., OU=Consumer Business Group, CN=Huawei Technologies Co., Ltd.", + "ValidFrom": "2017-10-30 00:00:00", + "ValidTo": "2021-01-23 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", + "ValidFrom": "2013-12-10 00:00:00", 
+ "ValidTo": "2023-12-09 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "6e715e33f17ad55bcbf98c1f14d21f2f", + "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "Phymemx64.sys" + ], + "yara": false + }, + { + "Id": "34fa6ba4-dc7c-4fd6-b947-8a0bb8ebd031", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create amifldrv64.sys binPath=C:\\windows\\temp\\amifldrv64.sys type=kernel && sc.exe start amifldrv64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "amifldrv64.sys", + "MD5": "0dff47f3b14fb1c1bad47cc517f0581a", + "SHA1": "db3538f324f9e52defaba7be1ab991008e43d012", + "SHA256": "20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb", + "Authentihash": { + "MD5": "d63561be67c8adae1db28b0e503b3ba1", + "SHA1": "8e67628743959e8b73d82ae5b9ee7a387a51925d", + "SHA256": "6999caca67b37860abb5e6d95420d1b0d04966bc6674aac3bfde4e2394ad37fd" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmGetPhysicalAddress", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 
19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing 
CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "ee57cbe6ec6a703678eaa6c59542ff57", + "SHA1": "c614ab686e844c7a7d2b20bc7061ab15290e2cfd", + "SHA256": "2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae", + "Authentihash": { + "MD5": "05c371cbcccf828fd3c9251ba2f61442", + "SHA1": "73265b25f043d2520b81a68ad0342baaff30e7cf", + "SHA256": "bee62b69023212a5a964d323f60e5858d7cbd767a39f3d5ef87cacb080b1dbf2" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmMapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "PsGetVersion", + "MmIsAddressValid", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "DbgPrint", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmMapLockedPagesSpecifyCache", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=US, ??=Georgia, serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2014-06-24 00:00:00", + "ValidTo": "2017-08-30 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "df5f8e118a97d1b38833fcdf7127ab29", + "SHA1": "5fece994f2409810a0ad050b3ca9b633c93919e4", + "SHA256": "36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d", + "Authentihash": { + "MD5": "28f8b0bdf1fc0b1d065ed3236931fab3", + "SHA1": "b7b33ed598425c008e51ff90cf28b288f7250cdd", + "SHA256": "a4e850e7847499e7d4c2754f8a4973fc5b4adeb728e1e142d1d35d519edf3274" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ + "ZwMapViewOfSection", "RtlInitUnicodeString", - "KeInitializeEvent", - "KeClearEvent", - "KeSetEvent", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KeWaitForSingleObject", - "ExFreePoolWithTag", - "ExAcquireFastMutexUnsafe", - "ExReleaseFastMutexUnsafe", - "ProbeForRead", - "ProbeForWrite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoFreeMdl", - "IoGetCurrentProcess", - "ObfReferenceObject", - "ObfDereferenceObject", + "ZwUnmapViewOfSection", "ZwClose", - "ZwCreateSection", + "ObReferenceObjectByHandle", 
"ZwOpenSection", + "MmUnmapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmGetPhysicalAddress", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "5a00ce1b66cc04a3be37c0926957fc54b1f2904c69a3555d90a15e3c7b7133e76583a0fe5c13c21cdddda40e6f0ba958964796abcfbb7fbe4de15a009f80e653556e29cac9d208645b8154f52f6045fa268f6e6b57536f21833f2cc92c5e9a51636cfeaa74f0b8ab80a8649d68c7c46f51a534c0697a426aa37337c7956268f4cdc8d88adbd1aa0cb620abeb7166172e914016c84e00824751b4f7142b54c56b74d578fd97aadda3e8e777ec22c34460a8dc7e0392a9adab018b16699d9ddd7551fd5c5924f3d1ccb9e6ef67ca0ab2107d1abf158add6d42ba18dee5ec35e3445627df4744d71f73ee3a199aaa42993ebaaa7f91f8b6d1b623350744853c1b38", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "785045f8b25cd2e937ddc6b09debe01a", + "SHA1": "029c678674f482ababe8bbfdb93152392457109d", + "SHA256": "37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba", + "Authentihash": { + "MD5": "51219fe8395e9ac49d271ccf7fde2512", + "SHA1": "6aeb587edcd01289abc84316ae88959c235663fe", + "SHA256": "af20c1b4eb703083979e6f4e211327495f7a0a27ace9a52bd22dd3737be7a8b1" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "ZwMapViewOfSection", + "RtlInitUnicodeString", "ZwUnmapViewOfSection", - "ZwOpenEvent", - "KePulseEvent", - 
"KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "ZwSetEvent", - "__C_specific_handler", - "PsProcessType", - "wcslen", - "wcsncpy", - "wcsrchr", - "RtlUnicodeStringToInteger", - "ZwWaitForSingleObject", - "ZwRequestWaitReplyPort", - "ZwConnectPort", - "_stricmp", - "ExAllocatePoolWithTag", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmMapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "PsGetVersion", "MmIsAddressValid", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", - "ObGetObjectSecurity", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "PsThreadType", - "MmSectionObjectType", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "KeDelayExecutionThread", - "ExGetPreviousMode", + "IoAllocateMdl", + "MmAllocateContiguousMemory", "DbgPrint", - "swprintf", - "RtlCopyUnicodeString", + "IoDeleteSymbolicLink", + "IoDeleteDevice", "IofCompleteRequest", "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwCreateFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", - "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "PsGetCurrentThreadId", - "ObQueryNameString", 
- "PsGetVersion", - "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", - "wcscat", - "RtlFreeUnicodeString", - "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", - "ExSystemTimeToLocalTime", - "ZwCreateKey", - "ZwDeviceIoControlFile", - "ZwNotifyChangeKey", - "ZwOpenFile", - "ZwQueryVolumeInformationFile", - "mbstowcs", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "IoCreateFile", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlUpcaseUnicodeChar", - "_snwprintf", - "strlen", - "_strnicmp", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "ObOpenObjectByName", - "KeSetPriorityThread", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "KeNumberProcessors", - "RtlLengthSecurityDescriptor", - "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwDuplicateObject", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", - "NtCreateFile", - "NtQueryInformationFile", - "NtSetInformationFile", - "IoFileObjectType", - "ObInsertObject", - "wcschr", - "wcsncmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IoFreeIrp", - "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", - "NtClose", - "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", - "MmSystemRangeStart", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "strcpy", - "wcsstr", - "RtlCompareUnicodeString", - "DbgPrintEx", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ExAllocatePool", - "ExpInterlockedPopEntrySList", - 
"IoBuildSynchronousFsdRequest", - "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", - "FsRtlIsNameInExpression", - "IoDeviceObjectType", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "RtlLengthSid", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlAbsoluteToSelfRelativeSD", - "RtlAnsiStringToUnicodeString", - "_purecall", - "KeBugCheckEx" + "KeBugCheckEx", + "MmMapLockedPagesSpecifyCache", + "MmUnmapIoSpace", + "HalTranslateBusAddress" ], "Signatures": [ { 
@@ -91402,3559 +87756,6453 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "??=Private Organization, ??=US, ??=Georgia, serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2014-06-24 00:00:00", + "ValidTo": "2017-08-30 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "497c4fad471540e6e453d0cafb155740", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "6e25148bb384469f3d5386dc5217548a", - "SHA1": "dbf6e72c08824fe49c29b7660c9965c37d983e93", - "SHA256": "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f", + "FileName": "amifldrv.sys", + "MD5": "119f0656ab4bb872f79ee5d421e2b9f9", + "SHA1": 
"e35969966769e7760094cbcffb294d0d04a09db6", + "SHA256": "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20", "Authentihash": { - "MD5": "2778b2480e305bca99547b921a96ede5", - "SHA1": "69044e94c725b1536c4f721b5a0cd9816581c745", - "SHA256": "eb14c5db8307488809897be13c66ef02941f6020f9c34a9664db92a00d551f4a" + "MD5": "973ff01a8901563e12119ca09b427e8e", + "SHA1": "9f8870ec272933ee6f4e1eda975a6d5db5f9fbde", + "SHA256": "4f35cf1f2e0fb87a2728303091ee505a0bc546cf63dcd38178adf48477ec0f91" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1128", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", + "Description": "AMI Generic Utility Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "amifldrv.sys", + "OriginalFilename": "amifldrv.sys", + "FileVersion": "10.0.10011.16384", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "10.0.10011.16384", + "Copyright": "© Microsoft Corporation. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetPhysicalAddress", + "RtlInitUnicodeString", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeLowerIrql", + "MmBuildMdlForNonPagedPool", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "KfRaiseIrql", + "RtlCompareMemory", + "HalTranslateBusAddress" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - 
"??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - 
"??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - 
"??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - 
"??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - 
"?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - 
"?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - 
"?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - 
"?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - 
"?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetFileVersionOfNtoskrnl@16", - "_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - 
"_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert 
Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "530feb1e37831302f58b7c219be6b844", + "SHA1": "1e09f3dd6ba9386fa9126f0116e49c2371401e01", + "SHA256": "3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134", + "Authentihash": { + "MD5": "aefe7422cfe20a6f576092d04a592311", + "SHA1": "943a16dde2e44f7bae629f62cf937cceb10ec1b4", + "SHA256": "7e8e7bc080b4c32ce703b3e8b3cc7e13fa9ef2422dc6f370a2c2b82496564aae" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeLowerIrql", + "KfRaiseIrql", + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlMoveMemory", + "IofCompleteRequest", + "RtlZeroMemory", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoAllocateMdl", + "MmMapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + 
"Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2006-09-30 00:00:00", + "ValidTo": "2009-11-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "c098f8aeb67eeb2262dbf681690a9306", + "SHA1": "7e8efd93a1dad02385ec56c8f3b1cfd23aa47977", + "SHA256": "5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa", + "Authentihash": { + "MD5": "f2a4fd2aae63ffe766a7a8d2d775a59e", + "SHA1": "52008f007e84756ba84dacb7cbb465e592dfe260", + "SHA256": "d259e9b1d04b5fa966094f15f8edbaeba5da2a14bf34bf0a5490a0e308c025d7" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoAllocateMdl", + "MmMapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2010-05-07 00:00:00", + "ValidTo": "2012-05-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1ecbf523c0f14748fe14841dbb88c365", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "f22740ba54a400fd2be7690bb204aa08", + "SHA1": "5812387783d61c6ab5702213bb968590a18065e3", + "SHA256": 
"65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9", + "Authentihash": { + "MD5": "4bb9654a5a20bc189b000d4a2fba5856", + "SHA1": "444ce1608768884d1e9742f80ccf4f53e0aa709d", + "SHA256": "d052299252f0f0bd70b5e7c46b9ca71a99a052b47f693582becb6f0d567e8245" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "PsGetVersion", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "DbgPrint", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmMapLockedPagesSpecifyCache", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": 
"5a00ce1b66cc04a3be37c0926957fc54b1f2904c69a3555d90a15e3c7b7133e76583a0fe5c13c21cdddda40e6f0ba958964796abcfbb7fbe4de15a009f80e653556e29cac9d208645b8154f52f6045fa268f6e6b57536f21833f2cc92c5e9a51636cfeaa74f0b8ab80a8649d68c7c46f51a534c0697a426aa37337c7956268f4cdc8d88adbd1aa0cb620abeb7166172e914016c84e00824751b4f7142b54c56b74d578fd97aadda3e8e777ec22c34460a8dc7e0392a9adab018b16699d9ddd7551fd5c5924f3d1ccb9e6ef67ca0ab2107d1abf158add6d42ba18dee5ec35e3445627df4744d71f73ee3a199aaa42993ebaaa7f91f8b6d1b623350744853c1b38", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "24156523b923fd9dcfdd0ac684dcdb20", + "SHA1": "ff9048c451644c9c5ff2ba1408b194a0970b49e6", + "SHA256": "6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a", + "Authentihash": { + "MD5": "229a8958720d362fab81a2b527e717a2", + "SHA1": "2cea31932e00c69e6f1bb0b0bf6b16b8c72dc3f6", + "SHA256": "aef3985caa213c9e5e0a0d5e75a9a7918a92c08690b5a04a6b14d6372c2dd71c" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmMapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "PsGetVersion", + "MmIsAddressValid", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmGetPhysicalAddress", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=US, ??=Georgia, serialNumber=780491, ??=5555 Oakbrook Parkway Suite 200, postalCode=30093, C=US, ST=Georgia, L=Norcross, O=American 
Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2014-06-24 00:00:00", + "ValidTo": "2017-08-30 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "09f43c81c1eb27876ee1aefeaa5a0f5d", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "7331720a5522d5cd972623326cf87a3f", + "SHA1": "456a1acacaa02664517c2f2fb854216e8e967f9d", + "SHA256": "b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441", + "Authentihash": { + "MD5": "d5816277859ccb21e901e3ce39f6e929", + "SHA1": "d240db93654ce2685d3b903db809edcc82322dfc", + "SHA256": "05e2d2f2b58da5391598d30d7f5f33ae38cfeb0d9b9ae19b4312de39c678f301" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoAllocateMdl", + "MmMapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 
00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2006-09-30 00:00:00", + "ValidTo": "2009-11-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "2971d4ee95f640d2818e38d8877c8984", + "SHA1": 
"28fa0e9429af24197134306b6c7189263e939136", + "SHA256": "bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248", + "Authentihash": { + "MD5": "fac2590714168b1e586ff99a1f2322de", + "SHA1": "2d6cd59a2df6883bfec777ddfe7d10c50555e2cb", + "SHA256": "846cc7c9bf2eab3400e66481568a010fb0dfbac01416a99258a4baabf1e10d35" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoAllocateMdl", + "MmMapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" 
+ }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2010-05-07 00:00:00", + "ValidTo": "2012-05-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1ecbf523c0f14748fe14841dbb88c365", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "2503c4cf31588f0b011eb992ca3ee7ff", + "SHA1": "e700fcfae0582275dbaee740f4f44b081703d20d", + "SHA256": "c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247", + "Authentihash": { + "MD5": 
"b1ea291940f1ae17794e05b8275fd130", + "SHA1": "dc0d3d244d27b85e10135fff8d34a76c17022ee1", + "SHA256": "96cb847fab0befab75a6f39080dd444d022d4bec73017c9d7187fe6282a0faa1" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "PsGetVersion", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "DbgPrint", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmMapLockedPagesSpecifyCache", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": 
"19334a0c813337dbad36c9e4c93abbb51b2e7aa2e2f44342179ebf4ea14de1b1dbe981dd9f01f2e488d5e9fe09fd21c1ec5d80d2f0d6c143c2fe772bdbf9d79133ce6cd5b2193be62ed6c9934f88408ecde1f57ef10fc6595672e8eb6a41bd1cd546d57c49ca663815c1bfe091707787dcc98d31c90c29a233ed8de287cd898d3f1bffd5e01a978b7cda6dfba8c6b23a666b7b01b3cdd8a634ec1201ab9558a5c45357a860e6e70212a0b92364a24dbb7c81256421becfee42184397bba53706af4dff26a54d614bec4641b865ceb8799e08960b818c8a3b8fc7998ca32a6e986d5e61c696b78ab9612d93b8eb0e0443d7f5fea6f062d4996aa5c1c1f0649480", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "e5e8ecb20bc5630414707295327d755e", + "SHA1": "06ecf73790f0277b8e27c8138e2c9ad0fc876438", + "SHA256": "e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f", + "Authentihash": { + "MD5": "83a8c462f323e93e725875f6e96c8727", + "SHA1": "c42feaa6c9788b7161b765f725070204f7b5e3ec", + "SHA256": "709ab95302bb44c7a7dafaf342ca933422ea03ed7b492be204a319161feb350e" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwMapViewOfSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "ZwClose", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "MmUnmapLockedPages", + "MmFreeContiguousMemory", + "MmBuildMdlForNonPagedPool", + 
"IoFreeMdl", + "MmMapIoSpace", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "MmAllocateContiguousMemory", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "KeBugCheckEx", + "MmGetPhysicalAddress", + "MmUnmapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", 
+ "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + }, + { + "FileName": "amifldrv64.sys", + "MD5": "1f7b2a00fe0c55d17d1b04c5e0507970", + "SHA1": "eb1ecad3d37bb980f908bf1a912415cff32e79e6", + "SHA256": "fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2", + "Authentihash": { + "MD5": "9e725819820804fbf377917e9e7a3333", + "SHA1": "b0ec7d971da8ae84c0ed8f88a5d46b23996e636c", + "SHA256": "038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ZwClose", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "MmFreeContiguousMemory", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IoAllocateMdl", + "MmMapIoSpace", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., 
CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2006-09-30 00:00:00", + "ValidTo": "2009-11-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + 
"Signer": [ + { + "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "amifldrv.sys", + "MD5": "7b9717c608a5f5a1c816128a609e9575", + "SHA1": "ec457a53ea03287cbbd1edcd5f27835a518ef144", + "SHA256": "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f", + "Authentihash": { + "MD5": "08cac606d72411c22b1400d755a2b6e3", + "SHA1": "6055dbc453c111e57c85ec8cfad9e6e11421c8d4", + "SHA256": "5167b33a95b4db0a1244cb3b95d4024587d9a5a95222babb033210e6b111d2fb" + }, + "Description": "AMI Generic Utility Driver", + "Company": "Windows (R) Win 7 DDK provider", + "InternalName": "amifldrv.sys", + "OriginalFilename": "amifldrv.sys", + "FileVersion": "10.0.10011.16384", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "10.0.10011.16384", + "Copyright": "© Microsoft Corporation. All rights reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmMapLockedPagesSpecifyCache", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "IoAllocateMdl", + "IoFreeMdl", + "MmGetPhysicalAddress", + "RtlInitUnicodeString", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeLowerIrql", + "KfRaiseIrql", + "MmBuildMdlForNonPagedPool", + "MmUnmapIoSpace", + "ObReferenceObjectByHandle", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "MmMapIoSpace", + "RtlCompareMemory", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=US, ??=Georgia, ??=Private Organization, serialNumber=J912954, C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., CN=American Megatrends, Inc.", + "ValidFrom": "2017-08-30 00:00:00", + "ValidTo": "2020-09-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": 
"2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0e55cdb4e7e8eeb9dd5d89fc1d7588ca", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + } + ], + "Tags": [ + "amifldrv64.sys" + ], + "yara": false + }, + { + "Id": "33a9c9ae-5ca3-442d-9f0f-2615637c1c57", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create ntbios_2.sys binPath=C:\\windows\\temp \\n \\n \\n tbios_2.sys type=kernel && sc.exe start ntbios_2.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { 
+ "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "ntbios_2.sys", + "MD5": "50b39072d0ee9af5ef4824eca34be6e3", + "SHA1": "064de88dbbea67c149e779aac05228e5405985c7", + "SHA256": "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c", + "Signature": "Unsigned", + "Date": "3:04 AM 5/18/2009", + "Publisher": "n/a", + "Company": "Microsoft Corporation", + "Description": "ntbios driver", + "Product": " Microsoft(R) Windows (R) NT Operating System", + "ProductVersion": "5, 0, 2, 1", + "FileVersion": "5, 0, 2, 1", + "MachineType": "I386", + "OriginalFilename": "ntbios.sys", + "Authentihash": { + "MD5": "a8e3b56b72814a842b557bfb6638b484", + "SHA1": "50231e21b8d8b2916d0fd53f3f58c6314473de1f", + "SHA256": "59177fb7a0b11837368af1cc115f0d011ea19551070bd153795204ae1bd12e52" + }, + "InternalName": "ntbio.sys", + "Copyright": "版权所有 (C) 2003", + "Imports": [ + "NTOSKRNL.EXE", + "HAL.DLL", + "ntoskrnl.exe", + "NDIS.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnlockPages", + "MmProbeAndLockPages", + "IoAllocateMdl", + "IoQueueWorkItem", + "IoAllocateWorkItem", + "IoGetCurrentProcess", + "_stricmp", + "IoFreeWorkItem", + "RtlFreeUnicodeString", + "ZwClose", + "ZwWriteFile", + "ZwCreateFile", + "RtlAnsiStringToUnicodeString", + "_strnicmp", + "RtlUnwind", + "RtlCopyUnicodeString", + "wcsncmp", + "swprintf", + "IoCreateDevice", + "IoCreateSymbolicLink", + "KeInitializeSpinLock", + "ExfInterlockedInsertTailList", + "RtlInitUnicodeString", + "MmMapLockedPagesSpecifyCache", + "IoFreeMdl", + "InterlockedDecrement", + "InterlockedIncrement", + "InterlockedExchange", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + 
"ExfInterlockedRemoveHeadList", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "strncmp", + "ExFreePool", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeInitializeApc", + "KeInsertQueueApc", + "KeAttachProcess", + "KeDetachProcess", + "NtQuerySystemInformation", + "NdisAllocatePacket", + "NdisCopyFromPacketToPacket", + "NdisAllocateMemory", + "NdisFreePacket", + "NdisAllocateBuffer", + "NdisSetEvent", + "NdisResetEvent", + "NdisFreeBufferPool", + "NdisFreePacketPool", + "NdisFreeMemory", + "NdisWaitEvent", + "NdisQueryAdapterInstanceName", + "NdisOpenAdapter", + "NdisInitializeEvent", + "NdisAllocatePacketPool", + "NdisRegisterProtocol", + "NdisAllocateBufferPool", + "NdisCloseAdapter", + "NdisDeregisterProtocol" + ], + "Signatures": {} + } + ], + "Tags": [ + "ntbios_2.sys" + ], + "yara": true + }, + { + "Id": "29cb263b-b0b0-40d5-a97d-5ddf4ba79c1e", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create goad.sys binPath=C:\\windows\\temp\\goad.sys type=kernel && sc.exe start goad.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/jbaines-r7/dellicious", + " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "goad.sys", + "MD5": "312e31851e0fc2072dbf9a128557d6ef", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "goad.sys" + ], + "yara": false + }, + { + "Id": 
"a4eabc75-edf6-4b74-9a24-6a26187adabf", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create dbutil_2_3.sys binPath=C:\\windows\\temp\\dbutil_2_3.sys type=kernel && sc.exe start dbutil_2_3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "dbutil_2_3.sys", + "MD5": "c996d7971c49252c582171d9380360f2", + "SHA1": "c948ae14761095e4d76b55d9de86412258be7afd", + "SHA256": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5", + "Signature": [ + "Dell Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "Dell Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "e593dd14a41fd9a6cb42fdae324c3092", + "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", + "SHA256": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeSetImportanceDpc", + "KeSetTargetProcessorDpc", + "MmFreeContiguousMemorySpecifyCache", + "KeSetPriorityThread", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeDpc", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "KeInsertQueueDpc", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": 
"", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Dell Inc.", + "ValidFrom": "2006-12-15 00:00:00", + "ValidTo": "2010-01-10 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + 
} + ], + "Signer": [ + { + "SerialNumber": "18a686a1229059017a672136ac2e7265", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "Filename": "dbutil_2_3.sys", + "MD5": "c996d7971c49252c582171d9380360f2", + "SHA1": "c948ae14761095e4d76b55d9de86412258be7afd", + "SHA256": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5", + "Signature": [ + "Dell Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "Dell Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "e593dd14a41fd9a6cb42fdae324c3092", + "SHA1": "e3c1dd569aa4758552566b0213ee4d1fe6382c4b", + "SHA256": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeSetImportanceDpc", + "KeSetTargetProcessorDpc", + "MmFreeContiguousMemorySpecifyCache", + "KeSetPriorityThread", + "RtlInitUnicodeString", + "IoDeleteDevice", + "KeInitializeDpc", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "KeInsertQueueDpc", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + 
"ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Texas, L=Round Rock, O=Dell Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Dell Inc.", + "ValidFrom": "2006-12-15 00:00:00", + "ValidTo": "2010-01-10 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "18a686a1229059017a672136ac2e7265", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + } + ], + "Tags": [ + "dbutil_2_3.sys" + ], + "yara": false + }, + { + "Id": "e9b099f6-8a12-46f0-a540-40e88cf0ce17", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create nstrwsk.sys binPath=C:\\windows\\temp \\n \\n \\n strwsk.sys type=kernel && sc.exe start nstrwsk.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " 
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "nstrwsk.sys", + "SHA256": "3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "nstrwsk.sys" + ], + "yara": false + }, + { + "Id": "a7775cbe-624b-4b04-b74f-969f77c2ac02", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create viragt64.sys binPath=C:\\windows\\temp\\viragt64.sys type=kernel && sc.exe start viragt64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": 
"sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "viragt64.sys", + "MD5": "43830326cd5fae66f5508e27cbec39a0", + "SHA1": "05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d", + "SHA256": "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", + "Signature": [ + "TG Soft S.a.s. Di Tonello Gianfranco e C.", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "TG Soft S.a.s.", + "Description": "VirIT Agent System", + "Product": "VirIT Agent System", + "ProductVersion": "1, 0, 0, 11", + "FileVersion": "1, 0, 0, 11", + "MachineType": "AMD64", + "OriginalFilename": "viragt64.sys", + "Authentihash": { + "MD5": "68a2f77cfa5aec4556b4276852be637f", + "SHA1": "0188096c79f0cdde9233e52d4117c0f53e667e3d", + "SHA256": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78" + }, + "InternalName": "viragt.sys", + "Copyright": "Copyright (C) TG Soft S.a.s. 
2011, 2016 - www.tgsoft.it", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "mbstowcs", + "ExAllocatePoolWithTag", + "KeSetTargetProcessorDpc", + "ZwCreateKey", + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "KeInitializeMutex", + "RtlAnsiStringToUnicodeString", + "ZwReadFile", + "strstr", + "RtlInitUnicodeString", + "IoDeleteDevice", + "RtlInitAnsiString", + "ZwSetValueKey", + "_strupr", + "KeInitializeDpc", + "ZwQuerySystemInformation", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "ZwSetInformationFile", + "KeReleaseMutex", + "KeDelayExecutionThread", + "ZwCreateFile", + "PsCreateSystemThread", + "MmMapLockedPagesSpecifyCache", + "ExSystemTimeToLocalTime", + "ZwQueryValueKey", + "PsTerminateSystemThread", + "KeInsertQueueDpc", + "ZwEnumerateValueKey", + "ZwClose", + "sprintf", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "RtlTimeToTimeFields", + "MmProbeAndLockPages", + "ZwOpenProcess", + "MmUnlockPages", + "IoCreateSymbolicLink", + "MmIsAddressValid", + "ObfDereferenceObject", + "IoCreateDevice", + "ZwTerminateProcess", + "KeNumberProcessors", + "ZwQueryInformationFile", + "MmIsNonPagedSystemAddressValid", + "ZwWriteFile", + "ZwDeleteKey", + "RtlFormatCurrentUserKeyPath", + "ZwEnumerateKey", + "IoAllocateMdl", + "ZwOpenKey", + "ObOpenObjectByName", + "swprintf", + "RtlUnicodeStringToAnsiString", + "ZwOpenDirectoryObject", + "IoFileObjectType", + "IoDriverObjectType", + "ZwQueryDirectoryObject", + "wcstombs", + "KeQueryActiveProcessors", + "KeBugCheckEx", + "IofCompleteRequest", + "ExQueueWorkItem", + "__C_specific_handler", + "__chkstk", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", + "ValidFrom": "2016-01-20 00:00:00", + "ValidTo": "2019-03-11 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "viragt64.sys" + ], + "yara": true + }, + { + "Id": "e299b0b6-e5e2-45b3-bf0b-c008068cebfa", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BS_Flash64.sys binPath=C:\\windows\\temp\\BS_Flash64.sys type=kernel && sc.exe start BS_Flash64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + 
"Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "BS_Flash64.sys", + "MD5": "f5051c756035ef5de9c4c48bacb0612b", + "SHA1": "e83458c4a6383223759cd8024e60c17be4e7c85f", + "SHA256": "86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219", + "Signature": [ + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "cf428ad377e1fd1a045e058b896fcee2", + "SHA1": "5107438a02164e1bcedd556a786f37f59cd04231", + "SHA256": "543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "RtlFreeUnicodeString", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlAnsiStringToUnicodeString", + "RtlInitString", + "IofCompleteRequest", + "MmMapLockedPages", + "IoDeleteSymbolicLink", + "RtlInitUnicodeString", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "MmUnmapIoSpace", + "MmMapIoSpace", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + 
"Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": "2006-09-25 00:00:00", + "ValidTo": "2007-10-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "49a570277854e9481d38e34c081226ee", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + } + ], + "Tags": [ + "BS_Flash64.sys" + ], + "yara": false + }, + { + "Id": "a285591e-ad3c-46a3-a648-c58589ff5efc", + "Author": "Michael Haag", + "Created": "2023-05-22", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create amsdk.sys binPath=C:\\windows\\temp\\amsdk.sys type=kernel && sc.exe start amsdk.sys", + "Description": "Vulnerable driver found in https://github.com/hfiref0x/KDU.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://github.com/magicsword-io/LOLDrivers/issues/55#issuecomment-1537161951" + ], + "Acknowledgement": { + "Person": "hfiref0x", + "Handle": "hfiref0x" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "amsdk.sys", + "MD5": "eb525d99a31eb4fff09814e83593a494", + "SHA1": "290d6376658cf0f8182de0fae40b503098fa09fd", + "SHA256": "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Copyright 2018.", + "Description": "Advanced Malware Protection", + "Product": "Advanced Malware Protection", + "ProductVersion": "3.0.0.000", + "FileVersion": "3.0.0.000", + "MachineType": "AMD64", + "OriginalFilename": "ZAM.exe", + "Authentihash": { + "MD5": "89627ebd29f4ae929d7f40fd4dabead3", + "SHA1": "084553447bdbc056bbe49bad8acfaf25eb83462a", + "SHA256": "60571dbcaec96d9517e0d116d066e70ae747aa4396d7857b2eea0f4c1a5a70b4" + }, + "InternalName": "", + "Copyright": "Copyright 2018. 
All rights reserved.", + "Imports": [ + "FLTMGR.SYS", + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "FltRegisterFilter", + "FltUnregisterFilter", + "FltStartFiltering", + "FltAllocatePoolAlignedWithTag", + "FltFreePoolAlignedWithTag", + "FltGetFileNameInformation", + "FltReleaseFileNameInformation", + "FltParseFileNameInformation", + "FltReadFile", + "FltQueryInformationFile", + "FltCancelFileOpen", + "FltAllocateContext", + "FltSetStreamHandleContext", + "FltGetStreamHandleContext", + "FltReleaseContext", + "FltCreateCommunicationPort", + "FltCloseCommunicationPort", + "FltSendMessage", + "FltBuildDefaultSecurityDescriptor", + "strstr", + "wcsstr", + "RtlInitUnicodeString", + "RtlCopyUnicodeString", + "DbgPrint", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ProbeForRead", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwCreateFile", + "ZwClose", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", + "ZwWriteFile", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", + "IoAllocateMdl", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + 
"IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "IoCreateDevice", + "ObOpenObjectByPointer", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "_wcsnicmp", + "RtlLengthSid", + "RtlAddAccessAllowedAce", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + 
"ZwCreateKey", + "RtlFreeUnicodeString" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2018-09-19 00:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Code Signing Root R45", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2029-03-18 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "??=Private Organization, serialNumber=460726, ??=US, ??=Idaho, C=US, ST=Idaho, L=Boise, ??=702 W Idaho Street Suite 1100, O=WATCHDOGDEVELOPMENT.COM, LLC, CN=WATCHDOGDEVELOPMENT.COM, LLC", + "ValidFrom": "2021-04-21 14:24:27", + "ValidTo": "2022-03-25 19:57:48", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020", + "ValidFrom": "2020-07-28 00:00:00", + "ValidTo": "2030-07-28 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "1f7b0de3090ee13a436315a6", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign GCC R45 EV CodeSigning CA 2020" + } + ] + } + ] + } + ], + "Tags": [ + "amsdk.sys" + ], + "yara": true + }, + { + "Id": "868c6920-f6cb-4088-8277-095a1358abe1", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create GLCKIO2.sys binPath=C:\\windows\\temp\\GLCKIO2.sys type=kernel && sc.exe start GLCKIO2.sys", + "Description": "", + "Usecase": "Elevate 
privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "GLCKIO2.sys", + "MD5": "e700a820f117f65e813b216fccbf78c9", + "SHA1": "2dfcb799b3c42ecb0472e27c19b24ac7532775ce", + "SHA256": "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25", + "Signature": [ + "ASUSTeK Computer Inc.", + "DigiCert SHA2 High Assurance Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "505c5b85b442f9159ba715d4867f9ac4", + "SHA1": "83644f9ece6d6ef3517e1829595c52380922ed35", + "SHA256": "25a0854ef48a4dfbc7f04e94d2b11757e3613b241d39d46a19cb389ce42887e4" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmGetSystemRoutineAddress", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "RtlInitUnicodeString", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2015-07-27 00:00:00", + "ValidTo": "2018-08-01 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, 
CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "6a0eff7e137c06a54bc02e8cf9536409e2ba58913050eccc9fe1d3a82f4846361829d078285f9856400f1ebabdb13b875cdc5bd8200ded1a164dd51124214bf127699013eb11a101dafdb54e795975bd382a6ac3f68e412b8aa28bd72c5151d99ca0c8e34eba6ca847d24ed1681f8c02573bb3296a8e6a202ab9f2006264bac8e900f9cca4d4ba9a35d8af2c656c167c5821de4a30d0faeb245d06c99d16b7ad4a45d325e20cf040aa5c4dac7ecd0682b976466908d832b682fee3a95834431b8e6767973f6831163638953e87f7c7c3af9d7a7719d9de93b5fd6e2bfc94f93db74c12352c30bee88d9e05709a4813f48cd6e71eac38e7a8f3ad0cb77aec67ed", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "081666295845159f57ae88f441bf237e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "GLCKIO2.sys", + "MD5": "d253c19194a18030296ae62a10821640", + "SHA1": "cc51be79ae56bc97211f6b73cc905c3492da8f9d", + "SHA256": "61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0", + 
"Signature": [ + "ASUSTeK Computer Inc.", + "DigiCert SHA2 High Assurance Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "ASUSTeK Computer Inc.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "86b5239d6b6fe0d6fad286f809d7571a", + "SHA1": "d99b80b3269d735cac43af5e43483e64ca7961c3", + "SHA256": "47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "MmGetSystemRoutineAddress", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "RtlInitUnicodeString", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=TW, ST=Taipei, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.", + "ValidFrom": "2015-07-27 00:00:00", + "ValidTo": "2018-08-01 12:00:00", + "Signature": "2948e468e6568d1fedd506d0da7e29571b2a943cf7e9c221d7724383882eec14c491862ca1e2e56951e303305332234a0434b832e00953a239ab49df85d1fb32325a6a9a8ba53493c9d0c161cad6557aec67738ee61cbfdd01646b97c7f4a8c3f96bb76573bbec2ca86ed604cd9b6c373bf494c2b4841b2d1816b944813f3345f551bd6b22b37be6e0eb71ccfde21911624acb7d8675be96c911a67839285c5f72b991ff235d0fa7361b01ce420eed7425d7b98941b7ab278bd02e8e75f5695560c278ce556ce884921f15fb5688fca91ba4fff3bda818689671e834e37e4d4e1802e7d7e0692087fba38845fb672d5091e8e3c8af16accf318e000a89b53fe5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": 
"2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "081666295845159f57ae88f441bf237e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "GLCKIO2.sys" + ], + "yara": false + }, + { + "Id": "142453a2-a24d-4b35-8922-6d5939f1c0fc", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create semav6msr.sys binPath=C:\\windows\\temp\\semav6msr.sys type=kernel && sc.exe start semav6msr.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, 
+ "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "semav6msr.sys", + "MD5": "07f83829e7429e60298440cd1e601a6a", + "SHA1": "643383938d5e0d4fd30d302af3e9293a4798e392", + "SHA256": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", + "Signature": [ + "Intel(R) Code Signing External", + "Intel External Basic Issuing CA 3B", + "Intel External Basic Policy CA", + "Sectigo (AddTrust)" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "79553d83580570e382d3b9c7e101df2b", + "SHA1": "e3dbe2aa03847df621591a4cad69a5609de5c237", + "SHA256": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeQueryActiveProcessors", + "KeQueryActiveProcessorCount", + "IoDeleteSymbolicLink", + "KeSetSystemAffinityThreadEx", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "KeRevertToUserAffinityThreadEx", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlAssert", + "DbgPrint", + "KeBugCheckEx", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Code Signing External", + "ValidFrom": "2015-04-16 17:22:30", + "ValidTo": "2016-04-15 17:22:30", + "Signature": 
"47ef93216b05a90df10512c9bb24dc20894c255a5943bd567c461f9d76dd3bfeebd65fa524ed3774b4894150c798d9647d64b8c45e0516cf03bdbc819185f494db80e56758fbad4b62f3aed983120533327039d23d550ee32f40d785fa8624a10bbcc4bf531db4c07f1a793be86b015098a62884970e3e58268820f7698ae23d609d2e20b4a75ebacbc98f01edb71c12049594593fd65f62c62b59ac0f269eeb113185fb7ae56cc8da9bd4a9abb7d3332d8ce732638afb3b2b786e56c256bf6211362b498b348b7e370c638b634d7fbd947b57e5c9f923612869cf1d9737fc51075ae92763045c2d2fed944763c14521521bab177c2aad1301d43a8679187077", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", + "ValidFrom": "2014-12-09 21:30:38", + "ValidTo": "2017-12-09 21:30:35", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000b6712f575e402cf8708400020000b671", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + } + ], + "Tags": [ + "semav6msr.sys" + ], + "yara": false + }, + { + "Id": "1068f5cc-65dd-4fd0-b3d8-1d982b37405f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create WinIO32A.sys binPath=C:\\windows\\temp\\WinIO32A.sys type=kernel && sc.exe start WinIO32A.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "WinIO32A.sys", + "SHA1": "01779ee53f999464465ed690d823d160f73f10e7", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIO32A.sys" + ], + "yara": false + }, + { + "Id": "5c45ae9e-cb6f-4eab-a070-b0187202e080", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create amigendrv64.sys binPath=C:\\windows\\temp\\amigendrv64.sys type=kernel && sc.exe start amigendrv64.sys", + "Description": [], + "Usecase": "Elevate privileges", + 
"Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "FileName": "amigendrv64.sys", + "MD5": "32365e3e64d28cc94756ac9a09b67f06", + "SHA1": "d48757b74eff02255f74614f35aa27abbe3f72c7", + "SHA256": "09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9", + "Authentihash": { + "MD5": "50ce9def1a59a6ec02ac018e8e42b9e1", + "SHA1": "64e1b960b4fd0b597e36f3986abd37cca8ebd230", + "SHA256": "e4dbc382c21b4b14b54d37b2fd86e12a7637f177ba4170e19ffde3584ec48e6c" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoAllocateMdl", + "IoFreeMdl", + "MmGetPhysicalAddress", + "RtlInitUnicodeString", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "KeLowerIrql", + "KfRaiseIrql", + "MmMapIoSpace", + "MmUnmapIoSpace", + "MmFreeContiguousMemory", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "PsGetVersion", + "ExAllocatePoolWithQuotaTag", + "ZwQuerySystemInformation", + "MmAllocateContiguousMemory", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "RtlCopyUnicodeString", + "DbgPrintEx", + "MmBuildMdlForNonPagedPool", + "RtlCompareMemory", + "ObReferenceObjectByHandle", + "RtlGetVersion", + "HalTranslateBusAddress", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass", + "WdfVersionBindClass" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "serialNumber=7155083, ??=US, ??=Delaware, ??=Private Organization, C=US, postalCode=30093, 
ST=Georgia, L=Norcross, ??=5555 Oakbrook Parkway Suite 200, O=AMI US HOLDINGS INC, CN=AMI US HOLDINGS INC", + "ValidFrom": "2020-09-21 00:00:00", + "ValidTo": "2023-09-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA", + "ValidFrom": "2014-12-03 00:00:00", + "ValidTo": "2029-12-02 23:59:59", + "Signature": "664eecb716776f11e81b5d6a4ed9f28b6cb15628408bc031c49948233df80ee88097ef6d200b1f13c486fb173415e18e54f7c2b8007315e028d9dabafa8254c2f7ebbfc336d0309fe5a11c94dfef7ce8f62c78a2accf266a15a11531d6313498bd534fc48483a3c4965c3dd8fed6f954ff67936df83e2b6b2ca2087c5648813218b26eac90c1dbe4de398b86e5c7184059a4df9647bab27fb1f8570f858074380e3a58621efe52e3e6ae530986fe8f9bdb5656cc07b089c104f1530b6c6f77ecb21fecf65b4043600f1bab1854b410048ef80ee9cb83b17af2344e6a544ce9832ae9b030251cce628e0eeb85e629feb14ae3f2ae3c91f54ca1bec8170e5cbb424de31a8a92cd3e207edde975b1ea1f745c9e54c29437b261dd0716597f968016e099b5d26eb0c9230615acd123f4338bce75f0c186d3ffe12efa904ffe46f9bbdb4fbbb7fed10d2b04f1d2d195852c8a2eb88556f2c38452a1e933b1eb50c8a1b09fe3c38b3a879ee755d3d36d3417300d68220bd5b9ed733572c3eda737cde343ae45cd34bf28ca8762ed43a4affacb31cb215861465eb6c67aa61e532aa8f85c511f3a5a100f28c0e4748b74c604aaf84b26280a3289db9d2a60716ac3964e16b963bf6195678c4b2ebbb04e83e94d31e58e2722f53c267b4491d3d45af0d37cf438be149a990e8bb15beae48b0f119d7742821c5c3ad4daab882f8d573054", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2011-04-11 22:06:20", + "ValidTo": "2021-04-11 22:16:20", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": 
"00b9963758ead236c6e15cd48ba5433aae", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "amigendrv64.sys" + ], + "yara": false + }, + { + "Id": "e86f7700-01c4-47be-a625-36b2dfe4bdc6", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create rtkiow10x64.sys binPath=C:\\windows\\temp\\rtkiow10x64.sys type=kernel && sc.exe start rtkiow10x64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "rtkiow10x64.sys", + "MD5": "b5ada7fd226d20ec6634fc24768f9e22", + "SHA1": "947db58d6f36a8df9fa2a1057f3a7f653ccbc42e", + "SHA256": 
"32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993", + "Signature": [ + "Realtek Semiconductor Corp.", + "DigiCert EV Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "Realtek ", + "Description": "Realtek IO Driver", + "Product": "Realtek IO Driver ", + "ProductVersion": "1.008.0823.2017", + "FileVersion": "1.008.0823.2017", + "MachineType": "AMD64", + "OriginalFilename": "rtkiow10x64.sys ", + "Authentihash": { + "MD5": "4d01000bdb93d60aa1ff5700b4b0a9a2", + "SHA1": "5e85fc1f7ef1c3c2745c842739c0ab596f87f9f9", + "SHA256": "bc65d8ade2e72475a585307311e3058b3dbc4a7d2be6740c2c53a5902e698e7f" + }, + "InternalName": "rtkiow10x64.sys ", + "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. ", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KePulseEvent", - "KeClearEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwConnectPort", + "KfRaiseIrql", + "MmUnmapIoSpace", + "MmMapIoSpaceEx", "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "ExAllocatePoolWithTag", - "KeInitializeEvent", - "_snprintf", - 
"PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "RtlPrefixUnicodeString", - "ExGetPreviousMode", - "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeDelayExecutionThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "KeSetEvent", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "_purecall", - "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ObQueryNameString", "MmGetSystemRoutineAddress", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "RtlCompareMemory", + "KeSetSystemAffinityThreadEx", + "KeQueryActiveProcessors", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExCreateCallback", + "ExRegisterCallback", + "ExUnregisterCallback", "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + 
"KeLowerIrql", "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", - "IoGetDeviceObjectPointer", "IofCompleteRequest", - "ExEventObjectType", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "wcschr", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "wcsrchr", - "memcpy", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "_allrem", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", + "IoFreeMdl", + "IoRegisterShutdownNotification", + "IoUnregisterShutdownNotification", + "IoWMIRegistrationControl", 
+ "ObfDereferenceObject", + "ZwClose", + "ZwOpenKey", + "ZwQueryValueKey", + "__C_specific_handler", + "MmUnmapLockedPages", + "_vsnprintf", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2016-06-13 00:00:00", + "ValidTo": "2019-01-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0320be3eb866526927f999b97b04346e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "rtkiow10x64.sys" + ], + "yara": true + }, + { + "Id": "da7314dc-6cf1-4d74-a0d1-796fc08944f8", + "Author": "Michael Haag", + "Created": "2023-05-20", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create windbg.sys binPath=C:\\windows\\temp\\windbg.sys type=kernel && sc.exe start windbg.sys", + "Description": "These samples are related to CopperStealth campaign found by TrendMicro. CopperStealth’s infection chain involves dropping and loading a rootkit, which later injects its payload into explorer.exe and another system process. These payloads are responsible for downloading and running additional tasks. 
The rootkit also blocks access to blocklisted registry keys and prevents certain executables and drivers from running.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df.yara" + }, + { + "type": "yara_signature", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": 
"sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "windbg.sys", + "MD5": "40f35792e7565aa047796758a3ce1b77", + "SHA1": "6df35a0c2f6d7d39d24277137ea840078dafb812", + "SHA256": "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "3a2404b8c4c87facf5316e4ff16bd603", + "SHA1": "ff3d240cf0faeafb37f176b71151dd83b2177a0e", + "SHA256": "e307ebe2d43cc8e290e5ade032a6e38bc6961439f92d6e99b954bf1368a975ef" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoCreateFile", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", "IoFreeMdl", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "RtlFreeUnicodeString", + "ObQueryNameString", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "ZwDeleteFile", + "PsGetVersion", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", 
+ "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "KeSetEvent", + "KeInitializeEvent", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "IoGetRelatedDeviceObject", + "ZwCreateFile", + "IoFreeIrp", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", - "ValidFrom": "2019-07-12 00:00:00", - "ValidTo": "2020-07-10 12:00:00", - "Signature": "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", + "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Luyoudashi Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shenzhen Luyoudashi Technology Co., Ltd.", + "ValidFrom": "2014-05-06 00:00:00", + "ValidTo": "2015-05-06 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", + "ValidFrom": "2019-05-02 00:00:00", + "ValidTo": "2038-01-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=GB, ST=Manchester, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #3", + "ValidFrom": "2022-05-11 00:00:00", + "ValidTo": "2033-08-10 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": 
"0ea0fe4dfb74cc64bc32143103c27c8b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "5f9e06262d2eed425c886a4709350426", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "ad866d83b4f0391aecceb4e507011831", - "SHA1": "2cc70b772b42e0208f345c7c70d78f7536812f99", - "SHA256": "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272", - "Authentihash": { - "MD5": "9242d88e9b533ca214638aadacfb515a", - "SHA1": "9892893a2a7d2a458ee795eeee065f64d4f6e3c4", - "SHA256": "6ad7bdf11a7ce7296a06eb4f14091df84fafdb04413e714f09f9ea6c686a1323" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "5.0.0.1113", - "Product": "Trend Micro Eyes", - "ProductVersion": "5.0", - "Copyright": "Copyright (C) 2005-2011 Trend Micro Incorporated. 
All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS", - "SCSIPORT.SYS" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - 
"??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - 
"??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - 
"??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - 
"?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - 
"?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - 
"?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - 
"?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForReady@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_KmCallUm@8", - "_KmCallUmEx@12", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", 
- "_UtilModuleIATUnHook@8", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "__UtilDosPathNameToNtPathName@12" + "Filename": "windbg.sys", + "MD5": "093a2a635c3a27aac50efd6463f4efa1", + "SHA1": "b34a012887ddab761b2298f882858fa1ff4d99f1", + "SHA256": "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "dab51577c44fda1574532847f4deb56c", + "SHA1": "c7cb92f60ffe07d1c9bfa43ea1213f8c8f766022", + "SHA256": "6ee267fc3d0ac2662a9cfdb0ed5a2354ee09ef4c218303f20350177cae125cf7" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", - "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", "ZwClose", - "ZwRequestWaitReplyPort", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", "ObOpenObjectByPointer", "PsProcessType", - "memmove", - "ZwConnectPort", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "DbgBreakPoint", - "PsGetProcessExitTime", - "MmSectionObjectType", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", "ZwReadFile", "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", + "IoCreateFile", + "_wcsicmp", "_wcsnicmp", - "KeInitializeEvent", - "_snprintf", - 
"PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", "KeQuerySystemTime", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + "IoGetRelatedDeviceObject", "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", - "KeSetPriorityThread", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", "PsTerminateSystemThread", + "PsThreadType", "PsCreateSystemThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "844af8c877f5da723c1b82cf6e213fc1", + "SHA1": "4f2d9a70ea24121ae01df8a76ffba1f9cc0fde4a", + "SHA256": "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "98a3ab2b723de48256701b417ff87a65", + "SHA1": "ff80d6663a92ff454526e88847cbb4d9bd00e21e", + "SHA256": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", "KeDelayExecutionThread", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", "ZwSetValueKey", - "MmHighestUserAddress", - "IoFreeIrp", - "IoFreeMdl", - "MmUnlockPages", - "KeInitializeSemaphore", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", "RtlEqualUnicodeString", - "IoFileObjectType", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "MmGetSystemRoutineAddress", 
- "RtlCopyUnicodeString", - "RtlCompareMemory", - "_snwprintf", - "RtlImageNtHeader", + "IoFreeMdl", "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", "ObQueryNameString", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExEventObjectType", - "_allmul", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "IoDriverObjectType", - "RtlAppendUnicodeStringToString", - "NtQueryInformationProcess", - "PsIsThreadTerminating", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", "PsThreadType", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "RtlUpcaseUnicodeString", - "ObCreateObject", - "_allshr", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", - "MmFreeContiguousMemory", - "MmAllocateContiguousMemory", - "MmMapIoSpace", - "KeTickCount", + "RtlSubAuthorityCountSid", + 
"ZwQueryInformationToken", "KeBugCheckEx", - "RtlUnwind", - "KeClearEvent", - "KePulseEvent", - "KeSetEvent", - "wcsrchr", - "memcpy", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" + ], + "Signatures": {} + }, + { + "Filename": "windbg.sys", + "MD5": "2ec877e425bd7eddb663627216e3491e", + "SHA1": "d4f5323da704ff2f25d6b97f38763c147f2a0e6f", + "SHA256": "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "75c70824590d4db183418c7fd9e47d2d", + "SHA1": "1ccd8bc3104fe1654806752e1e6730d3ee0b4ee4", + "SHA256": "e7e7824d611527b67fc36128da1b35d9b8ce3ffdab3fb96e3dbabd6e9c9570c0" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "_purecall", - "IoBuildAsynchronousFsdRequest", - "KeGetCurrentThread", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "ClassInitialize", - "ScsiPortReadPortBufferUshort", - "ScsiPortReadPortUchar", - "ScsiPortWritePortUchar", - "ScsiPortStallExecution", - "ScsiPortWritePortBufferUshort" + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoCreateFile", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + 
"ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "ZwDeleteFile", + "PsGetVersion", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "KeSetEvent", + "KeInitializeEvent", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "IoGetRelatedDeviceObject", + "ZwCreateFile", + "IoFreeIrp", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=CN, ST=Shandong, L=Binzhou, O=Binzhoushi Yongyu Feed Co.,LTd., CN=Binzhoushi Yongyu Feed Co.,LTd.", + "ValidFrom": "2014-01-17 00:00:00", + "ValidTo": "2016-01-17 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-01-31 00:00:00", - "ValidTo": "2012-02-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "24e3d70b86ed54d0b22c3450b960984e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "5d11784fb81765023f89a4f4243fe1a9", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "dd9596c18818288845423c68f3f39800", - "SHA1": "fb1570b4865083dfce1fcff2bd72e9e1b03cead5", - "SHA256": "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e", + "Filename": "windbg.sys", + "MD5": "0023ca0ca16a62d93ef51f3df98b2f94", + "SHA1": "97812f334a077c40e8e642bb9872ac2c49ddb9a2", + "SHA256": "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", "Authentihash": { - "MD5": "ad490c2e1c6e3f31f1cd1073b03bb866", - "SHA1": "a2c557dd6ee13783291800be7a6d28af2bc051a4", - "SHA256": "5b08743c8e1de8343ab0a0d453ca76487c6a438608c68c2b2921ea2c2a92821c" + "MD5": "c12f9f4027088d2ca69b2d2fec33131b", + "SHA1": "f73aa876791246fb7486214e4d3f81a0d375e649", + "SHA256": "88b901ce8ee199bc371e9cf39ab5375d31c6881a25ba5827e9b32ba7946ecda1" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "2.80.0.1077", - "Product": "Trend Micro AEGIS", - "ProductVersion": "2.80", - "Copyright": "Copyright (C) 2005-2009 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "ntoskrnl.exe", + "HAL.dll" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - 
"??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - 
"??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - 
"??_7CDebugLog@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - 
"?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFBCallBackRoutine@CContext@@QAEKXZ", - 
"?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - 
"?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - 
"?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_KmCallUm@8", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilQueryKeyValue@24", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - 
"_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "__UtilDosPathNameToNtPathName@12" + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "f69b06ca7c34d16f26ea1c6861edf62a", + "SHA1": "fdbcebb6cafda927d384d7be2e8063a4377d884f", + "SHA256": 
"770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "5d9b4ff04047d06a76354c7f7caa1e9e", + "SHA1": "6230645a707228e023d7fc9c5c86c340be05f9c3", + "SHA256": "28d3a5a85eef4561c4ad08fd83aca4f7a946f8dca8bfb7958a855a80197f68a6" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExReleaseFastMutexUnsafe", - "wcsncpy", - "memcpy", - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "DbgPrint", - "KeReleaseSemaphore", - "RtlSubAuthoritySid", - "RtlInitializeSid", "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", + "PsProcessType", + "IoGetLowerDeviceObject", "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "memmove", - "KeStackAttachProcess", - "ZwConnectPort", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", "RtlInitUnicodeString", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "memset", - "MmIsAddressValid", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "KeInitializeEvent", - "_snprintf", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + 
"KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeNumberProcessors", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", - "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "ObOpenObjectByPointer", - "PsProcessType", - "KeLeaveCriticalRegion", - "ZwQueryKey", "ZwSetValueKey", - "MmHighestUserAddress", - "IoFreeIrp", - "IoFreeMdl", - "MmUnlockPages", - "_purecall", - "ProbeForWrite", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "KeDelayExecutionThread", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", "IoFileObjectType", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + 
"ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", "PsGetVersion", - "MmGetSystemRoutineAddress", - "RtlCompareMemory", + "IoAllocateIrp", + "CmRegisterCallback", "RtlCopyUnicodeString", - "RtlImageNtHeader", - "PsLookupProcessByProcessId", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", - "KeBugCheckEx", - "RtlAppendUnicodeStringToString", - "IofCompleteRequest", - "ExEventObjectType", - "_allmul", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "ProbeForRead", - "IoGetDeviceObjectPointer", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "RtlUpperChar", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", - "ObOpenObjectByName", - "IoDriverObjectType", - "NtQueryInformationProcess", - "_snwprintf", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", "ZwFreeVirtualMemory", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", "IoBuildDeviceIoControlRequest", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "KeTickCount", - 
"RtlUnwind", - "KeEnterCriticalRegion", - "ZwOpenProcess", - "ExAcquireFastMutexUnsafe", - "ZwSetSecurityObject", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "IoBuildAsynchronousFsdRequest", - "KeGetCurrentThread", - "KfLowerIrql", - "KeRaiseIrqlToDpcLevel", - "ClassInitialize" + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "e8eac6642b882a6196555539149c73f2", + "SHA1": "3825ebb0b0664b5f0789371240f65231693be37d", + "SHA256": "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", 
+ "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "1584b06241f08d74434a452e798b2809", + "SHA1": "8eca36d54d04736f61f54285bcee8c30ed892553", + "SHA256": "ff6108dd2017f9bc7ea93c43c1afbda0f1cc7b00f5afafb4ce3cf0a193e9598b" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", 
+ "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2008-01-16 00:00:00", - "ValidTo": "2011-02-16 23:59:59", - "Signature": "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", + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - 
"Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "645212f783f4d7aba3555729e99ce065", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "3e796eb95aca7e620d6a0c2118d6871b", - "SHA1": 
"dc6e62dbde5869a6adc92253fff6326b6af5c8d4", - "SHA256": "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0", + "Filename": "windbg.sys", + "MD5": "5ebfc0af031130ba9de1d5d3275734b3", + "SHA1": "48f03a13b0f6d3d929a86514ce48a9352ffef5ad", + "SHA256": "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", "Authentihash": { - "MD5": "3d01509bec77747dea890e23147245ca", - "SHA1": "3dab396397670007e1d04f9497a7d4d6244d0cb7", - "SHA256": "c032e2abdf4f07ba42ce4559e6413387becbebb0a43c287b6d367dbb33bde751" + "MD5": "1959eac3bb98c3032791b0dc6d662281", + "SHA1": "f8df5fd765770a56c227c66b47edcf38f868ef33", + "SHA256": "a0801ade5de44b65afb8c275e11e4d766ae64af1a5740ad4f1db1acc4e088774" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.60.0.1082", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.60", - "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - 
"??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - 
"??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", 
- "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - 
"?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", 
- "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - 
"?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - 
"?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", 
- "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetFileVersionOfNtoskrnl@16", - 
"_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + 
"KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + 
{ + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "40b968ecdbe9e967d92c5da51c390eee", + "SHA1": "b8b123a413b7bccfa8433deba4f88669c969b543", + "SHA256": "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "98a3ab2b723de48256701b417ff87a65", + "SHA1": "ff80d6663a92ff454526e88847cbb4d9bd00e21e", + "SHA256": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + 
"CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", + "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2023-01-12 19:14:52", + "ValidTo": "2023-12-15 19:14:52", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000f5e8773b206b1ccd610000000000f5", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "c71be7b112059d2dc84c0f952e04e6cc", + "SHA1": "9ee31f1f25f675a12b7bad386244a9fbfa786a87", + "SHA256": "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724", + "Signature": "", + 
"Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "01788e7162863cfe7aeba0f040a6cc08", + "SHA1": "ded2c02db6b5addf9d521361fd3657b2b6894a48", + "SHA256": "223b320fb86cd4a1019ce31ac6901ce6bc41792810bd995db232dad790398852" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + 
"RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "KeWaitForSingleObject", + "ObReferenceObjectByHandle", + "PsThreadType", + "PsCreateSystemThread", + "KeInitializeEvent", + "KeSetEvent", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "IoGetRelatedDeviceObject", + "MmProbeAndLockPages", + "IoFreeIrp", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Luyoudashi Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Shenzhen Luyoudashi Technology Co., Ltd.", + "ValidFrom": "2014-05-06 00:00:00", + "ValidTo": "2015-05-06 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Time Stamping CA", + "ValidFrom": "2019-05-02 00:00:00", + "ValidTo": "2038-01-18 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=GB, ST=Manchester, O=Sectigo Limited, CN=Sectigo RSA Time Stamping Signer #3", + "ValidFrom": "2022-05-11 00:00:00", + "ValidTo": "2033-08-10 23:59:59", + "Signature": 
"73daed6872cbc2b940a131bbb403a32d147b24e7b45b157da8e9fdadd1920d7c3d36a069d9f39a30daac69d67457243f7e0f3cd9f5c379256c26e88d6893cef17789397fa80405da34c314ea9f0854abffc47e966c2bd394ebb46ce0454d2cb2f73b3b5ab5c1fbd789756d987272f6f70728f3d3b2d0eb19be152c78efcd45a000e4f80476bb57c590be775490749e0b4f4dc4aa138f97af01352bcb9b1178e9f2f989043c4ee3821262ebb4440c7541c20f34b8889dc822f1136adb182f6e78adc405b4e884089307f97d83fe689834e477e5b1ce8c946cdb036d2805477e9b2ef064fbdba40331107c1afb3c1980d10b70b9555f47be3964ceb7da235432e346b232d8d22986c9155d8095af02fbb4d12e9d387c35e00f1ced1b47489c226a5582d9f2ba086503e5f129f3488a09014ca679f2a2b61a9994eb9728e1be7d1ba17ced5680a6f4223390e48453fc2afac0a797a8eab58d7acee4e04ba133ab0b76a0d56916b78e66bf5ffa1fc4a87fa7a14814910d82fcbd4d99edc9e66c36fe774399b8692d7c612feda3b049fe5bbe692491ff93fc5769924bd9053f6d8672d3a2d0c064d23a42c11a03fbd0ed9a21b83fafa6b25154d54cc5ca1f128d57c639ed5cffec9f2676ad646667e8aa30e0d2adb77db16a41276e038aa374e08a09826ebfe3f6b7bc9e0b29186881a19c3f6e16594b1409099ae6aebf6015dd86f5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + "Signer": [ + { + "SerialNumber": "5f9e06262d2eed425c886a4709350426", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "0ea8389589c603a8b05146bd06020597", + "SHA1": "3c1c3f5f5081127229ba0019fbf0efc2a9c1d677", + "SHA256": "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? 
Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "0318de365e28ee38442c92b03747b088", + "SHA1": "ff0497dbd779bd65bbb7302b360dc0738a464e9b", + "SHA256": "dd759c6b9c4222c7b19e8b0ba7288d7395594d6884b9bcdf0ccfada3e6b7a8d5" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + 
"CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "KeWaitForSingleObject", + "ObReferenceObjectByHandle", + "PsThreadType", + "PsCreateSystemThread", + "KeInitializeEvent", + "KeSetEvent", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "IoGetRelatedDeviceObject", + "MmProbeAndLockPages", + "IoFreeIrp", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=CN, ST=Shandong, L=Binzhou, O=Binzhoushi Yongyu Feed Co.,LTd., CN=Binzhoushi Yongyu Feed Co.,LTd.", + "ValidFrom": "2014-01-17 00:00:00", + "ValidTo": "2016-01-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. 
, For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "5d11784fb81765023f89a4f4243fe1a9", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "19bdd9b799e3c2c54c0d7fff68b31c20", + "SHA1": "ea4a405445bb6e58c16b81f6d5d2c9a9edde419b", + "SHA256": "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "619b74b682d2abd190cb3e0ac5ecd6f7", + "SHA1": "ed5e61e534550b1f286d0801d4464d45f38d2739", + "SHA256": "40e0be2ed5d07d5ecf14232fe64a95c7ad6fd942a60b4a6e21fda69c75bbb78d" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe", + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "_except_handler3", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "88bea56ae9257b40063785cf47546024", + "SHA1": "b5a8e2104d76dbb04cd9ffe86784113585822375", + "SHA256": 
"e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "265462dbda175886e0c02257f2385753", + "SHA1": "0e45b675fec76249e64f8a2d4bd5483886b91169", + "SHA256": "37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + 
"KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": 
"9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "3f11a94f1ac5efdd19767c6976da9ba4", + "SHA1": "f92faed3ef92fa5bc88ebc1725221be5d7425528", + "SHA256": "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "096f2e1d163a780fa3cb7f0870fe2b34", + "SHA1": "0e4f45b762d5c548322cde3d0e2d5ff2d81c87f1", + "SHA256": "948735962436df24baa69e58421345d4a295e0821f4f93fd9f64e11f51a9666f" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + 
"RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "9e5b963a2e1288acab016da49f75e40187a3a532d7bcbaa97ea3d61417f7c2136b7c738f2b6ae50f265968b08e259b6ceffa6c939208c14dcf459e9c46d61e74a19b14a3fa012f4ab101e1724048111368b9369d914bd7c2391210c1c4dcbb6214142a615d4f387c661fc61bffadbe4f7f945b7343000f4d73b751cf0ef677c05bcd348cd96313aa0e6111d6f28e27fcb47bb8b91120918678ea0ed428ff2ad52438e837b2ec96bb9fbc4a1650e15ebf517d23a032c7c1949e7ac9c026a2cc2587a0127e749f2d8db1c8e784beb9d1e9debb6a4e887371e12238cb2487e9737e51b2ff98eb4e7e2fe0ca0efab35ed1ba0542a8489f83f63fc4caa8df68a05061", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "0bdd51cc33e88b5265dfb7d88c5dc8d6", + "SHA1": "6a6fe0d69e0ea34d695c3b525e6db639f9ad6ac5", + "SHA256": "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "207e5de5c589271ee469dd33442a0bb0", + "SHA1": "34e83718226e039ebf28c4ea2284b011701710d0", + "SHA256": "aa833c9e3bcdc33eaf64fd913e80f5b9ce60618f6e3ff4c386420fea4a494380" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + "IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + 
"RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "b6b530dd25c5eb66499968ec82e8791e", + "SHA1": "9c1c9032aa1e33461f35dbf79b6f2d061bfc6774", + "SHA256": "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5", + "Signature": "", + "Date": "", 
+ "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "I386", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "dbc72430b48b0ca636a84b9e5ed0d534", + "SHA1": "58ca196bfd54c6166aae0f8000fa8a1a66a0073e", + "SHA256": "45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KePulseEvent", - "KeClearEvent", + "IoDeleteDevice", + "IoDetachDevice", + "memcpy", + "memset", + "ZwClose", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "ObOpenObjectByPointer", + "PsProcessType", + "PsLookupProcessByProcessId", + "MmGetSystemRoutineAddress", + "RtlInitUnicodeString", + "IofCallDriver", + "PsGetCurrentProcessId", + "IoGetLowerDeviceObject", + "ObfDereferenceObject", + "IoGetAttachedDeviceReference", + "IoUnregisterShutdownNotification", + "KeDelayExecutionThread", + "IoAttachDeviceToDeviceStackSafe", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoRegisterShutdownNotification", + "IoUnregisterFsRegistrationChange", + "IoRegisterFsRegistrationChange", + "_vsnwprintf", + "PsGetVersion", + "ZwAllocateVirtualMemory", + "MmUnmapLockedPages", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ZwReadFile", + "ZwQueryInformationFile", + "IoCreateFile", + "_wcsicmp", + "_wcsnicmp", + "RtlEqualUnicodeString", + "ZwWriteFile", + "ZwFlushKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "RtlRandom", + "KeQuerySystemTime", + "ZwDeleteKey", + "ZwOpenKey", + "ZwEnumerateKey", + "IoFreeIrp", + "KeSetEvent", + "KeWaitForSingleObject", + "KeGetCurrentThread", + "KeInitializeEvent", + "IoAllocateIrp", + 
"IoGetRelatedDeviceObject", + "ObReferenceObjectByHandle", + "IoFileObjectType", + "ObQueryNameString", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "PsGetProcessPeb", + "RtlCreateUnicodeString", + "ZwDeleteValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "ZwDeleteFile", + "PsRemoveLoadImageNotifyRoutine", + "CmUnRegisterCallback", + "PsSetLoadImageNotifyRoutine", + "CmRegisterCallback", + "ObReferenceObjectByName", + "ZwFreeVirtualMemory", + "ZwWaitForSingleObject", + "KeUnstackDetachProcess", "KeStackAttachProcess", + "ZwDuplicateObject", + "PsGetProcessSessionId", + "_strnicmp", + "RtlSubAuthoritySid", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "ZwOpenProcessTokenEx", + "PsTerminateSystemThread", + "PsThreadType", + "PsCreateSystemThread", + "KeTickCount", + "KeBugCheckEx", + "_vsnprintf", + "strncmp", + "strchr", + "strncpy", + "strstr", + "ExAllocatePool", + "_stricmp", + "rand", + "ZwCreateFile", + "IoBuildDeviceIoControlRequest", + "MmProbeAndLockPages", + "IoAllocateMdl", + "_allshl", + "RtlUnwind" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2023-01-12 19:14:51", + "ValidTo": "2023-12-15 19:14:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000f3158ea57d1c559f290000000000f3", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party 
Component CA 2012" + } + ] + } + ] + }, + { + "Filename": "windbg.sys", + "MD5": "77a7ed4798d02ef6636cd0fd07fc382a", + "SHA1": "76789196eebfd4203f477a5a6c75eefc12d9a837", + "SHA256": "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Microsoft Corporation", + "Description": "Windows GUI symbolic debugger", + "Product": "Microsoft? Windows? Operating System", + "ProductVersion": "10.0.19041.685", + "FileVersion": "10.0.19041.685 (WinBuild.160101.0800)", + "MachineType": "AMD64", + "OriginalFilename": "windbg.sys", + "Authentihash": { + "MD5": "ff65997d5644ff042a7e3a5cb9030af2", + "SHA1": "a1c5483d4d29d0cd9edc6e42a21d70f56de12aaf", + "SHA256": "9be868eb7e177ee6d762f2a022acf18b6b190fecbe445b3c09fc0494e8244ee8" + }, + "InternalName": "windbg.sys", + "Copyright": "? Microsoft Corporation. All rights reserved.", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "ExAllocatePoolWithTag", + "PsProcessType", + "IoGetLowerDeviceObject", + "ExFreePoolWithTag", + "IoRegisterShutdownNotification", + "IoAttachDeviceToDeviceStackSafe", + "PsLookupProcessByProcessId", + "RtlInitUnicodeString", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "IoDetachDevice", + "KeDelayExecutionThread", + "IoUnregisterShutdownNotification", + "ZwClose", + "IoGetAttachedDeviceReference", + "PsGetCurrentProcessId", + "ObfDereferenceObject", + "IoCreateDevice", + "IoEnumerateDeviceObjectList", + "IoUnregisterFsRegistrationChange", + "ObOpenObjectByPointer", + "IoRegisterFsRegistrationChange", + "IofCallDriver", + "MmUnmapLockedPages", + "_wcsicmp", + "PsGetProcessPeb", + "ZwCreateKey", + "RtlCreateUnicodeString", + "MmMapLockedPages", + "PsSetLoadImageNotifyRoutine", + "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "KeSetEvent", + "IoCreateFile", + "KeInitializeEvent", + "ZwDeleteValueKey", + "ZwSetValueKey", + "RtlEqualUnicodeString", + 
"MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "RtlFreeUnicodeString", + "ObQueryNameString", + "IoFileObjectType", + "ZwQueryValueKey", + "_vsnwprintf", + "RtlRandom", + "ObReferenceObjectByHandle", + "KeWaitForSingleObject", + "PsRemoveLoadImageNotifyRoutine", + "ZwFlushKey", + "MmCreateMdl", + "IoFreeIrp", + "ZwDeleteFile", + "PsGetVersion", + "IoAllocateIrp", + "CmRegisterCallback", + "RtlCopyUnicodeString", + "MmIsAddressValid", + "CmUnRegisterCallback", + "ZwQueryInformationFile", + "ZwWriteFile", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwAllocateVirtualMemory", + "ZwOpenKey", "KeUnstackDetachProcess", + "ZwWaitForSingleObject", + "ZwFreeVirtualMemory", + "PsGetProcessSessionId", + "ZwDuplicateObject", + "ObReferenceObjectByName", + "KeStackAttachProcess", + "RtlSubAuthoritySid", + "_strnicmp", + "ZwOpenProcessTokenEx", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsThreadType", + "RtlSubAuthorityCountSid", + "ZwQueryInformationToken", + "KeBugCheckEx", + "strncmp", + "strstr", + "strchr", + "strncpy", + "_vsnprintf", + "rand", + "_stricmp", + "ExAllocatePool", + "IoBuildDeviceIoControlRequest", + "ZwCreateFile", + "MmProbeAndLockPages", + "IoAllocateMdl", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=?????????, ??=??????????????????????????????, ??=Private Organization, serialNumber=91420100MA4KN92W72, C=CN, ST=?????????, L=?????????, O=Wuhan Jiajia Yiyong Technology Co., Ltd., CN=Wuhan Jiajia Yiyong Technology Co., Ltd.", + "ValidFrom": "2020-11-17 00:00:00", + "ValidTo": "2023-11-12 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "012eab44fa8853d913e7107c89406432", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + 
} + ] + } + ] + } + ], + "Tags": [ + "windbg.sys" + ], + "yara": true + }, + { + "Id": "57fc510a-e649-4599-b83e-8f3605e3d1d9", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create aswArPot.sys binPath=C:\\windows\\temp\\aswArPot.sys type=kernel && sc.exe start aswArPot.sys", + "Description": "Avast’s “Anti Rootkit” driver (also used by AVG) has been found to be vulnerable to two high severity attacks that could potentially lead to privilege escalation by running code in the kernel from a non-administrator user.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "CVE-2022-26522, CVE-2022-26523: Both of these vulnerabilities were fixed in version 22.1." 
+ ], + "Acknowledgement": { + "Person": "", + "Handle": "@mattnotmax" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "aswArPot.sys", + "MD5": "a179c4093d05a3e1ee73f6ff07f994aa", + "SHA1": "5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4", + "SHA256": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1", + "Signature": [ + "Avast Software s.r.o.", + "DigiCert High Assurance Code Signing CA-1", + "DigiCert" + ], + "Date": "2021-02-01 14:09:00", + "Publisher": "", + "Company": "AVAST Software", + "Description": "Avast Anti Rootkit", + "Product": "Avast Antivirus ", + "ProductVersion": "21.1.187.0", + "FileVersion": "21.1.187.0", + "MachineType": "AMD64", + "OriginalFilename": "aswArPot.sys", + "Authentihash": { + "MD5": "66d55dcf5fe5e1b60f32880d48207105", + "SHA1": "b8b5e5951f1c4148537e9850f2b577a453e4c045", + "SHA256": "c0c131bc8d6c8b5a2be32474474b1221bce1289c174c87e743ed4a512f5571d4" + }, + "InternalName": "aswArPot", + "Copyright": "Copyright (c) 2021 AVAST Software", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "__C_specific_handler", + "KeDelayExecutionThread", + 
"IoAllocateWorkItem", + "MmIsAddressValid", + "MmUnlockPages", + "ExAllocatePool", + "RtlAnsiStringToUnicodeString", + "KeAcquireSpinLockRaiseToDpc", + "ZwQuerySystemInformation", + "PsRemoveLoadImageNotifyRoutine", + "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "MmProbeAndLockPages", + "RtlVolumeDeviceToDosName", + "PsSetLoadImageNotifyRoutine", + "IoGetRequestorProcessId", + "ZwReadFile", + "ObQueryNameString", + "IoDetachDevice", + "ZwOpenThreadTokenEx", + "ZwOpenProcessTokenEx", + "towlower", + "NtBuildNumber", + "ExReleaseFastMutex", + "_wcsicmp", + "_snwprintf", + "RtlConvertSidToUnicodeString", "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwConnectPort", - "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", + "IoAllocateMdl", "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", + "ZwQueryInformationProcess", + "IoAttachDeviceToDeviceStackSafe", + "PsGetProcessId", + "PsCreateSystemThread", + "ZwQueryInformationThread", + "RtlInitUnicodeString", + "ZwOpenSymbolicLinkObject", + "tolower", + "PsRemoveCreateThreadNotifyRoutine", + "IoDeleteDevice", + "IoBuildDeviceIoControlRequest", + "wcsncpy", + "IoGetDeviceObjectPointer", "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "MmGetSystemRoutineAddress", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "ExAllocatePoolWithTag", - "KeInitializeEvent", - "_snprintf", + "strncpy", + 
"KeReleaseSpinLock", + "_strnicmp", + "IoFileObjectType", + "KeStackAttachProcess", + "PsLookupProcessByProcessId", "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", + "KeSetEvent", + "PsThreadType", + "RtlUnicodeStringToAnsiString", + "ZwQueryInformationToken", + "ZwMapViewOfSection", + "strncmp", "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", - "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeDelayExecutionThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", - "ZwOpenKey", + "RtlGetVersion", + "PsGetThreadId", + "PsGetVersion", + "KeClearEvent", + "IoGetBaseFileSystemDeviceObject", + "wcschr", + "ZwSetInformationFile", "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "KeSetEvent", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "_purecall", - "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ObQueryNameString", - "ZwSetInformationObject", + "IoFreeMdl", + "wcsstr", + "ExAcquireFastMutex", + 
"MmGetSystemRoutineAddress", + "IoFreeWorkItem", "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", + "ExAllocatePoolWithTag", + "RtlInitString", + "IoCreateDevice", "IofCallDriver", - "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", - "RtlCompareUnicodeString", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", - "IoGetDeviceObjectPointer", + "IoDeviceObjectType", + "_snprintf", + "ExFreePoolWithTag", + "ZwOpenFile", + "KeSetSystemAffinityThread", + "strstr", + "KeInitializeEvent", + "ObReferenceObjectByName", + "strchr", + "_wcsnicmp", + "KeQueryActiveProcessors", + "RtlEqualSid", + "IoQueueWorkItem", + "MmUnmapLockedPages", + "MmMapLockedPagesSpecifyCache", + "PsSetCreateThreadNotifyRoutine", + "PsGetCurrentThreadId", "IofCompleteRequest", + "PsGetProcessWin32Process", "ExEventObjectType", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "ZwQueryInformationFile", + "KeWaitForSingleObject", "IoCreateSymbolicLink", - "RtlUpperChar", - "ObReferenceObjectByName", + "PsSetCreateProcessNotifyRoutine", "IoDriverObjectType", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", 
- "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", + "PsLookupThreadByThreadId", "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", + "ZwClose", + "PsTerminateSystemThread", "wcsrchr", - "memcpy", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ZwQuerySecurityObject", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", - "IoCreateDevice", + "strrchr", + "SeExports", + "KeUnstackDetachProcess", + "KeResetEvent", + "KeRevertToUserAffinityThread", + "ZwOpenProcess", + "wcsncmp", + "ZwOpenKey", + "PsGetThreadProcess", + "IoThreadToProcess", + "PsInitialSystemProcess", + "KeInsertQueueDpc", + "KeNumberProcessors", + "KeInitializeDpc", + "KeSetTargetProcessorDpc", + "PsProcessType", + "MmMapIoSpace", + "MmUnmapIoSpace", + "ZwDeleteFile", + "KeAttachProcess", + "KeDetachProcess", + "RtlCompareUnicodeString", + "ZwWriteFile", + "NtClose", + "ObfReferenceObject", + "IoBuildSynchronousFsdRequest", + "ZwOpenThread", + "ZwTerminateProcess", + "RtlEqualUnicodeString", + "IoFreeIrp", + "ZwQueryDirectoryObject", + "KeBugCheck", + "ZwOpenDirectoryObject", + "IoAllocateIrp", + "KdDebuggerNotPresent", + "ZwSetSecurityObject", "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", + "RtlLengthSecurityDescriptor", + "RtlCreateSecurityDescriptor", "RtlAbsoluteToSelfRelativeSD", - "IoFreeMdl", - 
"KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlQueryRegistryValues", + "RtlPrefixUnicodeString", + "ExRegisterCallback", + "ExCreateCallback", + "ExUnregisterCallback", + "strcmp" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "481cdcb5e99a23bce71ae7200e8e6746fd427251740a2347a3ab92d225c47059be14a0e52781a54d1415190779f0d104c386d93bbdfe4402664ded69a40ff6b870cf62e8f5514a7879367a27b7f3e7529f93a7ed439e7be7b4dd412289fb87a246034efcf4feb76477635f2352698382fa1a53ed90cc8da117730df4f36539704bf39cd67a7bda0cbc3d32d01bcbf561fc75080076bc810ef8c0e15ccfc41172e71b6449d8229a751542f52d323881daf460a2bab452fb5ce06124254fb2dfc929a8734351dabd63d61f5b9bf72e1b4f131df74a0d717e97b7f43f84ebc1e3a349a1facea7bf56cfba597661895f7ea7b48e6778f93698e1cb28da5b87a68a2f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=CZ, L=Praha, O=Avast Software s.r.o., OU=RE 999, CN=Avast Software s.r.o.", + "ValidFrom": "2019-12-02 00:00:00", + "ValidTo": "2022-10-19 12:00:00", + "Signature": 
"874d04f17ffc50e66100207e56ecc8ae7e81c1957a7600295ead9db28842c7c05e06e8e28ccfc1e9d45d7a55d6d4a2fb74d72600a79ef5bfa53acaa4f3a4fcaf90a2554fc37742dd44c83a90880f948f5538637c0d999b03ebbf20cc001293a5639d44ad950cacfce2a337f7a24b817a5b85df89f6acf49974adee1d867373e6534a3f3558e59f87d06afe5744ec575b66c76110a595471007b209c591984f0ff20ea4c87ac405c85f42f0b105b04ec2ced11ca9cfb6aef21a3c6ae9ccd2a9cb4a9f78244751b15bfccb32ec3a52d44258bad6fc6d9f24c24700e9e1c4c0c29b9db4683c526a92934d72367620c6a89119e7a678597d7603c62b1c22f54edfad", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "03f02aca051d1c9330eeabd3706e836f", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + } + ], + "Tags": [ + "aswArPot.sys" + ], + "yara": true + }, + { + "Id": "adfb015a-f453-4b9e-a247-50f146209eb0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create b3.sys 
binPath=C:\\windows\\temp\\b3.sys type=kernel && sc.exe start b3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "b3.sys", + "SHA256": "708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "b3.sys" + ], + "yara": false + }, + { + "Id": "0fc0563c-de9f-41d8-806a-748e04d57365", + "Author": "Michael Haag", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create gftkyj64.sys binPath=C:\\windows\\temp\\gftkyj64.sys type=kernel && sc.exe start gftkyj64.sys", + "Description": "SentinelOne has observed prominent threat actors abusing legitimately signed Microsoft drivers in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.\nInvestigations into these intrusions led to the discovery of POORTRY and STONESTOP malware, part of a small toolkit designed to terminate AV and EDR processes.\nWe first reported our discovery to Microsoft’s Security Response Center (MSRC) in October 2022 and received an official case number (75361). Today, MSRC released an associated advisory under ADV220005.\nThis research is being released alongside Mandiant, a SentinelOne technology and incident response partner. 
", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "gftkyj64.sys", + "MD5": "04a88f5974caa621cee18f34300fc08a", + "SHA1": "a804ebec7e341b4d98d9e94f6e4860a55ea1638d", + "SHA256": "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c", + "Signature": [ + "北京东方海达网络科技有限责任公司", + "Sectigo Public Code Signing CA R36", + "Sectigo Public Code Signing Root R46", + "Sectigo (AAA)" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "4252d83e18ad41f0cea7ac168218d95b", + "SHA1": "cf9cb05c9b725efca68c4b7d6f53c8e233217ac4", + "SHA256": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "rand", + "srand", + "RtlInitUnicodeString", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExSystemTimeToLocalTime", + "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoGetCurrentProcess", + "ObReferenceObjectByHandleWithTag", + "ObfDereferenceObject", + "ObfDereferenceObjectWithTag", + "MmIsAddressValid", + "PsGetProcessExitStatus", + "PsIsThreadTerminating", + "PsLookupProcessByProcessId", + "PsLookupThreadByThreadId", + "PsGetThreadProcess", + "PsIsSystemThread", + "ObOpenObjectByPointerWithTag", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ 
{ - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", - "ValidFrom": "2019-07-12 00:00:00", - "ValidTo": "2020-07-10 12:00:00", - "Signature": "5c08ae5d586a4751195382d6889dc2fc500e7c39c641e1a58def8d923e12b754e2cc35720cc8d3d29382980debf7d98fcc17d764187126dd07c134fdbb96dd44fe8a40195df6f6acd1881fa5ba2921dadceb3f64422344672834813916bbdf317533cf6aaf3317d78197d7d6c560ad681de135f39e2d4ad345b7fe491162660a5462c6075fd725382df1e6e6bc3a4c443be778f79b07f181082e38150ca28ab932f99e4bc4185dc5b3b6edf22c187fdfd84e23a21e7da1989837f43b89aa172e6b34dbcb297bffd511a1d1c100b25e0e921f622a0845e23317f9fec83659ca21c241800683e0dd66ce4d042a8aefc4142b5923a6fa93ee72c48e8dc04c13b4b0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", + "Subject": "C=CN, ST=guangdong, L=zhuhai, O=Zhuhai liancheng Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Zhuhai liancheng Technology Co., Ltd.", + "ValidFrom": "2013-02-04 00:00:00", + "ValidTo": "2014-02-04 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"0ea0fe4dfb74cc64bc32143103c27c8b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "627dfdf73a1455de5143a270799e6b7b", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "gftkyj64.sys" + ], + "yara": false + }, + { + "Id": "4bf4b425-10af-4cd4-88e6-beb4b947eb48", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create IObitUnlocker.sys binPath=C:\\windows\\temp\\IObitUnlocker.sys type=kernel && sc.exe start IObitUnlocker.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004.yara" }, { - "FileName": "TmComm.sys", - "MD5": "f4b7b84a6828d2f9205b55cf8cfc7742", - "SHA1": "e835776e0dc68c994dd18e8628454520156c93e3", - "SHA256": "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4", - "Authentihash": { - "MD5": "0fe42b5332d879959e93066779cac8e5", - "SHA1": "06c69146793ba18827da747ce0f0a5a13cc4399f", - "SHA256": "1f642b5e76572b80684d15bf48bb6e2b6d2743171280ab50502284808a515904" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", 
- "OriginalFilename": "TmComm.sys", - "FileVersion": "3.20.0.1012", - "Product": "Trend Micro AEGIS", - "ProductVersion": "3.20", - "Copyright": "Copyright (C) 2005-2010 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "IObitUnlocker.sys", + "MD5": "2391fb461b061d0e5fccb050d4af7941", + "SHA1": "7c6cad6a268230f6e08417d278dda4d66bb00d13", + "SHA256": "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004", + "Signature": [ + "IObit CO., LTD", + "DigiCert EV Code Signing CA", + "DigiCert" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - 
"??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - 
"??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - 
"??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - 
"?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - 
"?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - 
"?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - 
"?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_KmCallUm@8", - "_MapMem@12", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UnMapMem@8", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - 
"_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilQueryKeyValue@24", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "__UtilDosPathNameToNtPathName@12" + "Date": "", + "Publisher": "", + "Company": "IObit Information Technology", + "Description": "Unlocker Driver", + "Product": "Unlocker", + "ProductVersion": "1.3.0.10", + "FileVersion": "1.3.0.10", + "MachineType": "AMD64", + "OriginalFilename": "IObitUnlocker.sys", + "Authentihash": { + "MD5": "751c91ae91cb43aadaeaa1bb187c593a", + "SHA1": "dd220acea885a954085e614b94da2b5bba5c0cc3", + "SHA256": "e0aff24a54400fe9f86564b8ce9f874e7ff51e96085ff950baff05844cff2bd1" + }, + "InternalName": "IObitUnlocker.sys", + "Copyright": "© IObit. 
All rights reserved.", + "Imports": [ + "ntoskrnl.exe" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "ExReleaseFastMutexUnsafe", - "wcsncpy", - "memcpy", - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "RtlSubAuthoritySid", - "RtlInitializeSid", "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", + "IoDeleteSymbolicLink", "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwRequestWaitReplyPort", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "ZwConnectPort", - "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "PsGetProcessExitTime", - "DbgPrint", - "memset", - "MmIsAddressValid", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", + "IoDeleteDevice", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", "_wcsnicmp", + "ZwReadFile", + "IoGetRelatedDeviceObject", + "MmGetSystemRoutineAddress", "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", + "ExInterlockedPopEntryList", + "KeDelayExecutionThread", + "IoFileObjectType", + "ZwWaitForSingleObject", + "ZwCreateFile", + "ExAllocatePool", + "IoGetCurrentProcess", + "ZwClose", "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "MmUnmapLockedPages", 
- "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeNumberProcessors", + "KeWaitForSingleObject", + "RtlCompareUnicodeString", + "IoAllocateIrp", + "ObfDereferenceObject", + "ZwQueryInformationFile", + "ZwWriteFile", + "ObOpenObjectByPointer", + "DbgPrint", + "IofCallDriver", + "_wcsicmp", + "PsGetProcessPeb", + "PsLookupProcessByProcessId", + "ZwQuerySymbolicLinkObject", + "RtlInitUnicodeString", + "KeSetEvent", + "RtlAppendUnicodeToString", + "IoCreateFile", "ZwQuerySystemInformation", + "ZwOpenSymbolicLinkObject", + "KeUnstackDetachProcess", + "ObQueryNameString", + "wcsrchr", "ZwQueryDirectoryFile", - "ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", + "_vsnwprintf", + "RtlAppendUnicodeStringToString", "ZwDuplicateObject", - "ZwOpenKey", - "KeLeaveCriticalRegion", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "_purecall", - "ZwQueryKey", - "ZwSetValueKey", "IoFreeIrp", - "IoFreeMdl", - "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "KeDelayExecutionThread", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "PsLookupProcessByProcessId", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "RtlEqualUnicodeString", - "IoFileObjectType", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "MmGetSystemRoutineAddress", - "RtlCopyUnicodeString", - "RtlCompareMemory", - "_snwprintf", - "RtlImageNtHeader", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "MmIsAddressValid", + "ZwTerminateProcess", + "ExInterlockedPushEntryList", + "KeStackAttachProcess", "KeBugCheckEx", - "RtlAppendUnicodeStringToString", - 
"ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "ObQueryNameString", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=CN, ??=Sichuan, ??=Wuhou District, Chengdu, ??=Private Organization, serialNumber=91510107072412418F, C=CN, ST=Sichuan, L=Chengdu, O=IObit CO., LTD, CN=IObit CO., LTD", + "ValidFrom": "2019-08-27 00:00:00", + "ValidTo": "2022-08-30 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 
12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0d98f5df96c592c5b76bfde1cb823096", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "IObitUnlocker.sys" + ], + "yara": true + }, + { + "Id": "7f9842a0-8118-462e-8860-227265ff4379", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create NTIOLib.sys binPath=C:\\windows\\temp\\NTIOLib.sys type=kernel && sc.exe start NTIOLib.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "NTIOLib.sys", + "MD5": "4d99d02f49e027332a0a9c31c674e13b", + "SHA1": "39e57a0bb3b349c70ad5f11592f9282860bbcc0a", + "SHA256": "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805", + "Authentihash": { + "MD5": "eed041909fbbbe05f6cc68006d541b0d", + "SHA1": "d3809c4439f7828a4a76aef68627eb1e6e703d43", + "SHA256": "c84806a49da944c20a01e7dba7721e88859a5f65ec338ddb5da3a0d6895e7268" + }, + "Description": "NTIOLib", + "Company": "MSI", + "InternalName": "NTIOLib.sys", + "OriginalFilename": "NTIOLib.sys", + "FileVersion": "1.0.0.0", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_ULONG", "IofCompleteRequest", - "ExEventObjectType", - "IoDeleteDevice", + "WRITE_REGISTER_BUFFER_UCHAR", + "IoCreateDevice", + "KeTickCount", + "MmMapIoSpace", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "MmSectionObjectType", - "ObOpenObjectByName", - "IoDriverObjectType", - "NtQueryInformationProcess", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "KeTickCount", + "IoDeleteDevice", "RtlUnwind", - "KeEnterCriticalRegion", - "ZwEnumerateKey", - "ExAcquireFastMutexUnsafe", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "KeBugCheckEx", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + }, + { + "FileName": "NTIOLib.sys", + "MD5": "2e5f016ff9378be41fe98fa62f99b12d", + "SHA1": 
"4518758452af35d593e0cae80d9841a86af6d3de", + "SHA256": "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504", + "Authentihash": { + "MD5": "dbca419735abe58370b336d8d3da5ad8", + "SHA1": "2986d3251738a29bd73f2938545cd3ffc8e2aadc", + "SHA256": "c0fc1c1c1ff39ea9a695996482ab31cb65c74aaf9f20cba21e9ff34ef054a008" + }, + "Description": "NTIOLib", + "Company": "MSI", + "InternalName": "NTIOLib.sys", + "OriginalFilename": "NTIOLib.sys", + "FileVersion": "1.0.0.0", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_ULONG", + "IofCompleteRequest", + "WRITE_REGISTER_BUFFER_UCHAR", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "ZwOpenProcess", - "KeGetCurrentThread", - "KfLowerIrql", - "KeRaiseIrqlToDpcLevel", - "ClassInitialize" + "KeTickCount", + "MmMapIoSpace", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "RtlUnwind", + "KeBugCheckEx", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" ], "Signatures": [ { 
@@ -94962,10 +94210,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -94976,758 +94224,4181 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2008-01-16 00:00:00", - "ValidTo": "2011-02-16 23:59:59", - "Signature": "5a693868cea6ba49064b801a0d9e12887a37cbb92cca2950cc5e99c2df9aec5697422e67cd042836daf09a09e739f625255841fed1ec9657cb8b3edc08c55c302574cbdb3f7de2798ed769d766402619b48041f9d90f8c904488788412b1c632055e1afc4a5bbac642cb626bd20fece0feaa6cf9b287887788cf64586309a14a644b5f0595c0ddcb7d789831faedb48451e40e342da4ccbc38a5e992e57e7ce5328d531a8c68e61f9dc9be65605c1bedf3358579000b91a19b3be388bac36b58ca76b72358bd8e74e0a7b08b0587bb7a29758c01af40b80e8e72c76abd3a2babfe7c1ed6e7b1cd9b0221a605062b6d9d0ceb57e0eb305fdc5eb5bf6ea442f4c9", + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": 
"87bf57ab7ffd7e005076b34b14ddd924045ec7e389871661794f1ece1bef10e050893b28236cb650af1415f8cd95e86c2052d93311d73e0bbe6fb1c22ddea438a93c8b18bd4b8c0f81ad07032efb46d406bbaa730dd3ac92cbf0d9cc711a397a0e0320b213a5161e6be83ec69967a712b463129ea56d5a8ecd3ff8901be09dfaa0a0f10e879b307863e1b1c3a3149ac73bc3f3160db7012229b57bced6d47b875878663642a8cddd03da1e7f236b8cf16713a5e0f4c892aaca77a8c7dab41d84567e2bbf09b336a2824e0e18d54d199e6e024d2630bb210cd24a9ef4b377be0429e2ecc9bf8478a8c6a78c686e26f29c95925baee85e4bbb97b6eecffe44a25e", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "645212f783f4d7aba3555729e99ce065", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "29122f970a9e766ef01a73e0616d68b3", - "SHA1": "432fa24e0ce4b3673113c90b34d6e52dc7bac471", - "SHA256": "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69", + "FileName": "NTIOLib.sys", + "MD5": "6d97ee5b3300d0f7fa359f2712834c40", + "SHA1": "8dc2097a90eb7e9d6ee31a7c7a95e7a0b2093b89", + "SHA256": "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4", "Authentihash": { - "MD5": "84cb997d2380df8ee2ac77eacdb2d9f7", - "SHA1": "c8c6a98f592d7255d12b7a6c3d7f5bf5c4a34b50", - "SHA256": "62d1ca62fb251b1eeda5d2577719414e6e26d4afdc5f3df3faf3b35de5cb9506" + "MD5": "2f6cff8603866aad75277f79179ca16e", + "SHA1": "55df6777d508865628b433631b8faaaa38dc0908", + "SHA256": "2018ad5f3695295599f756caf556722291485cd67eb9c3f7ec701b206cca4e00" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1140", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2021 Trend Micro Incorporated. All rights reserved.", + "Description": "NTIOLib", + "Company": "MSI", + "InternalName": "NTIOLib.sys", + "OriginalFilename": "NTIOLib.sys", + "FileVersion": "1.0.0.0", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - 
"??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - "??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - 
"??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - 
"??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - 
"?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - 
"?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - 
"?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - 
"?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - 
"?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - 
"?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetFileVersionOfNtoskrnl", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFileName1", - "NormalizeFullNtPathToDosName", - "NormalizeFullNtPathToDosName1", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - 
"UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, 
O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + }, + { + "FileName": "NTIOLib.sys", + "MD5": "2f1ebc14bd8a29b89896737ca4076002", + "SHA1": "6bfeac43be3ebd8d95a5eba963e18d97d76d2b05", + "SHA256": "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8", + "Authentihash": { + "MD5": "00f93b0c0de351b93a4c71c3595e968e", + "SHA1": "02a53e837651d224f3c91aaf37a3067e81d2f6ac", + "SHA256": "ee15f36881b84a2da82fee37e8ad65e47f1224e64d1d6fe43f7a5ad2efe92f5d" + }, + "Description": "NTIOLib", + "Company": "MSI", + "InternalName": "NTIOLib.sys", + "OriginalFilename": "NTIOLib.sys", + "FileVersion": "1.0.0.0", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_ULONG", + "IofCompleteRequest", + "WRITE_REGISTER_BUFFER_UCHAR", + "IoCreateDevice", + "KeTickCount", + "MmMapIoSpace", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "RtlUnwind", + "KeBugCheckEx", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL 
CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + }, + { + "FileName": "NTIOLib.sys", + "MD5": "1c4acf27317a2b5eaedff3ce6094794d", + "SHA1": "4a7324ca485973d514fd087699f6d759ff32743b", + "SHA256": "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2", + "Authentihash": { + "MD5": "fc7eef91aa6574643560ad954e800138", + "SHA1": "cc9c3d9b69f4a4be1f2c3dc33ab7441f41e47a55", + "SHA256": "1f5e9fc579028d5cae916743528891aa39a4eecb3f573ea522eeb8da97f95953" + }, + "Description": "NTIOLib", + "Company": "MSI", + "InternalName": "NTIOLib.sys", + "OriginalFilename": "NTIOLib.sys", + "FileVersion": "1.0.0.0", + "Product": "NTIOLib", + "ProductVersion": "1.0.0.0", + "Copyright": "Copyright (C) 2008-2009 MSI. 
All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_ULONG", + "IofCompleteRequest", + "WRITE_REGISTER_BUFFER_UCHAR", + "IoCreateDevice", + "KeTickCount", + "MmMapIoSpace", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "RtlUnwind", + "KeBugCheckEx", + "HalGetBusDataByOffset", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "HalSetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR 
INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", + "ValidFrom": "2011-08-30 06:46:09", + "ValidTo": "2014-08-30 06:46:09", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121a559b50ef9848661f0faeb7421bbdd2c", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + } + ], + "Tags": [ + "NTIOLib.sys" + ], + "yara": true + }, + { + "Id": "61514cbd-6f34-4a3e-a022-9ecbccc16feb", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create atillk64.sys binPath=C:\\windows\\temp\\atillk64.sys type=kernel && sc.exe start atillk64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + 
"value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "atillk64.sys", + "MD5": "62f02339fe267dc7438f603bfb5431a1", + "SHA1": "c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65", + "SHA256": "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a", + "Signature": [ + "ATI Technologies, Inc", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "\"ATI Technologies, Inc\"", + "Company": "ATI Technologies Inc.", + "Description": "ATI Diagnostics Hardware Abstraction Sys", + "Product": "ATI Diagnostics", + "ProductVersion": "5.11.9.0", + "FileVersion": "5.11.9.0", + "MachineType": "AMD64", + "OriginalFilename": "atillk64.sys", + "Authentihash": { + "MD5": "281880f5f33d1aab062ceccd237ef992", + "SHA1": "e8e533d9e8df018648ccbafbd6081507f5c0f41a", + "SHA256": "126719d008d106b7100ae47ed47666c1334701bd7ddb32d5b8e84048f258700f" + }, + "InternalName": "atillk64.sys", + "Copyright": "Copyright (C) ATI Technologies Inc., 2003", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteDevice", + "MmUnmapIoSpace", + "MmBuildMdlForNonPagedPool", + "IoFreeMdl", + "MmMapIoSpace", + "IofCompleteRequest", + "RtlInitUnicodeString", + "IoCreateDevice", + "IoAllocateMdl", + "KeBugCheckEx", + "MmMapLockedPages", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=CA, ST=Ontario, L=Thornhill, O=ATI Technologies, Inc, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ATI Technologies, Inc", + "ValidFrom": "2009-02-25 00:00:00", + "ValidTo": "2012-03-20 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "3de959ef88a52c10bc8511ef057c233f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + } + ], + "Tags": [ + "atillk64.sys" + ], + "yara": true + }, + { + "Id": "2e4fedb0-30ed-400d-b4e1-b2b2004c1607", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create OpenLibSys.sys binPath=C:\\windows\\temp\\OpenLibSys.sys type=kernel && sc.exe start OpenLibSys.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "OpenLibSys.sys", + "MD5": "ccf523b951afaa0147f22e2a7aae4976", + "SHA1": "ac600a2bc06b312d92e649b7b55e3e91e9d63451", + 
"SHA256": "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c", + "Signature": [ + "Noriyuki MIYAZAKI", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "OpenLibSys.org", + "Description": "OpenLibSys", + "Product": "OpenLibSys", + "ProductVersion": "1.0.0.2", + "FileVersion": "1.0.0.2", + "MachineType": "AMD64", + "OriginalFilename": "OpenLibSys.sys", + "Authentihash": { + "MD5": "1244664c7917f03f2b43b30e132f64b5", + "SHA1": "d6f015693e56a3ebba725a6591cc07443d0e1661", + "SHA256": "db68a9cbe22b22cba782592eef76e63e080ee8d30943be6da694701f44b6c33e" + }, + "InternalName": "OpenLibSys.sys", + "Copyright": "Copyright (C) 2007 OpenLibSys.org", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", + "ValidFrom": "2007-09-24 10:50:55", + "ValidTo": "2008-09-24 10:50:55", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", + "ValidFrom": "2003-12-16 13:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + 
"ValidTo": "2014-01-27 11:00:00", + "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", + "ValidFrom": "2007-02-05 09:00:00", + "ValidTo": "2014-01-27 09:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "01000000000115372421a8", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] + }, + { + "Filename": "OpenLibSys.sys", + "MD5": "96421b56dbda73e9b965f027a3bda7ba", + "SHA1": "da9cea92f996f938f699902482ac5313d5e8b28e", + "SHA256": "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008", + "Signature": [ + "Noriyuki MIYAZAKI", + "GlobalSign ObjectSign CA", + "GlobalSign Primary Object 
Publishing CA", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "OpenLibSys.org", + "Description": "OpenLibSys", + "Product": "OpenLibSys", + "ProductVersion": "1.0.1.3", + "FileVersion": "1.0.1.3", + "MachineType": "AMD64", + "OriginalFilename": "OpenLibSys.sys", + "Authentihash": { + "MD5": "bd94d3a0abc78f87147bf8ea41aad734", + "SHA1": "7ecbd5098c4161b95dd7e674003dd53069374f3e", + "SHA256": "6f3937451f0170a0aec3033cadceeb86ab30ee3c67add3926e116ccc20c0d9a7" + }, + "InternalName": "OpenLibSys.sys", + "Copyright": "Copyright (C) 2007 OpenLibSys.org", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info", + "ValidFrom": "2007-09-24 10:50:55", + "ValidTo": "2008-09-24 10:50:55", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE", + "ValidFrom": "2003-12-16 13:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", + "ValidFrom": "1999-01-28 12:00:00", + "ValidTo": "2014-01-27 11:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": 
"O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com", + "ValidFrom": "2007-02-05 09:00:00", + "ValidTo": "2014-01-27 09:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", + "ValidFrom": "2004-01-22 09:00:00", + "ValidTo": "2014-01-27 10:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2006-05-23 17:00:51", + "ValidTo": "2016-05-23 17:10:51", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "01000000000115372421a8", + "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" + } + ] + } + ] + } + ], + "Tags": [ + "OpenLibSys.sys" + ], + "yara": true + }, + { + "Id": "3f39af20-802a-4909-a5de-7f6fe7aab350", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create AsrOmgDrv.sys binPath=C:\\windows\\temp\\AsrOmgDrv.sys type=kernel && sc.exe start AsrOmgDrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9.yara" + }, + { + "type": "sigma_hash", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AsrOmgDrv.sys", + "MD5": "4f27c09cc8680e06b04d6a9c34ca1e08", + "SHA1": "400f833dcc2ef0a122dd0e0b1ec4ec929340d90e", + "SHA256": "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9", + "Signature": [ + "ASROCK Incorporation", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "ASROCK Incorporation", + "Company": "ASRock Incorporation", + "Description": "ASRock IO Driver", + "Product": "ASRock IO Driver", + "ProductVersion": "1.00.00.0000", + "FileVersion": "1.00.00.0000 built by: WinDDK", + "MachineType": "AMD64", + "OriginalFilename": "AsrDrv.sys", + "Authentihash": { + "MD5": "b39f71ca0eb035173a7f6c3dc7a43620", + "SHA1": "045818bc05faf8fb2b7ccc60623f5a6f185d68c7", + "SHA256": "6c9dc878d9605070921338d09c6dbecbe11dec50c03fc69a0462884a07c2c442" + }, + "InternalName": "AsrDrv.sys", + "Copyright": "Copyright (C) 2012 ASRock Incorporation", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoDeleteSymbolicLink", + "ExFreePoolWithTag", + "MmFreeContiguousMemorySpecifyCache", + "RtlInitUnicodeString", + "IoDeleteDevice", + "RtlQueryRegistryValues", + "MmUnmapIoSpace", + "IoFreeMdl", + "MmGetPhysicalAddress", + "IoBuildAsynchronousFsdRequest", + "MmMapIoSpace", + "IofCompleteRequest", + "IoFreeIrp", + "RtlCompareMemory", + 
"MmUnlockPages", + "IoCreateSymbolicLink", + "IoCreateDevice", + "MmAllocateContiguousMemorySpecifyCache", + "IofCallDriver", + "KeBugCheckEx", + "ExAllocatePoolWithTag", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "AsrOmgDrv.sys" + ], + "yara": true + }, + { + "Id": "13b2424a-d337-4bc7-ad1d-2049c79906b4", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + 
"Verified": "FALSE", + "Commands": { + "Command": "sc.exe create d3.sys binPath=C:\\windows\\temp\\d3.sys type=kernel && sc.exe start d3.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "d3.sys", + "SHA256": "36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "d3.sys" + ], + "yara": false + }, + { + "Id": "a02ee964-a21e-4b08-9c98-a730c90bfd53", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-11", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create LMIinfo binPath=C:\\windows\\temp\\LMIinfo.sys type=kernel && sc.exe start LMIinfo.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": "Michael Alfaro", + "Handle": "@_mmpte_software" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": 
"sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "LMIinfo.sys", + "MD5": "d4f7c14e92b36c341c41ae93159407dd", + "SHA1": "eac1b9e1848dc455ed780292f20cd6a0c38a3406", + "SHA256": "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233", + "Authentihash": { + "MD5": "99b6f355ca0fb587ccb303e88bd73785", + "SHA1": "0ae6274d4f95b64415c6a5aefe3b5d6be8d1e4a4", + "SHA256": "e466e2bf4e190edd8717f6e8466b77a66b3304f5ae1458ca4400025a869fdfd1" + }, + "Description": "LogMeIn Kernel Information Provider", + "Company": "LogMeIn, Inc.", + "InternalName": "LMIinfo.sys", + "OriginalFilename": "LMIinfo.sys", + "FileVersion": "11.1.0.3220", + "Product": "LogMeIn", + "ProductVersion": "11.1.0.3220", + "Copyright": "Copyright © 2003-2017 LogMeIn, Inc. 
Patented and patents pending.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenKey", + "ExFreePoolWithTag", + "ZwOpenProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "ZwDuplicateObject", + "__C_specific_handler", + "KeBugCheckEx", + "RtlCopyUnicodeString", + "ExAllocatePoolWithTag", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "ZwQueryValueKey", + "RtlInitUnicodeString", + "WdfVersionBindClass", + "WdfVersionBind", + "WdfVersionUnbind", + "WdfVersionUnbindClass" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=US, ??=Delaware, serialNumber=3830661, ??=320 Summer Street, postalCode=02210, C=US, ST=Massachusetts, L=Boston, O=LogMeIn, Inc., CN=LogMeIn, Inc.", + "ValidFrom": "2015-06-18 00:00:00", + "ValidTo": "2018-06-22 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "080d35880102e23d2340f69eb3c0e561", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)" + } + ] + } + ] + } + ], + "Tags": [ + "LMIinfo.sys" + ], + "yara": true + }, + { + "Id": "13637210-2e1c-45a4-9f76-fe38c3c34264", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create HpPortIox64.sys binPath=C:\\windows\\temp\\HpPortIox64.sys type=kernel && sc.exe start HpPortIox64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + 
"KnownVulnerableSamples": [ + { + "FileName": "HpPortIox64.sys", + "MD5": "7b9e1e5e8ff4f18f84108bb9f7b5d108", + "SHA1": "a59006308c4b5d33bb8f34ac6fb16701814fb8dc", + "SHA256": "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9", + "Authentihash": { + "MD5": "554fb2c6b328efeef850104fec12899c", + "SHA1": "12eb825418a932b1e4c6697dc7647e89ae52cf3f", + "SHA256": "4582adb2e67eebaff755ae740c1f24bc3af78e0f28e8e8decb99f86bf155ab23" + }, + "Description": "HpPortIo", + "Company": "HP Inc.", + "InternalName": "HpPortIox64.sys", + "OriginalFilename": "HpPortIox64.sys", + "FileVersion": "1.0.0.0", + "Product": "HpPortIo", + "ProductVersion": "1.0.0.0", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmUnmapIoSpace", + "MmMapIoSpace", + "IofCompleteRequest", + "IoDeleteDevice", + "IoCreateDevice", + "KeBugCheckEx", + "RtlInitUnicodeString", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "__C_specific_handler", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=California, L=Palo Alto, O=HP Inc., OU=HP Cybersecurity, CN=HP Inc.", + "ValidFrom": "2019-05-07 00:00:00", + "ValidTo": "2020-05-11 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA", + "ValidFrom": "2013-10-22 12:00:00", + "ValidTo": "2028-10-22 12:00:00", + "Signature": 
"6a0eff7e137c06a54bc02e8cf9536409e2ba58913050eccc9fe1d3a82f4846361829d078285f9856400f1ebabdb13b875cdc5bd8200ded1a164dd51124214bf127699013eb11a101dafdb54e795975bd382a6ac3f68e412b8aa28bd72c5151d99ca0c8e34eba6ca847d24ed1681f8c02573bb3296a8e6a202ab9f2006264bac8e900f9cca4d4ba9a35d8af2c656c167c5821de4a30d0faeb245d06c99d16b7ad4a45d325e20cf040aa5c4dac7ecd0682b976466908d832b682fee3a95834431b8e6767973f6831163638953e87f7c7c3af9d7a7719d9de93b5fd6e2bfc94f93db74c12352c30bee88d9e05709a4813f48cd6e71eac38e7a8f3ad0cb77aec67ed", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "09e002ed55ebc92b8a799574f80069fd", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "HpPortIox64.sys" + ], + "yara": true + }, + { + "Id": "fdf4f85b-47f4-4c98-a0d5-a6583463f565", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create vmdrv.sys binPath=C:\\windows\\temp\\vmdrv.sys type=kernel && sc.exe start vmdrv.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "vmdrv.sys", + "MD5": "d5db81974ffda566fa821400419f59be", + "SHA1": "4c18754dca481f107f0923fb8ef5e149d128525d", + "SHA256": "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351", + "Signature": [ + "Voicemod Sociedad Limitada", + "DigiCert Global G3 Code Signing ECC SHA384 2021 CA1", + "DigiCert Global Root G3" + ], + "Date": "", + "Publisher": "", + "Company": "Windows (R) Win 7 DDK provider", + "Description": "Voicemod Virtual Audio Device (WDM)", + "Product": "Windows (R) Win 7 DDK driver", + "ProductVersion": "10.0.10011.16384", + "FileVersion": "10.0.10011.16384", + "MachineType": "AMD64", + "OriginalFilename": "vmdrv.sys", + "Authentihash": { + "MD5": "681bb8e9713477839a1ee8d87b498630", + "SHA1": "68cdcd073e57f650c5d6173cd79af3a3526052f6", + "SHA256": "99ddeba6bcdc79e52e3ff8afc63dbe4b299161cf0f5558a2d7630c2a18daf2c6" + }, + "InternalName": "vmdrv.sys", + "Copyright": "Copyright (C) Voicemod S.L.2010-2020", + "Imports": [ + "ntoskrnl.exe", + "portcls.sys" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "KeClearEvent", + "KeSetEvent", + "ExFreePool", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ExEventObjectType", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExSystemTimeToLocalTime", + "_purecall", + "KeInitializeDpc", + "KeFlushQueuedDpcs", + "KeInitializeMutex", + "KeReleaseMutex", + 
"KeInitializeTimerEx", + "KeCancelTimer", + "KeSetTimerEx", + "KeWaitForSingleObject", + "KeInitializeSpinLock", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "IoAllocateWorkItem", + "IoFreeWorkItem", + "IoQueueWorkItem", + "RtlIsNtDdiVersionAvailable", + "PcInitializeAdapterDriver", + "PcDispatchIrp", + "PcAddAdapterDevice", + "PcRegisterAdapterPowerManagement", + "PcNewServiceGroup", + "PcRegisterSubdevice", + "PcRegisterPhysicalConnection", + "PcNewPort" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1", + "ValidFrom": "2021-04-29 00:00:00", + "ValidTo": "2036-04-28 23:59:59", + "Signature": "3065023078bd4995657101d0465768650e68a9dc3608c1eefdd48edb40653f0dff93afc2ae6386a37ecbb4915a78ec070367077c023100e79f1ff1075bac34c638bcb5a550cee6ea387e3e7990e4a45bab020de807fc56a65a8addb350b2ddf2fa66749ed01663", + "SignatureAlgorithmOID": "1.2.840.10045.4.3.3" + }, + { + "Subject": "??=Private Organization, ??=ES, ??=Valencia, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", + "ValidFrom": "2021-10-21 00:00:00", + "ValidTo": "2023-01-19 23:59:59", + "Signature": "3066023100fd8a9d376bf4399c7cb947c5fbb2e90bb3fdbcb37cab257ef47db016f1898e2d129241a757f039f8e7112b05a48632a60231009b75d4e2623fb9f54ce9ffc6ba7a661a5d2d54b096ddf6c510b2f6063981c15846e282779e9febffa39e5c9fad429646", + "SignatureAlgorithmOID": "1.2.840.10045.4.3.3" + } + ], + "Signer": [ + { + "SerialNumber": "014d8930c6a3fceb0f4021734d5ed508", + "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1" + } + ] + } + ] + } + ], + "Tags": [ + "vmdrv.sys" + ], + "yara": true + }, + { + "Id": "9a4fb66e-9084-4b21-9d76-a7afbe330606", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + 
"Command": "sc.exe create AMDPowerProfiler.sys binPath=C:\\windows\\temp\\AMDPowerProfiler.sys type=kernel && sc.exe start AMDPowerProfiler.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "AMDPowerProfiler.sys", + "MD5": "e4266262a77fffdea2584283f6c4f51d", + "SHA1": "b480c54391a2a2f917a44f91a5e9e4590648b332", + "SHA256": "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05", + "Signature": [ + "Advanced Micro Devices Inc.", + "Sectigo RSA Code Signing CA", + "USERTrust RSA Certification Authority", + "Sectigo (AAA)" + ], + "Date": "", + "Publisher": "", + "Company": "Advanced Micro Devices, Inc.", + "Description": "AMD Power Profiling Driver", + "Product": "AMD uProf", + "ProductVersion": "3.4.493.0", + "FileVersion": "6.1.0.0", + "MachineType": "AMD64", + 
"OriginalFilename": "AMDPowerProfiler.sys", + "Authentihash": { + "MD5": "7ed9c787e267b2606441010b65767771", + "SHA1": "07a5aac8abb0a85822bf792607b9e90914b454dc", + "SHA256": "e1d3963c55c7ffa96d16e47ec4bbb4e171f828650ce853eb0b83c90ae9c6265a" + }, + "InternalName": "AMDPowerProfiler.sys", + "Copyright": "© 2021 AMD Inc. All rights reserved.", + "Imports": [ + "AMDPCore.SYS", + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "PcoreRemoveAllConfigurations", + "PcoreIsLoaded", + "PcoreAddConfiguration", + "PcoreUnregister", + "PcoreVersion", + "PcoreRegister", + "PcoreGetResourceCount", + "KeGetProcessorNumberFromIndex", + "KeInitializeDpc", + "KeSetTargetProcessorDpcEx", + "MmMapIoSpace", + "MmUnmapIoSpace", + "KeQueryActiveGroupCount", + "KeSetEvent", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "KeInitializeEvent", + "KeWaitForSingleObject", + "KeQueryActiveProcessorCountEx", + "ExSystemTimeToLocalTime", + "KeGetCurrentProcessorNumberEx", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlGetVersion", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "MmUnlockPages", + "PsRemoveLoadImageNotifyRoutine", + "ZwOpenSection", + "ZwUnmapViewOfSection", + "MmProbeAndLockPages", + "PsSetLoadImageNotifyRoutine", + "ObfDereferenceObject", + "IoAllocateMdl", + "PsRemoveCreateThreadNotifyRoutine", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "IoFreeMdl", + "MmIsAddressValid", + "PsSetCreateThreadNotifyRoutine", + "PsSetCreateProcessNotifyRoutine", + "ZwClose", + "IoSizeofWorkItem", + "ZwQueryVolumeInformationFile", + "IoQueryFileDosDeviceName", + "IoInitializeWorkItem", + "IoQueueWorkItemEx", + "ObfReferenceObject", + "IoUninitializeWorkItem", + "ZwOpenFile", + "IoIs32bitProcess", + "MmGetSystemRoutineAddress", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "ObOpenObjectByPointer", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + 
"RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "KeInsertQueueDpc", + "KeSetImportanceDpc", + "DbgPrint", + "MmMapLockedPagesSpecifyCache", + "RtlIsNtDdiVersionAvailable", + "ZwCreateFile", + "ZwWriteFile", + "__C_specific_handler", + "strcmp", + "KeQueryPerformanceCounter", + "HalAllocateHardwareCounters", + "HalFreeHardwareCounters" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Timestamp 2021", + "ValidFrom": "2021-01-01 00:00:00", + "ValidTo": "2031-01-06 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Timestamping CA", + "ValidFrom": "2016-01-07 12:00:00", + "ValidTo": "2031-01-07 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=California, L=Santa Clara, O=Advanced Micro Devices Inc., CN=Advanced Micro Devices Inc.", + "ValidFrom": "2021-05-11 00:00:00", + "ValidTo": "2024-05-10 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority", + "ValidFrom": "2019-03-12 00:00:00", + "ValidTo": "2028-12-31 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA", + "ValidFrom": "2018-11-02 00:00:00", + "ValidTo": "2030-12-31 23:59:59", + "Signature": "4d6350ed47344a61a4dbde6a2a8c9bf100001e1d627b3ad732c2f6b3e063b3fb6100889a1b6d1007044fbeb8ea897822eb0f46ecf3465e40468912f40b775a9c2a413afcd6f4ebe7f7159533c3a18328b7de2fe494f78533832d4a4048bf9ac24f4ab18f24f4b38137d3b764b0a6236a596852425fff04ebe174657908f5a993de6b71409996ba78f1b9c8e2c30816b1ab635ac815806d745e4a757ea5b8c36cb5cfdf4a79875cc7404d6335f630d3cfb50a0e0b047fa04baebba3a5d08400933e535d34a50035696cbe9f2025100d19fb509061be398f7a8e4df69f0e1efe075112668326194895ce4ac9c17ff33a059bf96fdf887fc0239ed21e437a4531c19c4da9f059b25919e86a8d290402777c4b4bcd70be3ab2555a783ebcbb6f0310257715348af936cc4392e4ba4ff1629328255729fb5119c7a125406a8457c6b29db1bc1c0ada7c677e7d2ee9284c187ec47b3141719a4b29ec0b3d5750d2caddfd9e0551e54478dd01deb175980d5424fdf04ee3e2f883bd72bacb3d3aeef05e1792686dc861f9a6f12a0a0ba5b9f49eee983205859eebf98329d3c62c7dbd3a772e8b3742a06a82ed3b4aaa9410a4e10df817c5b65a79331892e3b575f8a1e98e0a251ee41ef19f5a8723ff9fa4519efb398011cddbb5c4a7a8806fe553d4e0e3a2c2d25b1afa32262d6a57701c3ca4582ea3f35b4b07dc3259f387a71a6d58", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + "Signer": [ + { + "SerialNumber": "535091e6cab13af393b51ead0825f627", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "AMDPowerProfiler.sys" + ], + "yara": true + }, + { + "Id": "ad693146-4adf-4407-bb20-f2505e34c226", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create TGSafe.sys binPath=C:\\windows\\temp\\TGSafe.sys type=kernel && sc.exe start TGSafe.sys", + 
"Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "TGSafe.sys", + "SHA256": "3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "TGSafe.sys" + ], + "yara": false + }, + { + "Id": "19003e00-d42d-4cbe-91f3-756451bdd7da", + "Author": "Michael Haag, Guus Verbeek", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create AsrSetupDrv103.sys binPath=C:\\windows\\temp\\AsrSetupDrv103.sys type=kernel && sc.exe start AsrSetupDrv103.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "AsrSetupDrv103.sys", + "SHA1": "0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": 
"", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "SHA1": "461882bd59887617cadc1c7b2b22d0a45458c070", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "SHA1": "a7948a4e9a3a1a9ed0e4e41350e422464d8313cd", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "SHA1": "f3cce7e79ab5bd055f311bb3ac44a838779270b6", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "MD5": "", + "SHA1": "", + "SHA256": "399EFFE75D32BDAB6FA0A6BFFE02DBF0A59219D940B654837C3BE1C0BD02E9AA", + "Signature": [ + "" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "MD5": "", + "SHA1": "", + "SHA256": "27CD05527FEB020084A4A76579C125458571DA8843CDFC3733211760A11DA970", + "Signature": [ + "" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "MD5": "", + "SHA1": "", + "SHA256": "7AAF2AA194B936E48BC90F01EE854768C8383C0BE50CFB41B346666AEC0CF853", + "Signature": [ + "" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + 
"Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + }, + { + "Filename": "AsrSetupDrv103.sys", + "MD5": "", + "SHA1": "", + "SHA256": "727E8BA66A8FF07BDC778EACB463B65F2D7167A6616CA2F259EA32571CACF8AF", + "Signature": [ + "" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "AsrSetupDrv103.sys" + ], + "yara": false + }, + { + "Id": "7196366e-04f0-4aaf-9184-ed0a0d21a75f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create t7.sys binPath=C:\\windows\\temp\\t7.sys type=kernel && sc.exe start t7.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "t7.sys", + "SHA256": "be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "t7.sys" + ], + "yara": false + }, + { + "Id": "b51656eb-c7b6-43ae-95df-e96ebd326044", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create 
segwindrvx64.sys binPath=C:\\windows\\temp\\segwindrvx64.sys type=kernel && sc.exe start segwindrvx64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "segwindrvx64.sys", + "MD5": "bdc3b6b83dde7111d5d6b9a2aadf233f", + "SHA1": "2ade3347df84d6707f39d9b821890440bcfdb5e9", + "SHA256": "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2", + "Authentihash": { + "MD5": "9eea185193b6357a2bd97455572b650c", + "SHA1": "4ac29762ab2ad025a13a1e8cf7af9b7f4c875aac", + "SHA256": "ca213b79336c69128620bc39e6d987c1e605299fb6525344ba1b08b7829197c7" + }, + "Description": "SEG Windows Driver x64", + "Company": "Insyde Software Corp.", + "InternalName": "segwindrvx64.sys", + "OriginalFilename": "segwindrvx64.sys", + "FileVersion": "100, 0, 7, 0", + "Product": "SEG Windows Driver x64", + "ProductVersion": "100, 0, 7, 0", + "Copyright": "Copyright (c) 2012 - 2014, Insyde Software Corp. 
All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmMapLockedPagesSpecifyCache", + "MmMapIoSpace", + "MmUnmapIoSpace", + "MmAllocateContiguousMemorySpecifyCache", + "MmFreeContiguousMemorySpecifyCache", + "IofCompleteRequest", + "MmGetPhysicalAddress", + "_vsnprintf", + "RtlInitUnicodeString", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "RtlInitAnsiString", + "RtlFreeAnsiString", + "ExAllocatePool", + "RtlCopyString", + "RtlEqualString", + "RtlCompareMemory", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlQueryRegistryValues", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Insyde Software Corp., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Insyde Software Corp.", + "ValidFrom": "2012-12-28 00:00:00", + "ValidTo": "2016-01-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0355af7ef9418e476d877eecd9f9e9e2", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + } + ], + "Tags": [ + "segwindrvx64.sys" + ], + "yara": true + }, + { + "Id": "a5792a63-ba77-44ac-bd4a-134b24b01033", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", 
+ "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create 1.sys binPath=C:\\windows\\temp\\1.sys type=kernel && sc.exe start 1.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "1.sys", + "SHA256": "64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "1.sys" + ], + "yara": false + }, + { + "Id": "a338a9fc-9fe3-400c-9fe4-69bb7892602d", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create UCOREW64.SYS binPath=C:\\windows\\temp\\UCOREW64.SYS type=kernel && sc.exe start UCOREW64.SYS", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "UCOREW64.SYS", + "MD5": "a17c58c0582ee560c72f60764ed63224", + "SHA1": "bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825", + "SHA256": "a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200", + 
"Signature": [ + "American Megatrends, Inc.", + "VeriSign Class 3 Code Signing 2004 CA", + "VeriSign Class 3 Public Primary CA" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "6957cb828dd243621e2e67c948171264", + "SHA1": "c55173b926235b8678bddb9b49a1a8b9a92a1ada", + "SHA256": "f9c290ffc007e94fb61aecff42d267c1e626ec7939025b1a7d7285441d1c490d" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmGetPhysicalAddress", + "MmIsAddressValid", + "MmAllocateContiguousMemory", + "DbgPrint", + "MmUnmapLockedPages", + "MmMapIoSpace", + "MmUnmapIoSpace", + "IoFreeMdl", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "RtlInitUnicodeString", + "ZwUnmapViewOfSection", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "ZwClose", + "MmFreeContiguousMemory", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Georgia, L=Norcross, O=American Megatrends, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Headquarters, CN=American Megatrends, Inc.", + "ValidFrom": "2006-09-30 00:00:00", + "ValidTo": "2009-11-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "08dfd80b2826716554b1fb8cfa5043d7", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + } + ], + "Tags": [ + "UCOREW64.SYS" + ], + "yara": false + }, + { + "Id": "f28231db-a876-422e-aa6a-70ee852a9555", + "Author": "Michael Haag", + "Created": "2023-01-09", + 
"MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create rtkiow8x64.sys binPath=C:\\windows\\temp\\rtkiow8x64.sys type=kernel && sc.exe start rtkiow8x64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "rtkiow8x64.sys", + "MD5": "b8b6686324f7aa77f570bc019ec214e6", + "SHA1": "6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403", + "SHA256": "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d", + "Signature": [ + "Realtek Semiconductor Corp.", + "DigiCert EV Code Signing CA", + "DigiCert" + ], + "Date": "", + "Publisher": "", + "Company": "Realtek ", + "Description": "Realtek IO Driver", + "Product": "Realtek IO Driver ", + "ProductVersion": "1.008.0823.2017", + "FileVersion": "1.008.0823.2017", + "MachineType": "AMD64", + 
"OriginalFilename": "rtkiow8x64.sys ", + "Authentihash": { + "MD5": "d2914b13c253d24728fade34df3d91df", + "SHA1": "fa7fbb04748088557085ef3060b5fdb65a7b6b10", + "SHA256": "ed68f30f8246730c2b57495ed1db1480350d879b01d070999d35f38630865f5c" + }, + "InternalName": "rtkiow8x64.sys ", + "Copyright": "Copyright (C) 2017 Realtek Semiconductor Corporation. All Right Reserved. ", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KfRaiseIrql", + "MmMapIoSpace", + "MmUnmapIoSpace", + "RtlInitUnicodeString", + "MmGetSystemRoutineAddress", + "RtlCompareMemory", + "KeSetSystemAffinityThreadEx", + "KeQueryActiveProcessors", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExCreateCallback", + "ExRegisterCallback", + "ExUnregisterCallback", + "MmBuildMdlForNonPagedPool", + "MmMapLockedPagesSpecifyCache", + "KeLowerIrql", + "IoAllocateMdl", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeMdl", + "IoRegisterShutdownNotification", + "IoUnregisterShutdownNotification", + "IoWMIRegistrationControl", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenKey", + "ZwQueryValueKey", + "__C_specific_handler", + "MmUnmapLockedPages", + "_vsnprintf", + "KeStallExecutionProcessor" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "??=Private Organization, ??=TW, serialNumber=22671299, ??=No. 
2, Innovation Road II, Hsinchu Science Park, postalCode=300, C=TW, ST=Taiwan, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.", + "ValidFrom": "2016-06-13 00:00:00", + "ValidTo": "2019-01-24 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0320be3eb866526927f999b97b04346e", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + } + ], + "Tags": [ + "rtkiow8x64.sys" + ], + "yara": true + }, + { + "Id": "3bec7340-bd8b-43ae-8569-d81a66f01dda", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create ene.sys binPath=C:\\windows\\temp\\ene.sys type=kernel && sc.exe start ene.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": 
[], + "KnownVulnerableSamples": [ + { + "FileName": "ene.sys", + "MD5": "fd80c3d38669b302de4b4b736941c0d1", + "SHA1": "c47b890dda9882f9f37eccc27d58d6a774a2901f", + "SHA256": "16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354", + "Authentihash": { + "MD5": "f2d4af4dcb47113b44651d663ee322f8", + "SHA1": "097653d7068265aae9f00e37c904857d944a774c", + "SHA256": "995284d05f947e2db58ece30b6d61653a2b94b2c337e5c75ca8315793e0b3955" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "IoDeleteDevice", + "ZwUnmapViewOfSection", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", + "ObfDereferenceObject", + "IoCreateDevice", + "RtlAssert", + "ZwOpenSection", + "DbgPrint", + "KeBugCheckEx", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-09-06 21:30:32", + "ValidTo": "2019-09-06 21:30:32", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000253a2738690a3451c1000000000025", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft 
Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "ene.sys", + "MD5": "7e6e2ed880c7ab115fca68136051f9ce", + "SHA1": "3cd037fbba8aae82c1b111c9f8755349c98bcb3c", + "SHA256": "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347", + "Authentihash": { + "MD5": "6055cbe0b4c535baa8c15473fc97e61a", + "SHA1": "ce280412dd778cafbe6dbb05b8cab42e98d3ae56", + "SHA256": "795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "cng.sys", + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "BCryptCloseAlgorithmProvider", + "BCryptGetProperty", + "BCryptDecrypt", + "BCryptImportKey", + "BCryptDestroyKey", + "BCryptSetProperty", + "BCryptOpenAlgorithmProvider", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "wcsstr", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetCurrentProcessId", + "RtlTimeToSecondsSince1970", + "__C_specific_handler", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "RtlInitUnicodeString", + "KeBugCheckEx", + "ObReferenceObjectByHandle", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-03-11 17:31:14", + "ValidTo": "2021-03-05 17:31:14", + "Signature": 
"7dfc7c353c4c04d9d06066e1ca8584637192eb15d1d6e7c5521b0d819d615fb56524985d30535b0573fb8e0d13173d51b27bd23b9a2052738891d67ed360766452b62c4566eb20c90f018229a8e951bf58df5a7d731c1e51217f471d470979f04e900920bfc8715122b331d82f68f73ebf3de36e09d18fbfed2f3c29190a41baafbca0025bf4e36310a04cb8e61c32fda677820aa693a7f5e69d3c3abdb495b12bb8b6d10f65d44fae945d9b0fcf695d4711fc9e1c0ddb1f569c13093e16c389f748d8fe60e8685f02357464564761db4cece391baa742f3ad3bcfa26e01975966ca41939c832bf1147bec870162ce042fd0cf10d048181ec573d317f2c5de21512f13b24de9bac9bb83fc2ceb4f6f766536fe38c03ede1f8b0a3b8828e8d914d73d0a17699ab20264a27a36e0f77c5144cf470bf44d2296290e345bd25c0bc6a08dd963ec39ce0e500599751c652dc20e9906c1ce76c1d86c09058ae8defb3d7b93b68a34ca83a981a30c2403723f7e5c664b1e951050002ad32e976db221c2d8c660047dc6acfe0da16d44c6372a5cd04b016a35193f841b903ba87e2d6e416a2c59469af9f16e249bb891f21ec22f2db0a84a48d7a9e43d2f7e3bdd016d600f57daf21829885ec035287ab332c32738f5e26c6d2502b2f044afb1e048c85c7c9baf76747de14ecdeca3c7481796a741672a047f89dafe2c12c01982a026c4", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "330000003a6ae333708fda7a7b00000000003a", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "FileName": "ene.sys", + "MD5": "8942e9fa2459b1e179a6535ca16a2fb4", + "SHA1": "3a3342f4ca8cc45c6b86f64b1a7d7659020b429f", + "SHA256": "810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3", + "Authentihash": { + "MD5": "198111fd73515aa7fe4387612f027f0f", + "SHA1": "651b953cb03928e41424ad59f21d4978d6f4952e", + "SHA256": 
"ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "IoDeleteDevice", + "ZwUnmapViewOfSection", + "ZwClose", + "IofCompleteRequest", + "ObReferenceObjectByHandle", + "ZwMapViewOfSection", + "ObfDereferenceObject", + "IoCreateDevice", + "RtlAssert", + "ZwOpenSection", + "DbgPrint", + "KeBugCheckEx", + "IoCreateSymbolicLink", + "IoDeleteSymbolicLink", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": 
"362ba2f2e1331fe493f7f26985c6640ec99b632fe4703798fd94ec7bcff8a14246f9ed6a4e8d34693605557a1ebbad8c99429606e925a82684bec1bf16a97caa5b04b7fdd1c0f402be28edf577c79bfe3af6e8c17bd382abfa144ecf2bcfe5d5b54840b1a38f838bad2b2553aba634cef243f74f2ce9dd1e4e5ab6bae83b10992400bc50fd78f6e523a8899493f7b74130374a57b7e644d9c9df9905aa44fc74af8264cc07cb01b609c32ee3e832a7b49f4178c7a184365462f2ec150ac8ead084f8f1e06bf456125f95e0fcddb77693fe294a25e90400f1b4110ec9849edb177df51ea58e3629193a6d6c464bd7ab7024288d05a3d9d524f2f8a0d13c8239d4a8820e693a8109fc06f0c75933843693064191232c22a5a7012b50b428aedb46b0591b86b39b87e8494e390b6d14df4c03301e1f5f74aef55b590353ec9816e0d06235751b48b87d13e57a48b87752a40798253b069b7a4e6a6f44864f144f2779273d5073414c9c413edd290c73b1c7fb1f760c176504ebd25010924149ece4067d3615446f89bf697df94d40c13a98b6a07e31d2b5aecafb53d53f5086cd5e933b6d5d7c9a3f3ff7a9255884dd114900a2c7c89e37dd778e6d718be05b81345d54baccf59347886de7ef5be228e4801b40e40f2ad17f2315655aac9994433f465526d6c4fa8895e2919aa32d0b85deac8ce0f967709f71790231f761a229c4", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2000-05-30 10:48:38", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "64bf83f15f9a85d0cdb8a129570de85af7d1e93ef276046ef15270bb1e3cff4d0d746acc818225d3c3a02a5d4cf5ba8ba16dc4540975c7e3270e5d847937401377f5b4ac1cd03bab1712d6ef34187e2be979d3ab57450caf28fad0dbe5509588bbdf8557697d92d852ca7381bf1cf3e6b86e661105b31e942d7f91959259f14ccea391714c7c470c3b0b19f6a1b16c863e5caac42e82cbf90796ba484d90f294c8a973a2eb067b239ddea2f34d559f7a6145981868c75e406b23f5797aef8cb56b8bb76f46f47bf13d4b04d89380595ae041241db28f15605847dbef6e46fd15f5d95f9ab3dbd8b8e440b3cd9739ae85bb1d8ebcdc879bd1a6eff13b6f10386f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=TW, postalCode=11071, ST=Taiwan, L=Taipei, ??=12F., No.1,8, Sec. 5, Zhongxiao E. 
Rd., Xinyi Dist., Taipei City 11071, Taiwan (R.O.C.), O=Ptolemy Tech Co., Ltd, CN=Ptolemy Tech Co., Ltd", + "ValidFrom": "2018-02-21 00:00:00", + "ValidTo": "2019-02-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA", + "ValidFrom": "2013-05-09 00:00:00", + "ValidTo": "2028-05-08 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + "Signer": [ + { + "SerialNumber": "00e7640d3b521f8b0b6fd8ce64c827613b", + "Issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA" + } + ] + } + ] + }, + { + "FileName": "ene.sys", + "MD5": "1f3522c5db7b9dcdd7729148f105018e", + "SHA1": "17b3163aecd1f512f1603548ef6eb4947fbec95e", + "SHA256": "910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c", + "Authentihash": { + "MD5": "1da05109a3734c583233491ec8242e11", + "SHA1": "b93b24e5edb56cf7872d73a0a081ae1127ae43d2", + "SHA256": "91b0fdd5bfc596b2f7c9db33e822d24f378c706daf6f92682c5fe1043e547f8d" + }, + "Description": "", + "Company": "", + "InternalName": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "", + "ProductVersion": "", + "Copyright": "", + "MachineType": "AMD64", + "Imports": [ + "cng.sys", + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "BCryptCloseAlgorithmProvider", + "BCryptGetProperty", + "BCryptDecrypt", + "BCryptImportKey", + "BCryptDestroyKey", + "BCryptSetProperty", + "BCryptOpenAlgorithmProvider", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "ZwClose", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "PsSetLoadImageNotifyRoutine", + 
"PsRemoveLoadImageNotifyRoutine", + "PsGetCurrentProcessId", + "RtlTimeToSecondsSince1970", + "__C_specific_handler", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetSystemRoutineAddress", + "wcsstr", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "ObOpenObjectByPointer", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeExports", + "RtlCreateSecurityDescriptor", + "_wcsnicmp", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "IoIsWdmVersionAvailable", + "RtlSetDaclSecurityDescriptor", + "ZwOpenKey", + "ZwSetValueKey", + "ZwQueryValueKey", + "ZwCreateKey", + "RtlFreeUnicodeString", + "KeBugCheckEx", + "RtlInitUnicodeString", + "HalTranslateBusAddress" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2019-06-05 18:34:00", + "ValidTo": "2020-06-03 18:34:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "33000000319479a318f5522d06000000000031", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + } + ], + "Tags": [ + "ene.sys" + ], + "yara": false + }, + { + "Id": "5969b6dc-b136-480e-a527-3cb2ea2f0da9", 
+ "Author": "Guus Verbeek", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create hw_sys binPath=C:\\windows\\temp\\hw.sys type=kernel && sc.exe start hw.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/detection" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "hw.sys", + "MD5": "3247014ba35d406475311a2eab0c4657", + "SHA1": "74e4e3006b644392f5fcea4a9bae1d9d84714b57", + "SHA256": "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8", + "Signature": [ + "Marvin Test Solutions, Inc.", + "GlobalSign Extended Validation CodeSigning CA - SHA256 - G3", + "GlobalSign", + "GlobalSign Root CA - R1" + ], + "Date": "", + "Publisher": "", + "Company": "Marvin Test Solutions, Inc.", + "Description": "HW - Windows NT-10 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", + "Product": "HW", + "ProductVersion": "4.9.8.0", + "FileVersion": "4.9.8.0", + "MachineType": "I386", + "OriginalFilename": "HW.sys", + "Authentihash": { + "MD5": "6eafc9b68f2047adf6879e955d3b69e8", + "SHA1": "8a6d85617bc601b818ddf1b8e8d5db6cf7ae31c1", + "SHA256": "615a7c647eba3f2dcea463d5705d5d59ca70b4250f895ad20ce6876076a8fa28" + }, + "InternalName": "Hw.sys", + "Copyright": "Copyright © 1996-2021 Marvin Test Solutions, Inc. 
All Rights Reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeReleaseMutex", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "KeInitializeDpc", + "MmGetSystemRoutineAddress", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "memcpy", + "PsGetVersion", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "IoGetDmaAdapter", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "ZwOpenProcess", + "KeInitializeEvent", + "ObfDereferenceObject", + "ExAllocatePoolWithTag", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IofCompleteRequest", + "WRITE_REGISTER_BUFFER_ULONG", + "WRITE_REGISTER_BUFFER_USHORT", + "WRITE_REGISTER_BUFFER_UCHAR", + "WRITE_REGISTER_ULONG", + "WRITE_REGISTER_USHORT", + "WRITE_REGISTER_UCHAR", + "READ_REGISTER_BUFFER_ULONG", + "READ_REGISTER_BUFFER_USHORT", + "READ_REGISTER_BUFFER_UCHAR", + "READ_REGISTER_ULONG", + "READ_REGISTER_USHORT", + "READ_REGISTER_UCHAR", + "IoConnectInterrupt", + "IoDisconnectInterrupt", + "KeReleaseInterruptSpinLock", + "KeAcquireInterruptSpinLock", + "ExEventObjectType", + "KeDelayExecutionThread", + "KeInsertQueueDpc", + "ZwClose", + "KeSetEvent", + "IoCreateNotificationEvent", + "KeClearEvent", + "RtlQueryRegistryValues", + "RtlAppendUnicodeStringToString", + "RtlInitUnicodeString", + "memset", + "ExFreePoolWithTag", + "IoGetDeviceProperty", + "ExAllocatePool", + "READ_PORT_UCHAR", + "READ_PORT_USHORT", + "READ_PORT_ULONG", + "READ_PORT_BUFFER_UCHAR", + "READ_PORT_BUFFER_USHORT", + "READ_PORT_BUFFER_ULONG", + "WRITE_PORT_UCHAR", + "WRITE_PORT_USHORT", + "WRITE_PORT_ULONG", + "WRITE_PORT_BUFFER_UCHAR", + "WRITE_PORT_BUFFER_USHORT", + "WRITE_PORT_BUFFER_ULONG", + 
"HalAssignSlotResources", + "HalTranslateBusAddress", + "HalGetBusDataByOffset", + "HalGetInterruptVector" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2018-09-19 00:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=Private Organization, serialNumber=2147696, ??=US, ??=DELAWARE, C=US, ST=CA, L=Irvine, ??=1770 Kettering, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc.", + "ValidFrom": "2019-07-29 13:20:49", + "ValidTo": "2022-07-29 13:20:49", + "Signature": "278a08ea60d9c1c18b2b6f4f1913860edab3f46bc0945c57e099d37309bab4bbf99feec663d1dc2ef68152baa6e95b0da0e4fdb7793c2c7e779dd7206ad76432f28af41448200c079a9ffe26c8355134d71fb598f08e3864416a1925d5253f2344208a90d8b42790191581c112c3145e23fa979ec06f41cb559ad4e4d60cf549598f3746673c745a3a82e2525c9704adaa59d987ddf6a89641378a558686ca78f920cf1c975508f3943ff6df3aae70f9c5fb1db61134ad5b8d0f455e8483ad250403160b984a4fef6b0baed3cb129c953451c23a4bb9a37c762f286e8bb57049c50c4e06fb17e3fc2e6fcd4dffde6e3ee0ad173b19a9862bae7c921c8976344b", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "716ef836a8ceb23aeaf9174e", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" + } + ] + } + ] + }, + { + "Filename": "HW.sys", + "MD5": "45c2d133d41d2732f3653ed615a745c8", + "SHA1": "4e56e0b1d12664c05615c69697a2f5c5d893058a", + "SHA256": 
"6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Marvin Test Solutions, Inc.", + "Description": "HW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", + "Product": "HW", + "ProductVersion": "4.8.2.0", + "FileVersion": "4.8.2.0", + "MachineType": "AMD64", + "OriginalFilename": "HW.sys", + "Authentihash": { + "MD5": "22db74f3f2e50ccdeb471c81e3a62532", + "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", + "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" + }, + "InternalName": "Hw.sys", + "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. All Rights Reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "RtlAppendUnicodeStringToString", + "ZwClose", + "ZwOpenProcess", + "KeReleaseMutex", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "KeInitializeDpc", + "MmGetSystemRoutineAddress", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "PsGetVersion", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ExFreePoolWithTag", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "IoGetDeviceProperty", + "KeInitializeEvent", + "ObfDereferenceObject", + "ExAllocatePoolWithTag", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IofCompleteRequest", + "IoDisconnectInterrupt", + "KeReleaseInterruptSpinLock", + "KeAcquireInterruptSpinLock", + "ExEventObjectType", + "KeFlushQueuedDpcs", + "KeInsertQueueDpc", + "KeSetEvent", + "IoFreeMdl", + "ExAllocatePool", + "HalGetBusDataByOffset" + ], + 
"Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "4e5e56901e46b4d94931f3bb1739281bc216ddfd41dc0905049b6fb2a29ad6992e40990055b5ea3fa52076d38634d417cc553ac782eeefa8babcd8069f1550dfcd167b523a02d7191afdaff0785ce04bc518df3a241edaacb8a95804020730dbb0125efe31bef00448f4f070f83a5e5683cf3dfb0dbcf4c5ed979db9d4dba52784e3389b8ba735864420a43b6da46a0ba183fd28ebdaef28f6cc885dfb0a3b00abe021ebe22f356c0f8e344597eba2f79933357ecb9a8abb454de73f9fc2d98afa65b26ec77e65ffe892e12c31a2f7b02736488f266f3bee4d761f79c3e57f9635bc2d0ecc01b08e7fff518080a792d4b34446648c874f166307314b63b0dff3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com", 
+ "ValidFrom": "2015-06-17 17:46:36", + "ValidTo": "2018-05-04 18:44:13", + "Signature": "ab38f2c50cf023223b1fd78c4204cff8fbe1c71ca14bd3dc5d1f7833604526265abcc71a97faae04edf79563c97a75f4587852b1c8cb972771427710112f8fab1c1a01ca13d04301d551ff4c1728798bd5d8e9038ca079a7c1e5fe268f2c87b397bf2038bbee8dabb80be0f2158a468feca435ff9ed8611cf1a7cf0a6756d2defda9934a4c8a6f6dd1577070ca3e6d2ea155f01bae4e0cf05596226810c52e256bf6f7d0632a34bbe3926e083f5eb95bfa614ac331bee378d5a158222731b1edbf1bb3db3915376764e10cffca289cf0478bf9a8e0cf74a85a2a0147aa3ab1b6fb88b69de8c706dc91155126d3b7aaa0fd98b62357a7e30e7c34ef4809009f5d", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + }, + { + "Filename": "hw.sys", + "MD5": "3cf7a55ec897cc938aebb8161cb8e74f", + "SHA1": "22fc833e07dd163315095d32ebcd3b3e377c33a4", + "SHA256": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Marvin Test Solutions, Inc.", + "Description": "HW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", + "Product": "HW", + "ProductVersion": "4.8.2.0", + "FileVersion": "4.8.2.0", + "MachineType": "AMD64", + "OriginalFilename": "HW.sys", + "Authentihash": { + "MD5": "22db74f3f2e50ccdeb471c81e3a62532", + "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", + "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" + }, + "InternalName": "Hw.sys", + "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. 
All Rights Reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "RtlAppendUnicodeStringToString", + "ZwClose", + "ZwOpenProcess", + "KeReleaseMutex", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "KeInitializeDpc", + "MmGetSystemRoutineAddress", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "PsGetVersion", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ObReferenceObjectByHandle", + "ZwOpenSection", + "ExFreePoolWithTag", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "IoGetDeviceProperty", + "KeInitializeEvent", + "ObfDereferenceObject", + "ExAllocatePoolWithTag", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IofCompleteRequest", + "IoDisconnectInterrupt", + "KeReleaseInterruptSpinLock", + "KeAcquireInterruptSpinLock", + "ExEventObjectType", + "KeFlushQueuedDpcs", + "KeInsertQueueDpc", + "KeSetEvent", + "IoFreeMdl", + "ExAllocatePool", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2019-04-13 10:00:00", + "Signature": 
"225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc., emailAddress=it@marvintest.com", + "ValidFrom": "2015-06-17 17:46:36", + "ValidTo": "2018-05-04 18:44:13", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", + "ValidFrom": "2011-04-15 19:55:08", + "ValidTo": "2021-04-15 20:05:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" + } + ] + } + ] + }, + { + "Filename": "hw.sys", + "MD5": "376b1e8957227a3639ec1482900d9b97", + "SHA1": "18f34a0005e82a9a1556ba40b997b0eae554d5fd", + "SHA256": "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Marvin Test Solutions, Inc.", + "Description": "HW - Windows 
NT-10 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", + "Product": "HW", + "ProductVersion": "4.9.8.0", + "FileVersion": "4.9.8.0", + "MachineType": "AMD64", + "OriginalFilename": "HW.sys", + "Authentihash": { + "MD5": "0e03e32b8b0f3a1abb52581c1b5698f6", + "SHA1": "4614a646d19fb297aa878ba5e70dc9a6a1c5dd8a", + "SHA256": "25bc1b72ba6092674ec561d7de8f5e4a7adb23c29fa68de5b29a30a671257dac" + }, + "InternalName": "Hw.sys", + "Copyright": "Copyright © 1996-2021 Marvin Test Solutions, Inc. All Rights Reserved.", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "RtlInitUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlQueryRegistryValues", + "KeClearEvent", + "IoCreateNotificationEvent", + "KeSetEvent", + "ZwClose", + "ZwOpenProcess", + "KeReleaseMutex", + "KeWaitForSingleObject", + "PsGetCurrentProcessId", + "KeInitializeDpc", + "MmGetSystemRoutineAddress", + "IoDeleteDevice", + "IoCreateSymbolicLink", + "KeInitializeMutex", + "IoCreateDevice", + "IoDeleteSymbolicLink", + "PsGetVersion", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ExFreePoolWithTag", + "ZwOpenSection", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmMapIoSpace", + "MmUnmapLockedPages", + "MmUnmapIoSpace", + "MmFreeContiguousMemory", + "MmGetPhysicalAddress", + "MmAllocateContiguousMemory", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "IoGetDeviceProperty", + "KeInitializeEvent", + "ObfDereferenceObject", + "ExAllocatePoolWithTag", + "ObReferenceObjectByName", + "IoDriverObjectType", + "IofCompleteRequest", + "IoDisconnectInterrupt", + "KeReleaseInterruptSpinLock", + "KeAcquireInterruptSpinLock", + "ExEventObjectType", + "KeFlushQueuedDpcs", + "KeInsertQueueDpc", + "ObReferenceObjectByHandle", + "ExAllocatePool", + "HalGetBusDataByOffset" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "OU=GlobalSign Root 
CA , R3, O=GlobalSign, CN=GlobalSign", + "ValidFrom": "2018-09-19 00:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "2370e9cfe2bef559ae94426fc44333aacd3f3ab96417f262064b48f140880617a1feabd15f3cc633f2f38edd1f1d3ecc1a6099820bacc7fc7e9a872aa57d0fa657eeac3b6a85d6debd4063f8ada6c888b012fcf641df0f09971e38ea539fbe05f43eead39f501276be098bc20b487d1e2e51f68d53d3ab1f401b8a8eed7dfb4f7956705f0cd38e1bb3a7700d372b9795abdae0126b1c40cec5c77eedc26258ec77ed7322c28af5864388adea136efdd8fe422fb97d5ead18ef9490ca3d27ab26949975c7cbd37bf7ca4cd3af5121925b847d2b9f153f74cb51e89e830e166f1be746ce23bdf9e4a28bd2396baa791c912ce261242d8e2a487090c41ec5e8e070", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", + "ValidFrom": "2016-06-15 00:00:00", + "ValidTo": "2024-06-15 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "??=Private Organization, serialNumber=2147696, ??=US, ??=DELAWARE, C=US, ST=CA, L=Irvine, ??=1770 Kettering, O=Marvin Test Solutions, Inc., CN=Marvin Test Solutions, Inc.", + "ValidFrom": "2019-07-29 13:20:49", + "ValidTo": "2022-07-29 13:20:49", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "716ef836a8ceb23aeaf9174e", + "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" + } + ] + } + ] + } + ], + "Tags": [ + "hw.sys" + ], + "yara": true + }, + { + "Id": "70acea34-7ed2-42d5-885c-eca3c2de640c", + "Author": "Michael Haag, Guus Verbeek", + "Created": "2023-03-04", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create Sense5Ext.sys binPath=C:\\windows\\temp\\Sense5Ext.sys type=kernel && sc.exe start Sense5Ext.sys", + "Description": 
"Driver categorized as POORTRY by Mandiant.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "Sense5Ext.sys", + "MD5": "f9844524fb0009e5b784c21c7bad4220", + "SHA1": "e6765d8866cad6193df1507c18f31fa7f723ca3e", + "SHA256": "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party Component CA 2014", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "Sense5 CORP", + "Description": "Sense5 Driver", + "Product": "", + "ProductVersion": "2.6.0.0", + "FileVersion": "2.6.0.0", + "MachineType": "AMD64", + "OriginalFilename": "", + 
"Authentihash": { + "MD5": "0b2ce413f69677a0bf78a40ed0d081a7", + "SHA1": "af83d2f800c68099976dcf75ee31681708d32ed9", + "SHA256": "13cd99ff2120d9fd651814d826b6c8481d549f684a8fbfb2d8775c9faa1c27f5" + }, + "InternalName": "", + "Copyright": "Copyright (C) 2022", + "Imports": [ + "ntoskrnl.exe", + "ntoskrnl.exe", + "HAL.dll", + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "wcsncpy", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "wcsrchr", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "_purecall", - "ZwOpenEvent", - "ZwConnectPort", - "KeClearEvent", - "PsProcessType", + "IoGetCurrentProcess", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "PsGetCurrentProcessId", + "NtBuildNumber", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "_snprintf", + "_vsnprintf", + "ZwQueryInformationFile", + "ZwReadFile", + "strcmp", + "strncmp", + "RtlCompareMemory", + "RtlImageNtHeader", + "RtlCompareUnicodeString", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "isupper", + "isdigit", + "tolower", + "strlen", + "_stricmp", + "strstr", + "wcscat", + "wcslen", + "RtlInitAnsiString", + "RtlQueryRegistryValues", + "RtlAnsiStringToUnicodeString", + "RtlCompareUnicodeStrings", + "ExAllocatePool", + "MmGetSystemRoutineAddress", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ZwOpenProcess", + "PsGetProcessPeb", + "PsGetProcessSessionId", + "RtlRandomEx", + "KeBugCheckEx", + "RtlInitUnicodeString", + "_stricmp", + "NtQuerySystemInformation", + "ZwClose", + "ZwQueryValueKey", + "ZwOpenKey", + "RtlInitUnicodeString", + "ZwWaitForSingleObject", + "ZwDeviceIoControlFile", + "ZwOpenFile", + "_wcsnicmp", + "ZwEnumerateKey", + "ZwCreateEvent", + "MmGetSystemRoutineAddress", + "ZwCreateFile", + "__C_specific_handler", + 
"KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "KeQueryTimeIncrement", + "DbgBreakPointWithStatus", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "IoAllocateMdl", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "MmProbeAndLockPages", + "KeWaitForSingleObject", + "KeReleaseMutex", + "KeInitializeMutex", + "ExFreePoolWithTag", + "ExAllocatePool", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": 
"0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + }, + { + "Filename": "Sense5Ext.sys", + "MD5": "4e1f656001af3677856f664e96282a6f", + "SHA1": "bc62fe2b38008f154fc9ea65d851947581b52f49", + "SHA256": "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "Sense5 CORP", + "Description": "Sense5 Driver", + "Product": "", + 
"ProductVersion": "2.5.0.0", + "FileVersion": "2.5.0.0", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "2855f88dffa0bb68f988d5c116b336fb", + "SHA1": "169b81ce8a74d3a404384ad3e90ac3b053323d50", + "SHA256": "dcfab3c5f99c15cbb7df17c59914af551b90e0ed3c1dc040bad9927b12b67125" + }, + "InternalName": "", + "Copyright": "Copyright (C) 2022", + "Imports": [ + "ntoskrnl.exe", + "ntoskrnl.exe", + "HAL.dll", + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoGetCurrentProcess", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", + "PsGetCurrentProcessId", + "NtBuildNumber", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "ZwCreateFile", + "ZwWriteFile", + "ZwClose", + "_snprintf", + "_vsnprintf", + "ZwQueryInformationFile", + "ZwReadFile", + "strcmp", + "strncmp", + "RtlCompareMemory", + "RtlImageNtHeader", + "RtlCompareUnicodeString", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "isupper", + "isdigit", + "tolower", + "strlen", + "_stricmp", + "strstr", + "wcscat", + "wcslen", + "RtlInitAnsiString", + "RtlQueryRegistryValues", + "RtlAnsiStringToUnicodeString", + "RtlCompareUnicodeStrings", + "ExAllocatePool", + "MmGetSystemRoutineAddress", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "PsSetCreateProcessNotifyRoutineEx", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "ZwOpenProcess", + "PsGetProcessPeb", + "PsGetProcessSessionId", + "RtlRandomEx", + "KeBugCheckEx", + "RtlInitUnicodeString", + "_stricmp", + "NtQuerySystemInformation", + "ZwClose", + "ZwQueryValueKey", + "ZwOpenKey", + "RtlInitUnicodeString", + "ZwWaitForSingleObject", + "ZwDeviceIoControlFile", + "ZwOpenFile", + "_wcsnicmp", + "ZwEnumerateKey", + "ZwCreateEvent", + "MmGetSystemRoutineAddress", + "ZwCreateFile", + "__C_specific_handler", + "KeSetSystemAffinityThread", + "KeQueryActiveProcessors", + "KeQueryTimeIncrement", + "DbgBreakPointWithStatus", + "RtlTimeToTimeFields", + 
"ExSystemTimeToLocalTime", + "IoAllocateMdl", + "IoFreeMdl", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "MmProbeAndLockPages", + "KeWaitForSingleObject", + "KeReleaseMutex", + "KeInitializeMutex", + "ExFreePoolWithTag", + "ExAllocatePool", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", + "MmUnlockPages", + "IoFreeMdl", + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + "KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + } + ] + } + ] + } + ], + "Tags": [ + "Sense5Ext.sys" + ], + "yara": true + }, + { + "Id": "6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create kbdcap64.sys binPath=C:\\windows\\temp\\kbdcap64.sys type=kernel && sc.exe 
start kbdcap64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "kbdcap64.sys", + "SHA256": "72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "kbdcap64.sys" + ], + "yara": false + }, + { + "Id": "aaa92ef1-5728-4e15-9fca-b054b02f0fb0", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create piddrv64.sys binPath=C:\\windows\\temp\\piddrv64.sys type=kernel && sc.exe start piddrv64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "piddrv64.sys", + "MD5": "fd7de498a72b2daf89f321d23948c3c4", + "SHA1": "c4ed28fdfba7b8a8dfe39e591006f25d39990f07", + "SHA256": "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29", + "Signature": [ + "Microsoft Windows Hardware Compatibility Publisher", + "Microsoft Windows Third Party 
Component CA 2012", + "Microsoft Root Certificate Authority 2010" + ], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "a6200c0995103391120e3561971560a6", + "SHA1": "0c2599d738d01a82ec91725f499acebbcfb47cc9", + "SHA256": "b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "WDFLDR.SYS" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "MmGetSystemRoutineAddress", + "IoBuildSynchronousFsdRequest", + "IofCallDriver", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoFreeIrp", + "IoGetDeviceProperty", "ExFreePoolWithTag", - "RtlInitUnicodeString", - "KeSetEvent", - "ProbeForWrite", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "ZwWaitForSingleObject", - "DbgBreakPoint", - "ZwSetEvent", - "IoGetCurrentProcess", - "ZwFreeVirtualMemory", - "ZwClose", - "ObfReferenceObject", "ObfDereferenceObject", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "KePulseEvent", - "ZwAllocateVirtualMemory", - "ObGetObjectSecurity", - "SeAccessCheck", - "SeReleaseSubjectContext", - "SeCaptureSubjectContext", - "PsThreadType", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "MmSectionObjectType", - "DbgPrint", - "ExDeleteResourceLite", - "ExInitializeResourceLite", - "ZwReadFile", - "swprintf", - "ZwSetInformationFile", - "ZwCreateFile", - "ZwQueryInformationFile", - "ZwWriteFile", - "_wcsnicmp", - "towupper", + "ObReferenceObjectByName", + "IoEnumerateDeviceObjectList", + "IoGetDeviceAttachmentBaseRef", + "IoDriverObjectType", + "KeBugCheckEx", + "__C_specific_handler", "ExAllocatePoolWithTag", + "KeWaitForSingleObject", "KeInitializeEvent", - "ZwCreateEvent", - 
"ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwNotifyChangeKey", - "RtlInitAnsiString", - "_snprintf", - "RtlFreeUnicodeString", - "ExSystemTimeToLocalTime", - "_vsnprintf", - "ObReferenceObjectByHandle", - "RtlTimeToTimeFields", - "ZwDeviceIoControlFile", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeWaitForMultipleObjects", - "ExGetPreviousMode", - "RtlEqualUnicodeString", - "RtlPrefixUnicodeString", - "RtlAppendUnicodeStringToString", "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", + "DbgPrint", + "RtlCompareUnicodeString", + "RtlInitUnicodeString", + "ObfReferenceObject", + "memcpy_s", + "HalGetBusData", + "HalGetBusDataByOffset", + "WdfVersionUnbind", + "WdfVersionBind", + "WdfVersionBindClass", + "WdfVersionUnbindClass" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2018-09-20 19:45:06", + "ValidTo": "2019-09-20 19:45:06", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": 
"5a8a67daccd5fd0d264177bf0a4678b4b3de12692b7723c2652f015fd203f461ba509d2e8c3972f36c3e6ab11e766decb7f382dcccbbc56970287366173f54ebee011648c446d91b80ae813a8d0f796d68b09eea2d3f39d3ca387ebd5e7c086e19dcc6c2f438336861e2524783e1000156d2bacb878205310a418b4ee77f5f5fed5fd3392d45eba213bffd1ec298417161165fc80a70257c59693124e471e70abb0417f79f721ec9d2bb1abe3d02fe090cb243b4591a99539396215fe0d6b72601429536ac27fdbef48577683d18bdf4be98882211865216f345ec0397107087a37043713cdbc98603170cf5735bc67de15c64edd7c548d7ed32e2d1aad3cfa7f6574e61f977eb67f288b3de00da038fd08a34373e1dd862b8d2b1f3e12f8b723b81967c6ffcec667672601b24f2a0896d5b6d002eef28dd868705c2b4b9e5be64c22af24a155c98e2c42785ff52e3627e0fb2020bd766c70ab2d33d200414503259830a7d9bed5a38120152ba2f5e20728e4af1fde771028c3be107bec973f4dd47d8b4efb4a4b330b9893e76cab90098567eabea8ab8a5d038ab6977130b142fe9aa411ff7babd3a2b348aee0aab63e663f788248e200d2b3b9de3c24952ac9f1f0e393b5dd46e506ae67d523aaa7c3315290d265e0158a74ea93d7a846f743f609fe4324f3600af6d71d33ea646655f8174f1fec171da4ca0415a82ddf11f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + } + ], + "Signer": [ + { + "SerialNumber": "330000006d9da53e87009d334900000000006d", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + } + ] + } + ] + } + ], + "Tags": [ + "piddrv64.sys" + ], + "yara": false + }, + { + "Id": "4dd3289c-522c-4fce-b48e-5370efc90fa1", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": "sc.exe create iQVW64.sys binPath=C:\\windows\\temp\\iQVW64.SYS type=kernel && sc.exe start iQVW64.SYS", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": 
"sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "iQVW64.SYS", + "MD5": "c796a92a66ec725b7b7febbdc13dc69b", + "SHA1": "0ed0c4d6c3b6b478cbfd7fb0bd1e1b5457a757cc", + "SHA256": "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775", + "Authentihash": { + "MD5": "9628077052773b85d492e06322fa4366", + "SHA1": "013c02f8fb3b1eb638a8ccdd9da5277749d1060b", + "SHA256": "46ec6310c5ea5e289299d40f5ecca82b9c722ffc766dfd08f36dc88835e63567" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2011 Intel Corporation All Rights Reserved.", + "MachineType": "IA64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeGetCurrentIrql", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "ObfDereferenceObject", "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "MmIsAddressValid", - "KeDelayExecutionThread", - "KeNumberProcessors", - "PsLookupProcessByProcessId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenDirectoryObject", - "ZwQueryInformationProcess", - "ZwQuerySecurityObject", - "NtSetInformationFile", - "ZwDeleteValueKey", - "ZwSetValueKey", - "ZwQuerySystemInformation", - 
"NtQueryInformationFile", - "IoFileObjectType", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "NtCreateFile", + "MmGetPhysicalAddress", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", "ZwEnumerateValueKey", - "RtlLengthSecurityDescriptor", - "ZwQueryDirectoryObject", - "ZwSetSecurityObject", - "ZwDuplicateObject", - "ZwOpenProcess", - "ExReleaseFastMutexUnsafe", - "ZwDeleteKey", - "ZwEnumerateKey", - "ZwQueryKey", "ZwOpenKey", - "MmSystemRangeStart", - "_stricmp", - "_strnicmp", - "mbstowcs", - "ProbeForRead", - "RtlUpcaseUnicodeString", - "_snwprintf", - "ZwQuerySymbolicLinkObject", - "ZwMapViewOfSection", - "MmGetSystemRoutineAddress", - "RtlAppendUnicodeToString", - "IoCreateFile", - "RtlQueryRegistryValues", - "MmBuildMdlForNonPagedPool", - "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "ObQueryNameString", - "ZwUnmapViewOfSection", - "NtClose", - "IoFreeIrp", - "PsGetVersion", - "IoAllocateIrp", - "RtlCompareMemory", - "MmUnlockPages", - "ZwSetInformationObject", - "ZwOpenFile", - "wcsncmp", - "RtlImageNtHeader", - "IoAllocateMdl", - "IofCallDriver", - "ZwQueryVolumeInformationFile", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlInitializeSid", - "RtlCreateSecurityDescriptor", + "KeTickCount", + "KeBugCheckEx", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", + "IofCallDriver", "IoDeleteDevice", - "IoGetDeviceObjectPointer", - "ExEventObjectType", - "IofCompleteRequest", + "KeStallExecutionProcessor", + 
"WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , 
Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2009-05-26 00:00:00", + "ValidTo": "2012-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "058258571670ab2b1bac50679cec49a1", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "f7d963c14a691a022301afa31de9ecef", + "SHA1": "2e546d86d3b1e4eaa92b6ec4768de79f70eb922f", + "SHA256": "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501", + "Authentihash": { + "MD5": "9e5958641168a690ab2b8003d3095a1f", + "SHA1": "b1ce8991df0af287d5fd6837306384bd4327ea1d", + "SHA256": "6f2cf1c9502c5c5054edb556827ba30ffc2e6689faf807db404672781b032eaf" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.3.2.16 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.3.2.16", + "Copyright": "Copyright (C) 2002-2018 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "IoCreateSymbolicLink", - "ObOpenObjectByName", - "NtQueryInformationProcess", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", "strncpy", - "NtOpenProcess", - "ObInsertObject", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", - "IoReleaseVpbSpinLock", - "wcschr", - "IoGetConfigurationInformation", - "IoRegisterPlugPlayNotification", - 
"IoGetStackLimits", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "IofCallDriver", "IoBuildSynchronousFsdRequest", - "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "FsRtlIsNameInExpression", - "wcsstr", - "ExAllocatePool", - "IoUnregisterPlugPlayNotification", - "MmProbeAndLockPages", - "RtlCompareUnicodeString", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", "IoGetDeviceInterfaces", - "KeAcquireSpinLockRaiseToDpc", + "ObReferenceObjectByPointer", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", "KeBugCheckEx", - "IoCreateDevice", + "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "ZwSetSecurityObject", + "ObOpenObjectByPointer", "IoDeviceObjectType", - "SeCaptureSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "RtlLengthSid", - "RtlGetSaclSecurityDescriptor", + "IoCreateDevice", "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "ZwTerminateProcess", - "ExAcquireResourceExclusiveLite", - "__C_specific_handler" + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -95735,710 +98406,249 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2020-12-15 22:15:33", - "ValidTo": "2021-12-02 22:15:33", - "Signature": "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", + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2000-05-30 10:48:38", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELND1617S2", + "ValidFrom": "2016-09-22 20:52:10", + "ValidTo": "2018-09-22 20:52:10", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", + "ValidFrom": "2015-10-28 00:00:00", + "ValidTo": "2021-06-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" } ], "Signer": [ { - "SerialNumber": "33000000b5213fca1e4aa03de40000000000b5", - "Issuer": "C=US, ST=Washington, L=Redmond, 
O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" + "SerialNumber": "560000013927007472d9b99b9b000000000139", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "8580165a2803591e007380db9097bbcc", - "SHA1": "5a55c227ca13e9373b87f1ef6534533c7ce1f4fb", - "SHA256": "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48", + "FileName": "iQVW64.SYS", + "MD5": "73a40e29f61e5d142c8f42b28a351190", + "SHA1": "bdfb25cc4ed569dc0d5849545eb4abe08539029f", + "SHA256": "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b", "Authentihash": { - "MD5": "01266e09667dd8822e9895786c7802b5", - "SHA1": "7e52c3e0861290dd0d7e8807a6f6cfd52b7ab5c2", - "SHA256": "5e71106ee81d050e30afd84cade4ef4a581d70130477aa1e34549e6de50cde87" + "MD5": "de5dc7fda88792287ab03e73cece0ba8", + "SHA1": "99adef60a03c2ba9aa008adcd151686175ede2db", + "SHA256": "0ae3c446e5f075e8fc3db31eabd744a65b2c50a9b4a52877873547951bc19bc9" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1047", - "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. 
All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - 
"??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - 
"??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDelayLoadThread@@6B@", - 
"??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - 
"?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - 
"?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - 
"?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - 
"?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - 
"?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_KmCallUm@8", - "_KmCallUmEx@12", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "__UtilDosPathNameToNtPathName@12" - ], - "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "RtlSubAuthoritySid", - "RtlInitializeSid", + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.6 built by: 
WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.6", + "Copyright": "Copyright (C) 2002-2012 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "ZwRequestWaitReplyPort", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "ZwConnectPort", - "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "DbgBreakPoint", - "PsGetProcessExitTime", - "MmSectionObjectType", + "MmGetPhysicalAddress", "DbgPrint", - "memset", - "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "KeDelayExecutionThread", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", - "ZwOpenKey", - "ZwEnumerateKey", - 
"ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "MmHighestUserAddress", - "IoFreeIrp", - "memcpy", - "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "_purecall", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "RtlEqualUnicodeString", - "IoFileObjectType", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "MmGetSystemRoutineAddress", - "RtlCopyUnicodeString", - "RtlCompareMemory", - "_snwprintf", - "RtlImageNtHeader", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", - "ZwQueryVolumeInformationFile", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", "ObReferenceObjectByPointer", - "ObQueryNameString", - "IoBuildDeviceIoControlRequest", - "IofCompleteRequest", - "ExEventObjectType", - "_allmul", - "IoDeleteDevice", + "KeBugCheckEx", "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , 
G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2012-05-17 00:00:00", + "ValidTo": "2015-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "69ba501a268f09f694ff0e8e208aa20e", + "SHA1": 
"3d6d53b0f1cc908b898610227b9f1b9352137aba", + "SHA256": "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9", + "Authentihash": { + "MD5": "61c9bc2fd776b341f21b71fb1891eb5a", + "SHA1": "9af173db51828d2a3c64d34e9120f1fd129a2359", + "SHA256": "ecd6e879e5521ca4053a59ef6682a95d97f6d9ba75f313b87bd133afe5267852" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.3.2.17 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.3.2.17", + "Copyright": "Copyright (C) 2002-2018 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "RtlCompareUnicodeString", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "IoDriverObjectType", - "RtlAppendUnicodeStringToString", - "strncmp", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "PsThreadType", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "RtlUpcaseUnicodeString", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "IofCallDriver", "IoBuildSynchronousFsdRequest", - "MmSystemRangeStart", - 
"IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "wcsstr", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", + "KeInitializeEvent", + "ZwClose", "RtlFreeAnsiString", + "strstr", "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", + "ZwEnumerateValueKey", + "ZwOpenKey", "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "IoFreeMdl", - "ExAcquireFastMutexUnsafe", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", "ZwSetSecurityObject", + "ObOpenObjectByPointer", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", + "_snwprintf", "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", "RtlLengthSid", + "wcschr", "RtlAbsoluteToSelfRelativeSD", - "ZwQuerySymbolicLinkObject", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "KeGetCurrentIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KfRaiseIrql", - "ClassInitialize" + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -96446,12 +98656,121 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2000-05-30 10:48:38", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=ND, CN=Intel(R) INTELND1820", + "ValidFrom": "2018-08-09 21:34:08", + "ValidTo": "2020-08-08 21:34:08", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", + "ValidFrom": "2015-10-28 00:00:00", + "ValidTo": "2021-06-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + 
"Signer": [ + { + "SerialNumber": "560000077b478c76c9afcafcaf00000000077b", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "de4001f89ed139d1ed6ae5586d48997a", + "SHA1": "cb212a826324909fdedd2b572a59a5be877f1d7d", + "SHA256": "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee", + "Authentihash": { + "MD5": "b962ae9f688f5a0fc864e3b64a8fa443", + "SHA1": "f6e5a0c338354dfbd1a9170fb9bd71123db5ac3b", + "SHA256": "ee625d1910f91fc9e79237bd60b0ee5efb85c7f859922f30e4434db6cd50fa9b" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "IA64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeGetCurrentIrql", + "DbgPrint", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "MmGetPhysicalAddress", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeTickCount", + "KeBugCheckEx", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IofCallDriver", + "IoDeleteDevice", + 
"KeStallExecutionProcessor", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", @@ -96460,10 +98779,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
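Review bot: The new sample entry writes `"ExportedFunctions": ""` while `ImportedFunctions` on the very next line is an array, so one key carries two value types across the dataset; a reader that declares the field as a list (a Go `[]string` field under pkg/loldrivers, if that is how this file is consumed) will fail to decode the record, whereas `"ExportedFunctions": []` keeps the type stable. The same entry carries `"Company": "Intel Corporation "` with a trailing space, which defeats exact-match lookups on that field unless the loader trims it. Because this is vendored upstream data, the fix belongs in a normalization step when the file is loaded or in the upstream export; the iQVW64.SYS entries added in the hunks before and after this one show the same shape. It is also worth confirming that every sample object in the new file spells the `FileName` key identically, since a lookup keyed on one spelling silently skips entries written with another.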
@@ -96474,766 +98800,1464 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-12-27 00:00:00", - "ValidTo": "2013-02-15 23:59:59", - "Signature": "840ba0fc35187fe2edc7b17c101fd2bf035bbad8f3de048e250741e96a3f4ecee86f1f065ea76f2f8f430a13a75ff3eab29a8b11a13006d27bf3173fa49aabf9cef98fc4554f1732317c4b821c740eb58a91977d85e86574dd712718b15d24f7eb88b6d4520aef788478e1ef8cebd7fff06fadbc87ca6ca2b77da85be3c30b4d590bcb8945a0acfa013f89073933494d9c465c0036280a5af39f6802e60bd175a2603366dd935cb3458b1791411a06b6e5f38e3171de4238051c79b33117cb94674d0625c402bdfb0f99b80625dc0f827911c6c11263884a4e41d1abf60070ad46b7296e19e1cfcda7304a650d7a814319cc11e5a947e82b2d00a169e798b871", + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2006-04-17 00:00:00", + "ValidTo": "2009-05-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "65680c783b728ab2a1880df4232ded32", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "FileName": "TmComm.sys", - "MD5": "085d3423f3c12a17119920f1a293ab4d", - "SHA1": "d3daa971580b9f94002f7257de44fcef13bb1673", - "SHA256": "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b", + "FileName": "iQVW64.SYS", + "MD5": "5adebdb94abb4c76dad2b7ecb1384a9d", + "SHA1": "1e8bccbd74f194db6411011017716c8c6b730d03", + 
"SHA256": "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572", "Authentihash": { - "MD5": "037efb773500b55fa774ab62ef60838c", - "SHA1": "9b1bc87c26d4a75e929ba54b88d32909d3cc6e5a", - "SHA256": "2e37c0e580bf6f0514af985b1581fef3d66b845aeefa790c625964512a911659" + "MD5": "772d513b311dd6ff2ded105980a7f92a", + "SHA1": "5db96ed94e2e32cf82f38724f8715fd775e0ebff", + "SHA256": "94b42f99cb2ac4db601a3759afe374168bad1714bd48662d74fed69099517a65" }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1073", - "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "IA64", "Imports": [ "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "HAL.dll" ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - 
"??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - 
"??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - 
"??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - 
"??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - "??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - 
"?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - 
"?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - 
"?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - 
"?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - 
"?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - 
"_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeGetCurrentIrql", + "DbgPrint", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "MmGetPhysicalAddress", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeTickCount", + "KeBugCheckEx", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IofCallDriver", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + 
"READ_PORT_UCHAR", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 
Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2006-04-17 00:00:00", + "ValidTo": "2009-05-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "65680c783b728ab2a1880df4232ded32", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "b32497762d916dba6c827e31205b67dd", + "SHA1": "9310239b75394b75a963336fbd154038fc13c4e3", + "SHA256": 
"5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0", + "Authentihash": { + "MD5": "b08ec7710e9596bf9389b458b4f9717b", + "SHA1": "d544c1dfd17aee4bf15dc4aa8d5208fe304f4eb4", + "SHA256": "b261d4065c03dcc732a951a9451b3a9f6054899eb3b8a4062dfed1c0ca3f3755" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.3.2.13 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.3.2.13", + "Copyright": "Copyright (C) 2002-2017 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "ZwSetSecurityObject", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + 
"SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELND1617", + "ValidFrom": "2016-09-22 20:33:26", + "ValidTo": "2017-09-22 20:33:26", + "Signature": "58a551acbb46f94e4e69d0dba0bc403d4290ce875c9acf2e6d12020b912d9e0d32875d781c9708fe33ac9ccdeb2bed9145239dd5801cdb9b3bb6fb13cd2faabe50bef817958fbc3da7ae52cf26d0479f7719ca250c3b16a656d91306585d5fdac2ba2f6c1c79aa27c658b15b65782eff638d7a35fdf339431c5781f5097a0a6ea06548d565f2a1242132e946117a7655258902642ade6bdccfc16de3076e8793f72f54a350311120a32012b3867e96be72615d1958972a76672007236bbe386630bbeea96c1eedc9ad9e0a37c552359fdbaf315f2d180e9c5b62f32cb870d1c87600da28fd67a0574e86be564e80ac8918a6fba69a1a151020d4af214528127f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", + "ValidFrom": "2015-04-24 21:46:24", + "ValidTo": "2018-04-24 21:46:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000ba45a7f4234edca115e400020000ba45", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "ca6931fcbc1492d7283aa9dc0149032e", + "SHA1": "45a9f95a7a018925148152b888d09d478d56bbf5", + "SHA256": "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683", + "Authentihash": { + "MD5": "5617c10f9fb9e09aba8657adb2c05b07", + "SHA1": "b4d869e7b3be6f0ae0113b05bc5358b955e2f6d4", + "SHA256": "08209cd92723526d56863e89f283750e2ee57c69db37ae501aa889c0c60bb552" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.2.7 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.2.7", + "Copyright": "Copyright (C) 2002-2016 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + 
"ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "ObfDereferenceObject", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "ZwSetSecurityObject", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", + "ValidFrom": "2015-09-28 19:41:01", + "ValidTo": "2016-09-27 19:41:01", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic 
Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "586fbfcd43074213fcb8d0ad8121f28a6fef87bc268a7c00bd680c2b19642c1167b3a9d9790aac395d6500163b53466ea2a6b56799dbe8bfa225ae049511093a2fdeacb73db8bc017430804748544ca0fb6ba8b8a284b7f434e57bcedc5278f4316d4251ae87bf94acbe9616fb55e5798264fdac5038e4dccb812ce7776f9d9b235c7d0403f4079e7ed457e266944debb55c5c629e8c2d83e64614e2a11380fddae0862711922bbd87174fcb19184b5e8ce60dd98f7d23766fa4ffa0ba3de36d37d62638e81a9c2392c8561f1a1a8e00d633a66b95fa821e740b0fa486df23337c9e3614b35ce2a3ed48a08e28f1d74cf6c09bb4f53ca3e5a863a22c08a5d5fe", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", + "ValidFrom": "2014-12-09 21:30:38", + "ValidTo": "2017-12-09 21:30:35", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", + "Issuer": "C=US, ST=CA, L=Santa 
Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "349fa788a4a7b57e37e426aca9b736d5", + "SHA1": "687b8962febbbea4cf6b3c11181fd76acb7dfd5a", + "SHA256": "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9", + "Authentihash": { + "MD5": "c50808f1da14138ea4b38907f113ab5a", + "SHA1": "859be8b0b744eee0b9a3410fc5a614b924ac4b43", + "SHA256": "e7fe1fa6d2e5502ff1882a345790d0aab3ad34fe269ab23e3115d2d93db3fe6b" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + 
"Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2006-04-17 00:00:00", + "ValidTo": "2009-05-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "65680c783b728ab2a1880df4232ded32", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "1c61eb82f1269d8d6be8de2411133811", + "SHA1": "0d6fb0cb9566b4e4ca4586f26fe0631ffa847f2c", + "SHA256": "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7", + "Authentihash": { + "MD5": "0b6c1cf6b4bad6edccd9c8457af495bc", + 
"SHA1": "69e6d06476e4c55989507cf47722f0c355f568ad", + "SHA256": "c857c2db1fe1b9c979079add29d5b970147d6a264b4095e6579b5d0669c2b572" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.3.2.18 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.3.2.18", + "Copyright": "Copyright (C) 2002-2019 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", + "IoCreateSymbolicLink", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "RtlInitUnicodeString", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "MmAllocateNonCachedMemory", + "MmFreeNonCachedMemory", + "KeBugCheckEx", + "IoDeleteSymbolicLink", "ObfDereferenceObject", - "ZwSetEvent", + "IoDeleteDevice", + "MmGetSystemRoutineAddress", + "ZwSetSecurityObject", + "ObOpenObjectByPointer", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", + 
"SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "_wcsnicmp", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "ZwCreateKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "RtlFreeUnicodeString", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "362ba2f2e1331fe493f7f26985c6640ec99b632fe4703798fd94ec7bcff8a14246f9ed6a4e8d34693605557a1ebbad8c99429606e925a82684bec1bf16a97caa5b04b7fdd1c0f402be28edf577c79bfe3af6e8c17bd382abfa144ecf2bcfe5d5b54840b1a38f838bad2b2553aba634cef243f74f2ce9dd1e4e5ab6bae83b10992400bc50fd78f6e523a8899493f7b74130374a57b7e644d9c9df9905aa44fc74af8264cc07cb01b609c32ee3e832a7b49f4178c7a184365462f2ec150ac8ead084f8f1e06bf456125f95e0fcddb77693fe294a25e90400f1b4110ec9849edb177df51ea58e3629193a6d6c464bd7ab7024288d05a3d9d524f2f8a0d13c8239d4a8820e693a8109fc06f0c75933843693064191232c22a5a7012b50b428aedb46b0591b86b39b87e8494e390b6d14df4c03301e1f5f74aef55b590353ec9816e0d06235751b48b87d13e57a48b87752a40798253b069b7a4e6a6f44864f144f2779273d5073414c9c413edd290c73b1c7fb1f760c176504ebd25010924149ece4067d3615446f89bf697df94d40c13a98b6a07e31d2b5aecafb53d53f5086cd5e933b6d5d7c9a3f3ff7a9255884dd114900a2c7c89e37dd778e6d718be05b81345d54baccf59347886de7ef5be228e4801b40e40f2ad17f2315655aac9994433f465526d6c4fa8895e2919aa32d0b85deac8ce0f967709f71790231f761a229c4", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority", + "ValidFrom": "2000-05-30 10:48:38", + "ValidTo": "2020-05-30 10:48:38", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=ND_QV", + "ValidFrom": "2019-03-27 21:49:54", + "ValidTo": "2021-03-26 21:49:54", + "Signature": "2b03535c8db5fa8488a8241590410378f7362874f1b40f0f3750eae22224e9f559d4f703760a9a0530b2869436b78ef40ec4fd88bc1ebe2783b74b2339d011cde8788c4ed967fd4de5f4ccc2af794eed1d8efc0bf6737ccd5db59f64394a68f0a3a152de60b5c5091c6a9913192cccb7168ab4465ac7da62ad6cba49688c4b2340c7e97386ca3a06fd9ffeb114f21cadf7e0c4f0dcd1457b7c1f7d0b0b286f90cffef6d1802d818c73fdf3588c46dc99855f2e80aa329c3fa62f9f941589e016b6cbb775b311a49cbfc1ae5cb906eee8cf9f93e7ae994e7f6069bd6d9b4b071ba7042653eaf235bae020582b9c6ab78a237c05bbbe8f9182631c0f836ad3da9a71ba48e2c3260d002c88c98f1ad0c6d67d259c393129e17fa2913545c1a9bc7a48e18452d2048bcf2d931d996472155dd91338551feb086e3f8ac979745b1652f6cc8efae1c3c1df6983db6a45549a5de477567bc22ed2529adb7db1002b15bd8ab4e91739a3d4d018aa6bc2ac744abcc68690c938ef2a3a3e2b6552944806f6ba7260c3d8d949d29e056e922a581edd28ff12ee03279882a5e389070fa06a1b1a900b9a32e1208c8f00bfc9a2f2dbb96c10071fb05231ed2ba6170b007717ad33c0934c45d6b9690194dcd0212f5cb68c203400a196a218bb20ca645ed6b72cfba8f31cdae8b56b91415973dd46b6dac1e4b268ebbd17de7da59f253b380c41", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B", + "ValidFrom": "2015-10-28 00:00:00", + "ValidTo": "2021-06-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.12" + } + ], + "Signer": [ + { + "SerialNumber": "5600000a6c1826788c3ae621c1000000000a6c", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Issuing CA 7B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "31a4631d77b2357ac9618e2a60021f11", + "SHA1": "637d0de7fa2a06e462dad40a575cb0fa4a38d377", + 
"SHA256": "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5", + "Authentihash": { + "MD5": "67bc13f641db5e7b40ffd8fd33b7d9c6", + "SHA1": "627e4a44e5a5da00cdb8ae2a538175ded6a9a113", + "SHA256": "9f94d9180104c820c3d27f03e20f5bbc9d2a5bc2ae6e74baf2a848f2f1790ec8" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", "ZwClose", - "ZwConnectPort", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2009-05-26 00:00:00", + "ValidTo": "2012-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "058258571670ab2b1bac50679cec49a1", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "7c22b7686c75a2bb7409b3c392cc791a", + "SHA1": "bed5bad7f405aa828a146c7f71d09c31d0c32051", + "SHA256": "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df", + "Authentihash": { + "MD5": "1789a16d20ca2b55f491ad71848166a2", + "SHA1": "2cbfe4ad0e1231ff3e19c19ca9311d952ce170b7", + "SHA256": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.7 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.7", + "Copyright": "Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", "RtlInitUnicodeString", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", - "ZwRequestWaitReplyPort", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + 
"IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2012-05-17 00:00:00", + "ValidTo": "2015-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "2776ab5cf2d09872f1ad05fbc3f21a87", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "477e02a8e31cde2e76a8fb020df095c2", + "SHA1": "9449f211c3c47821b638513d239e5f2c778dc523", + "SHA256": "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5", + "Authentihash": { + "MD5": "99f8e77dfc84cbd445500575ec9ab78a", + "SHA1": "154c4d80f243b40dcebc2d5a2f3cee968d2f6f0c", + "SHA256": "7cc54914473d7c75a483c5672655bd9df2ce20b556a0d92c6e4cb8722ab1647b" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: 
WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2009-05-26 00:00:00", + "ValidTo": "2012-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "058258571670ab2b1bac50679cec49a1", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "ce67e51b8c0370d1bfe421b79fa8b656", + "SHA1": "4885cd221fa1ea330b9e4c1702be955d68bd3f6a", + "SHA256": 
"cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c", + "Authentihash": { + "MD5": "02eedc6afdeb843f391a69611266a838", + "SHA1": "9dae306ebc30a8c2f160e3f6e726fcd3e4f92280", + "SHA256": "727666434d5ea292a7631d0944edd36097db12862730996ce8a3f052be04a2cd" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "ExAllocatePoolWithTag", "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", + "MmGetPhysicalAddress", "DbgPrint", - "memset", + "sprintf", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "RtlInitUnicodeString", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmMapIoSpace", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" 
+ ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + "ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + 
"ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2009-05-26 00:00:00", + "ValidTo": "2012-05-30 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "058258571670ab2b1bac50679cec49a1", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "2cc65e805757cfc4f87889cdceb546cd", + "SHA1": "7c625de858710d3673f6cb0cd8d0643d5422c688", + "SHA256": "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f", + "Authentihash": { + "MD5": "3e2ca18cf98afa0faac4da0fb1eca408", + "SHA1": "15a85aa659248751080984a29dc848c37e900002", + "SHA256": "ccc65f108ad084af41725e42efc3c3c539f89a474c1b1293b111a83e3eba216a" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.1.2 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.1.2", + "Copyright": "Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - 
"swprintf", - "towupper", - "_wcsnicmp", "ExAllocatePoolWithTag", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "RtlInitUnicodeString", + "MmMapIoSpace", + "ObfDereferenceObject", "KeWaitForSingleObject", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeDelayExecutionThread", - "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwOpenKey", - "ZwEnumerateKey", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "ZwQuerySecurityObject", - "memcpy", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + 
"MmFreeContiguousMemory", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", + "ValidFrom": "2015-09-28 19:41:01", + "ValidTo": "2016-09-27 19:41:01", + "Signature": "2e848fb2550d87edeeacf69dca78bc7ee5e795fd42baa6a313ef275d8d2e759cc65a18cd2377377e94a0ebb35a0102145417defb44dcf18f4dd77ee101906f3246ae512d7bb1e1dc4e40381a2c6ee4b4109167360f93b6694abc8c91dfec6b9da549d30c874b96a7f1217f5a4ee8093a880eb8aafbc2d9b58de2a71e8cb2fcf51d7133cf971410e9de26ad9a1b3516055847e9979af0c1fe4950fcd301d3f4170bf37660e3eb7f30197aad793158fee9958f2772eca1836e57bfd50c2c3dbf6cb6916e56f9a7e262f79d57c75993056f677ff60638475f9980b51f0916fea9e87e96778bb86cbb56425752eed78660e6e026728f8388d1e05f2cf54fd664c17e", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "586fbfcd43074213fcb8d0ad8121f28a6fef87bc268a7c00bd680c2b19642c1167b3a9d9790aac395d6500163b53466ea2a6b56799dbe8bfa225ae049511093a2fdeacb73db8bc017430804748544ca0fb6ba8b8a284b7f434e57bcedc5278f4316d4251ae87bf94acbe9616fb55e5798264fdac5038e4dccb812ce7776f9d9b235c7d0403f4079e7ed457e266944debb55c5c629e8c2d83e64614e2a11380fddae0862711922bbd87174fcb19184b5e8ce60dd98f7d23766fa4ffa0ba3de36d37d62638e81a9c2392c8561f1a1a8e00d633a66b95fa821e740b0fa486df23337c9e3614b35ce2a3ed48a08e28f1d74cf6c09bb4f53ca3e5a863a22c08a5d5fe", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, 
+ { + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": "b9f61352b517a72a4d84774309a4dba067b4600e42f403bdc4ff2c5a0f902e78c563c84aec27f67ce429d0cf6018fa6822da0252760df21754c6f6081ea1cc82e4c33a6d99227cc4c077b4e6052047934039cfdc55adc346af294d799c644c205f8a1c56fc46a05fcb98dd917a39b4afc477996b9eacde6f2d79ea7fd7132498521cfd693eed72ac3fd0b4011914edb0f0cbf39c5114238cc7dc697d328196e41d478f017694833e888d925b1858986903c7f5d3f2615250eb34a0fd2630300fb5fd70e7272c370b1cf3e71ea62c0743b64b885e971fc1307d60642af30c7068445163599fdb57c21fff80e5c21192d82fefd51743ff642d64845c521a63c267", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", + "ValidFrom": "2015-04-24 21:46:24", + "ValidTo": "2018-04-24 21:46:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "e1ebc6c5257a277115a7e61ee3e5e42f", + "SHA1": "b67945815e40b1cd90708c57c57dab12ed29da83", + "SHA256": "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1", + "Authentihash": { + "MD5": "d6a18c98a17d12e0c8678cd0c1cc5fc6", + "SHA1": "d3f4a292c29d6c87b4744370a430889cba6ab093", + "SHA256": 
"83aad7f91c4ebec89fb63e60ccc05628281aa0439362097bd91c69f4b74470bb" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "IA64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeGetCurrentIrql", + "DbgPrint", + "sprintf", + "vsprintf", "IoFreeMdl", - "_purecall", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "NtClose", - "ObQueryNameString", - "MmGetSystemRoutineAddress", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "MmMapLockedPages", "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", - "strrchr", - "ZwQueryVolumeInformationFile", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "MmGetPhysicalAddress", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - 
"RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", + "KeTickCount", + "KeBugCheckEx", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", "IofCompleteRequest", - "ExEventObjectType", - "IoDeleteDevice", + "IoCreateDevice", + "IoCreateSymbolicLink", + "RtlInitUnicodeString", "IoDeleteSymbolicLink", + "IofCallDriver", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation", + "ValidFrom": "2006-04-17 00:00:00", + "ValidTo": "2009-05-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "65680c783b728ab2a1880df4232ded32", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "edbf206c27c3aa7d1890899dffcc03ec", + "SHA1": "3bb1dddb4157b6b8175fc6e1e7c33bef7870c500", + "SHA256": "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5", + "Authentihash": { + "MD5": "23b096e4055705b360ce4c802fb5e36c", + "SHA1": "4d3d6c6932e2882067830b2167b994b169e536d1", + "SHA256": "e80597ea0d75e9198428c81ca5b4495bf11922dd29852a0a2e63998e36857746" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.1.0 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.1.0", + "Copyright": "Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "ObReferenceObjectByName", - 
"IoDriverObjectType", - "RtlCompareUnicodeString", + "IoCreateDevice", + "IofCompleteRequest", + "MmIsAddressValid", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "MmGetPhysicalAddress", + "DbgPrint", "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", + "vsprintf", + "IoFreeMdl", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "RtlInitUnicodeString", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", "IoBuildSynchronousFsdRequest", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", + "KeInitializeEvent", + "ZwClose", "RtlFreeAnsiString", + "strstr", "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", + "ZwEnumerateValueKey", + "ZwOpenKey", "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ZwSetSecurityObject", - "ExAcquireFastMutexUnsafe", - "IoDeviceObjectType", - "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "RtlAbsoluteToSelfRelativeSD", - "MmUnlockPages", - 
"KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - "KfLowerIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", + "KeBugCheckEx", + "IoDeleteSymbolicLink", + "MmFreeContiguousMemory", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -97241,628 +100265,258 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2015-05-05 00:00:00", - "ValidTo": "2015-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) INTELNPG1", + "ValidFrom": "2015-09-28 19:41:01", + "ValidTo": "2016-09-27 19:41:01", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, 
O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2015-02-20 00:00:00", - "ValidTo": "2016-05-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", + "ValidFrom": "2014-05-30 16:35:55", + "ValidTo": "2021-03-17 18:33:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Thales TSS ESN:E892,D055,162F, OU=Thales TSS ESN:E892,D055,162F, CN=timestamp.intel.com", + "ValidFrom": "2015-04-24 21:46:24", + "ValidTo": "2018-04-24 21:46:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + }, { - "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "TmComm.sys", - "MD5": "08bac71557df8a9b1381c8c165f64520", - "SHA1": "891c8d482e23222498022845a6b349fe1a186bcc", - "SHA256": "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf", - "Authentihash": { - "MD5": "cfb84fad4e23da054656c41b09c8c467", - "SHA1": "4dad9e501ec85acd2b405eca3fc1e5787d64ab34", - "SHA256": "14cfe7b4f7572aa3434ac5dd458a35f286538b34734cf7a310fb7bcba209921c" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": 
"TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "2.5.0.1106", - "Product": "AEGIS", - "ProductVersion": "2.5", - "Copyright": "Copyright (C) 2005-2008 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "CLASSPNP.SYS" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - 
"??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - "??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - 
"??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", - "??_7CContext@@6B@", - "??_7CContextList@@6B@", - "??_7CDebugLog@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", - "??_7CFile@@6B@", - "??_7CFileExtension@@6B@", - "??_7CKEvent@@6B@", - "??_7CList@@6B@", - "??_7CLockEvent@@6B@", - "??_7CLockList@@6B@", - "??_7CMemoryAllocator@@6B@", - "??_7CMemoryPoolAllocator@@6B@", - "??_7CModuleConfig@@6B@", - "??_7CModuleConfigList@@6B@", - "??_7CModuleFileExtConfig@@6B@", - "??_7CModuleFlagConfig@@6B@", - "??_7CModuleMultiStringConfig@@6B@", - "??_7CModuleStringConfig@@6B@", - "??_7CStrList@@6B@", - "??_7CSystemThread@@6B@", - "??_7CUserFuncAdapterJob@@6B@", - "??_7CWorkerThread@@6B@", - 
"??_7CWorkerThreadJob@@6B@", - "??_7CWorkerThreadJobQueue@@6B@", - "??_7CWorkerThreadPool@@6B@", - "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - 
"?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - 
"?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - 
"?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - 
"?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKmLPC@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKmLPC@0", - "_KmCallUm@8", - "_MapMem@12", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UnMapMem@8", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetProcessName@12", - "_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilQueryKeyValue@24", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "__UtilDosPathNameToNtPathName@12" + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": 
"362ba2f2e1331fe493f7f26985c6640ec99b632fe4703798fd94ec7bcff8a14246f9ed6a4e8d34693605557a1ebbad8c99429606e925a82684bec1bf16a97caa5b04b7fdd1c0f402be28edf577c79bfe3af6e8c17bd382abfa144ecf2bcfe5d5b54840b1a38f838bad2b2553aba634cef243f74f2ce9dd1e4e5ab6bae83b10992400bc50fd78f6e523a8899493f7b74130374a57b7e644d9c9df9905aa44fc74af8264cc07cb01b609c32ee3e832a7b49f4178c7a184365462f2ec150ac8ead084f8f1e06bf456125f95e0fcddb77693fe294a25e90400f1b4110ec9849edb177df51ea58e3629193a6d6c464bd7ab7024288d05a3d9d524f2f8a0d13c8239d4a8820e693a8109fc06f0c75933843693064191232c22a5a7012b50b428aedb46b0591b86b39b87e8494e390b6d14df4c03301e1f5f74aef55b590353ec9816e0d06235751b48b87d13e57a48b87752a40798253b069b7a4e6a6f44864f144f2779273d5073414c9c413edd290c73b1c7fb1f760c176504ebd25010924149ece4067d3615446f89bf697df94d40c13a98b6a07e31d2b5aecafb53d53f5086cd5e933b6d5d7c9a3f3ff7a9255884dd114900a2c7c89e37dd778e6d718be05b81345d54baccf59347886de7ef5be228e4801b40e40f2ad17f2315655aac9994433f465526d6c4fa8895e2919aa32d0b85deac8ce0f967709f71790231f761a229c4", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000b7c6cfa9df260db5243500020000b7c6", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "d0a5f9ace1f0c459cef714156db1de02", + "SHA1": "540b9f9a232b9d597138b8e0f33d83f5f6e247af", + "SHA256": "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54", + "Authentihash": { + "MD5": "a3680d04628485c4f6258dc95f4e8e76", + "SHA1": "a254c2464cf2f39e729125250fa80297de9dcf01", + "SHA256": "dcd4d4bee76aacba8792df291eb55cc716752bd7ddb51ecb9bec491b02f57c70" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.1.0 built by: WinDDK", + "Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.1.0", + "Copyright": 
"Copyright (C) 2002-2015 Intel Corporation All Rights Reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" ], + "ExportedFunctions": "", "ImportedFunctions": [ - "KeEnterCriticalRegion", - "KeGetCurrentThread", - "KeLeaveCriticalRegion", - "ExReleaseFastMutexUnsafe", - "wcsncpy", - "memcpy", - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "DbgPrint", - "KeReleaseSemaphore", - "RtlSubAuthoritySid", - "RtlInitializeSid", + "IoCreateSymbolicLink", + "IoCreateDevice", + "IofCompleteRequest", + "MmIsAddressValid", "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", - "ZwClose", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "memmove", - "KeStackAttachProcess", - "ZwConnectPort", - "RtlInitUnicodeString", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", - "memset", - "MmIsAddressValid", - "ZwWriteFile", - "ZwReadFile", - "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", - "towupper", - "_wcsnicmp", - "KeInitializeEvent", - "_snprintf", - "PsGetCurrentProcessId", - "RtlTimeToTimeFields", - "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", - "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "_vsnprintf", + "MmGetPhysicalAddress", + "DbgPrint", + "strncpy", + "vsprintf", + "IoFreeMdl", "MmMapLockedPagesSpecifyCache", "MmBuildMdlForNonPagedPool", - "MmCreateMdl", + "IoAllocateMdl", + "MmUnmapIoSpace", "MmUnmapLockedPages", - "KeSetPriorityThread", - "PsTerminateSystemThread", - "PsCreateSystemThread", - "KeNumberProcessors", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - 
"ZwOpenDirectoryObject", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", - "ZwOpenKey", - "ZwEnumerateKey", + "MmAllocateContiguousMemory", + "RtlInitUnicodeString", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "IofCallDriver", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ExGetPreviousMode", - "ExAcquireFastMutexUnsafe", - "ObOpenObjectByPointer", - "PsProcessType", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFreeIrp", - "IoBuildAsynchronousFsdRequest", - "ProbeForWrite", + "ZwOpenKey", + "wcsncpy", + "IoGetDeviceObjectPointer", + "IoGetDeviceInterfaces", + "ObReferenceObjectByPointer", "KeBugCheckEx", - "RtlImageNtHeader", - "_stricmp", - "_strnicmp", - "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "KeDelayExecutionThread", - "mbstowcs", - "ZwQuerySymbolicLinkObject", - "ZwOpenSymbolicLinkObject", - "RtlEqualUnicodeString", - "IoFileObjectType", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", + "IoDeleteSymbolicLink", + "MmFreeContiguousMemory", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "KeQueryPerformanceCounter" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Intel Network Drivers", + "ValidFrom": "2014-09-25 20:18:50", + "ValidTo": "2015-09-25 20:18:50", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", + "ValidFrom": "2013-02-08 22:21:23", + "ValidTo": "2018-02-08 22:31:23", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + 
"Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", + "ValidFrom": "2013-02-01 00:00:00", + "ValidTo": "2020-05-30 10:48:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", + "ValidFrom": "2015-02-03 00:00:00", + "ValidTo": "2026-03-03 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", + "ValidFrom": "2011-04-13 10:00:00", + "ValidTo": "2028-01-28 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", + "ValidFrom": "2013-08-15 20:26:30", + "ValidTo": "2023-08-15 20:36:30", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "330000b4a079accd956034e6ae00020000b4a0", + "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" + } + ] + } + ] + }, + { + "FileName": "iQVW64.SYS", + "MD5": "cebf532d1e3c109418687cb9207516ad", + "SHA1": "444a2b778e2fc26067c49dde0aff0dcfb85f2b64", + "SHA256": "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7", + "Authentihash": { + "MD5": "e6245e7df4ae8bd2e49e0f41d3fad7fc", + "SHA1": "73d3fbb52669d917c11808919817d8d97681c6ac", + "SHA256": "1452103306895429c54ba1735800b8c8694c3165cdef32ca12ed6ce348019292" + }, + "Description": "Intel(R) Network Adapter Diagnostic Driver", + "Company": "Intel Corporation ", + "InternalName": "iQVW64.SYS", + "OriginalFilename": "iQVW64.SYS", + "FileVersion": "1.03.0.4 built by: WinDDK", + 
"Product": "Intel(R) iQVW64.SYS", + "ProductVersion": "1.03.0.4", + "Copyright": "Copyright (C) 2002-2006 Intel Corporation All Rights Reserved.", + "MachineType": "IA64", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "KeGetCurrentIrql", + "DbgPrint", + "sprintf", + "vsprintf", "IoFreeMdl", + "MmMapLockedPages", + "MmBuildMdlForNonPagedPool", "IoAllocateMdl", - "PsGetVersion", - "MmGetSystemRoutineAddress", - "RtlCompareMemory", - "RtlCopyUnicodeString", - "RtlAppendUnicodeStringToString", - "IofCompleteRequest", - "ExEventObjectType", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "ProbeForRead", + "MmUnmapIoSpace", + "MmUnmapLockedPages", + "MmAllocateContiguousMemory", + "MmFreeContiguousMemory", + "MmMapIoSpace", + "ObfDereferenceObject", + "KeWaitForSingleObject", + "MmGetPhysicalAddress", + "IoBuildSynchronousFsdRequest", + "KeInitializeEvent", + "ZwClose", + "RtlFreeAnsiString", + "strstr", + "RtlUnicodeStringToAnsiString", + "ZwEnumerateValueKey", + "ZwOpenKey", + "wcsncpy", "IoGetDeviceObjectPointer", - "ExAllocatePool", - "RtlUpperChar", - "RtlCompareUnicodeString", - "PsLookupProcessByProcessId", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", + "IoGetDeviceInterfaces", "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "_snwprintf", - "RtlAnsiStringToUnicodeString", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", "KeTickCount", - "RtlUnwind", - "ZwSetSecurityObject", - "IoDeviceObjectType", + "KeBugCheckEx", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "IofCompleteRequest", "IoCreateDevice", - "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", - 
"RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", - "SeCaptureSecurityDescriptor", - "SeExports", - "IoIsWdmVersionAvailable", - "RtlLengthSid", - "wcschr", - "RtlAbsoluteToSelfRelativeSD", - "RtlFreeUnicodeString", - "ZwTerminateProcess", - "_purecall", - "ClassInitialize" + "IoCreateSymbolicLink", + "RtlInitUnicodeString", + "IoDeleteSymbolicLink", + "IofCallDriver", + "IoDeleteDevice", + "KeStallExecutionProcessor", + "WRITE_PORT_ULONG", + "WRITE_PORT_USHORT", + "WRITE_PORT_UCHAR", + "READ_PORT_ULONG", + "READ_PORT_USHORT", + "READ_PORT_UCHAR", + "KeQueryPerformanceCounter" ], "Signatures": [ { "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", "ValidFrom": "2003-12-04 00:00:00", @@ -97870,6 +100524,13 @@ "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", "ValidFrom": "2004-07-16 00:00:00", 
@@ -97877,53 +100538,261 @@
 "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
- {
- "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.",
- "ValidFrom": "2008-01-16 00:00:00",
- "ValidTo": "2011-02-16 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
 {
 "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
 "ValidFrom": "2006-05-23 17:01:29",
 "ValidTo": "2016-05-23 17:11:29",
 "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, ST=Oregon, L=Hillsboro, O=Intel Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=LAN Access Division, CN=Intel Corporation",
+ "ValidFrom": "2006-04-17 00:00:00",
+ "ValidTo": "2009-05-31 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "645212f783f4d7aba3555729e99ce065",
+ "SerialNumber": "65680c783b728ab2a1880df4232ded32",
 "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA"
 }
 ]
 }
 ]
+ }
+ ],
+ "Tags": [
+ "iQVW64.SYS"
+ ],
+ "yara": true
+ },
+ {
+ "Id": "d35cb48d-2aca-4d7d-a194-f4566183bcd9",
+ "Author": "Nasreddine Bencherchali",
+ "Created": "2023-05-06",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": "sc.exe create TmComm.sys binPath=C:\\windows\\temp\\TmComm.sys 
type=kernel && sc.exe start TmComm.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0.yara" + }, + { + 
"type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ { "FileName": "TmComm.sys", - "MD5": "42132c7a755064f94314b01afb80e73c", - "SHA1": "3e790c4e893513566916c76a677b0f98bd7334dd", - "SHA256": "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0", + "MD5": "34686a4b10f239d781772e9e94486c1a", + "SHA1": "8a922499f7a1b978555b46c30f90de1339760c74", + "SHA256": "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06", "Authentihash": { - "MD5": "37dd516b2406b4e5d95e260886230437", - "SHA1": "95e72a3ba11c83d127302e8327b2fe9580a61e3f", - "SHA256": "a553ba125adf00a769718d5cd26ed1a59b5e397956ebc6163973b10fe8c58214" + "MD5": "ebd5f8589975be817ecd3c281055d4a7", + "SHA1": "ebd74b4fecfb48c28cdf11f123e0364c9e9852ea", + "SHA256": "66539655171ddff02d8134241c58a53de3faa6467db7be14131e04b99ef33cee" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.0.0.1099", + "FileVersion": "6.70.0.1106", "Product": "Trend Micro Eyes", 
- "ProductVersion": "7.0", - "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "CLASSPNP.SYS", - "HAL.dll" + "HAL.dll", + "CLASSPNP.SYS" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", @@ -98058,7 +100927,6 @@ "??2CMemoryAllocator@@SGPAXI@Z", "??2CMemoryPoolAllocator@@SGPAXI@Z", "??3@YAXPAX@Z", - "??3@YAXPAXI@Z", "??3IMemoryAllocator@@SGXPAX@Z", "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", "??4CBlobConfig@@QAEAAV0@ABV0@@Z", @@ -98366,7 +101234,6 @@ "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_AllocFullFileName@8", "_DeInitKm2UmCommunication@0", "_DeInitKmLPC@0", "_DuplicateFullFileName@4", @@ -98383,7 +101250,6 @@ "_KmCallUmEx@12", "_KmCleanupCommPortAPIs@0", "_KmGetUmInitProcess@0", - "_KmSetBackupCommPortAPIs@4", "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", 
@@ -98427,226 +101293,227 @@
 "__UtilDosPathNameToNtPathName@12"
 ],
 "ImportedFunctions": [
- "ExAcquireFastMutexUnsafe",
- "ExReleaseFastMutexUnsafe",
- "ProbeForRead",
- "ProbeForWrite",
- "ExAcquireResourceSharedLite",
- "ExAcquireResourceExclusiveLite",
- "ExReleaseResourceLite",
- "MmProbeAndLockPages",
- "MmUnlockPages",
- "MmMapLockedPagesSpecifyCache",
- "IoAllocateMdl",
- "IoFreeMdl",
- "IoGetCurrentProcess",
- "ObfReferenceObject",
- "ObfDereferenceObject",
- "ZwClose",
- "ZwCreateSection",
- "ZwOpenSection",
- "ZwMapViewOfSection",
- "ZwUnmapViewOfSection",
- "ZwOpenEvent",
+ "wcsrchr",
+ "KeSetEvent",
 "KePulseEvent",
+ "KeClearEvent",
 "KeStackAttachProcess",
 "KeUnstackDetachProcess",
- "ObOpenObjectByPointer",
- "ZwAllocateVirtualMemory",
- "ZwFreeVirtualMemory",
+ "ObfDereferenceObject",
 "ZwSetEvent",
- "_allmul",
- "memcpy",
- "memset",
- "PsProcessType",
- "wcsncpy",
- "wcsrchr",
+ "ZwClose",
+ "ZwConnectPort",
+ "RtlInitUnicodeString",
 "RtlUnicodeStringToInteger",
+ "ZwCreateSection",
 "ZwWaitForSingleObject",
+ "ZwOpenEvent",
+ "IoGetCurrentProcess",
+ "ObfReferenceObject",
+ "DbgBreakPoint",
 "ZwRequestWaitReplyPort",
- "ZwConnectPort",
- "swprintf",
- "RtlCopyUnicodeString",
- "DbgPrint",
- "KeDelayExecutionThread",
- "KeQuerySystemTime",
- "ExAllocatePoolWithTag",
- "PsGetVersion",
- "IofCompleteRequest",
- "IoCreateSymbolicLink",
- "IoDeleteDevice",
- "IoDeleteSymbolicLink",
- "ObReferenceObjectByHandle",
- "PsGetCurrentProcessId",
- "ZwCreateEvent",
- "ExEventObjectType",
- "SeCaptureSubjectContext",
+ "ExFreePoolWithTag",
+ "ProbeForWrite",
+ "ZwFreeVirtualMemory",
+ "ZwAllocateVirtualMemory",
+ "ObOpenObjectByPointer",
+ "PsProcessType",
+ "memmove",
+ "PsGetProcessExitTime",
+ "MmSectionObjectType",
+ "PsThreadType",
+ "ObReleaseObjectSecurity",
 "SeReleaseSubjectContext",
 "SeAccessCheck",
+ "SeCaptureSubjectContext",
 "ObGetObjectSecurity",
- "ObReleaseObjectSecurity",
- "PsGetProcessExitTime",
- "PsThreadType",
- "MmSectionObjectType",
- 
"RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "ExGetPreviousMode", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", + "DbgPrint", + "memset", "MmIsAddressValid", "ExInitializeResourceLite", "ExDeleteResourceLite", - "ZwCreateFile", + "ZwWriteFile", + "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", + "ZwCreateFile", + "swprintf", "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "ObQueryNameString", - "MmHighestUserAddress", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "KeInitializeEvent", "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", + "PsGetCurrentProcessId", "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "ZwCreateKey", + "KeQuerySystemTime", "PsGetCurrentThreadId", + "RtlInitAnsiString", "ZwDeviceIoControlFile", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "ZwOpenFile", - "ExFreePoolWithTag", - "mbstowcs", - "_stricmp", - "IoGetDeviceObjectPointer", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "_strnicmp", - "RtlCompareUnicodeString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IofCallDriver", - "IoFreeIrp", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoFileObjectType", - "IoDriverObjectType", - "IoBuildDeviceIoControlRequest", - "IoCreateFile", + "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", - "_snwprintf", - "strncpy", - "NtOpenProcess", - 
"NtQueryInformationProcess", - "PsIsThreadTerminating", - "ObOpenObjectByName", - "KeServiceDescriptorTable", - "KeAddSystemServiceTable", + "ExGetPreviousMode", + "KeWaitForSingleObject", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeDelayExecutionThread", "KeNumberProcessors", - "RtlLengthSecurityDescriptor", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey", - "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", "ZwTerminateProcess", "ZwOpenProcess", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", + "ZwQueryKey", + "ZwSetValueKey", + "IoFileObjectType", "_allrem", - "RtlAppendUnicodeToString", - "ZwFsControlFile", - "ObInsertObject", - "strrchr", - "wcschr", - "wcsncmp", - "RtlQueryRegistryValues", + "ZwQuerySecurityObject", + "memcpy", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "_purecall", "IoBuildAsynchronousFsdRequest", - "ZwOpenSymbolicLinkObject", + "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "mbstowcs", "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", + "ZwOpenSymbolicLinkObject", "NtClose", + "ObQueryNameString", + "MmGetSystemRoutineAddress", "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "RtlUpcaseUnicodeString", + "_snwprintf", "MmSystemRangeStart", + "wcsncmp", + "strrchr", + 
"ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "wcsstr", - "ExAllocatePool", + "_allshr", "ExInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", + "IoBuildSynchronousFsdRequest", + "wcsstr", "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", + "KeTickCount", + "KeBugCheckEx", "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ZwSetSecurityObject", + 
"ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlLengthSid", "SeExports", "IoIsWdmVersionAvailable", + "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "KeWaitForSingleObject", - "KeLeaveCriticalRegion", - "KeBugCheckEx", - "KeEnterCriticalRegion", - "KeSetEvent", - "KeClearEvent", - "KeInitializeEvent", - "RtlInitUnicodeString", + "MmUnlockPages", "KeGetCurrentThread", - "memmove", - "ZwQueryVolumeInformationFile", - "_purecall", - "ClassInitialize", - "KeRaiseIrqlToDpcLevel", "KfAcquireSpinLock", - "KeGetCurrentIrql", - "ExReleaseFastMutex", - "ExAcquireFastMutex", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", "KfLowerIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", "KfRaiseIrql", - "KfReleaseSpinLock" + "ClassInitialize" ], "Signatures": [ { 
@@ -98654,17 +101521,24 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer",
- "ValidFrom": "2015-12-31 00:00:00",
- "ValidTo": "2019-07-09 18:40:36",
- "Signature": "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",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
+ "ValidFrom": "2012-12-21 00:00:00",
+ "ValidTo": "2020-12-30 23:59:59",
+ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
+ "ValidFrom": "2012-10-18 00:00:00",
+ "ValidTo": "2020-12-29 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
 "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.",
- "ValidFrom": "2016-03-29 00:00:00",
- "ValidTo": "2017-06-28 23:59:59",
- "Signature": "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",
+ "ValidFrom": "2017-04-27 00:00:00",
+ "ValidTo": "2018-07-16 23:59:59",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
@@ -98684,7 +101558,7 @@
 ],
 "Signer": [
 {
- "SerialNumber": "774d49c5649436de6bf3190a67eedcdf",
+ "SerialNumber": "497c4fad471540e6e453d0cafb155740",
 "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
 
@@ -98693,22 +101567,22 @@
 },
 {
 "FileName": "TmComm.sys",
- "MD5": "f51065667fb127cf6de984daea2f6b24",
- "SHA1": "1768fb2b4796f624fa52b95dfdfbfb922ac21019",
- "SHA256": "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad",
+ "MD5": "28d6b138adc174a86c0f6248d8a88275",
+ "SHA1": "8ac5703e67c3e6e0585cb8dbb86d196c5362f9bb",
+ "SHA256": "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56",
 "Authentihash": {
- "MD5": "671205c31cc873b793bd9922b8c2594e",
- "SHA1": "d8dea3a091ef24abd0cee37b74a6e6bf8dccea23",
- "SHA256": "9bea1a92c747c203cd3e370f422ed6023787817a5495385e5ca473ef59396a2e"
+ "MD5": "53dc04de7603508de1788cc4cfcbf35f",
+ "SHA1": "b9b4d64e4c97b88e7258994f542c0ac84e934554",
+ "SHA256": "cf0855a8517be550b08a981bfacf90f245791cd70620868a241f1b1e2d8dfd89"
 },
 "Description": "TrendMicro Common Module",
 "Company": "Trend Micro Inc.",
 "InternalName": "TmComm.sys",
 "OriginalFilename": "TmComm.sys",
- "FileVersion": "6.0.0.1072",
+ "FileVersion": "6.70.0.1121",
 "Product": "Trend Micro Eyes",
- "ProductVersion": "6.0",
- "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. All rights reserved.",
+ "ProductVersion": "6.70",
+ "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. All rights reserved.",
 "MachineType": "AMD64",
 "Imports": [
 "ntoskrnl.exe"
@@ -98995,6 +101869,7 @@
 "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z",
 "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z",
 "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z",
+ "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z",
 "?GetFlagConfig@CContext@@UEAAJKPEAK@Z",
 "?GetID@CModuleConfig@@QEAAKXZ",
 "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ",
@@ -99161,6 +102036,8 @@
 "GetModuleInfoByModuleName",
 "InitKm2UmCommunication",
 "InitKmLPC",
+ "IsVerifierCodeCheckFlagOn",
+ "IsWindows8_1_update",
 "KmCallUm",
 "KmCallUmByLPC",
 "KmCallUmEx",
 
@@ -99178,6 +102055,7 @@
 "UtilAddDeviceInDriveTable",
 "UtilAddReparsePointMapping",
 "UtilCleanFileReadOnly",
+ "UtilCloseExclusiveHandle",
 "UtilCreateDosFileName",
 "UtilDeleteFileForce",
 "UtilGetDeviceObjectName",
@@ -99195,6 +102073,7 @@
 "UtilModuleIATHook",
 "UtilModuleIATUnHook",
 "UtilPostJobToWorkerThread",
+ "UtilQueryExclusiveHandle",
 "UtilQueryKeyValue",
 "UtilRemoveDeviceFromDriveTable",
 "UtilVolumeDeviceToDosName",
@@ -99203,6 +102082,7 @@
 "UtilbuildDynamicDiskMappingTable",
 "UtlWriteBinValueKeyToRegistry",
 "ValidateAddressWithSize",
+ "_ResetProtectFromClose",
 "_UtilDosPathNameToNtPathName"
 ],
 "ImportedFunctions": [
@@ -99274,7 +102154,9 @@
 "PsGetCurrentThreadId",
 "PsGetCurrentProcessId",
 "KeWaitForMultipleObjects",
+ "ExGetPreviousMode",
 "RtlEqualUnicodeString",
+ "RtlPrefixUnicodeString",
 "RtlAppendUnicodeStringToString",
 "RtlCopyUnicodeString",
 "RtlUpcaseUnicodeChar",
@@ -99289,7 +102171,7 @@
 "PsSetCreateProcessNotifyRoutine",
 "ZwOpenDirectoryObject",
 "ZwQueryInformationProcess",
- "ExGetPreviousMode",
+ "ZwQuerySecurityObject",
 "NtSetInformationFile",
 "ZwDeleteValueKey",
 "ZwSetValueKey",
@@ -99300,19 +102182,22 @@
 "ZwQueryDirectoryFile",
 "NtCreateFile",
 "ZwEnumerateValueKey",
+ "RtlLengthSecurityDescriptor",
 "ZwQueryDirectoryObject",
+ "ZwSetSecurityObject",
 "ZwDuplicateObject",
 "ZwOpenProcess",
 "ZwTerminateProcess",
- "ZwDeleteKey",
+ "ExReleaseFastMutexUnsafe",
 "ZwEnumerateKey",
 "ZwQueryKey",
 "ZwOpenKey",
- "ExReleaseFastMutexUnsafe",
+ "MmSystemRangeStart",
 "_stricmp",
 "_strnicmp",
 "mbstowcs",
 "ProbeForRead",
+ "RtlUpcaseUnicodeString",
 "_snwprintf",
 "ZwQuerySymbolicLinkObject",
 "ZwMapViewOfSection",
@@ -99331,6 +102216,7 @@
 "IoAllocateIrp",
 "RtlCompareMemory",
 "MmUnlockPages",
+ "ZwSetInformationObject",
 "ZwOpenFile",
 "wcsncmp",
 "RtlImageNtHeader",
 
@@ -99353,10 +102239,12 @@
 "RtlCreateSecurityDescriptor",
 "IoDeleteSymbolicLink",
 "IoDeleteDevice",
+ "IoGetDeviceObjectPointer",
 "ExEventObjectType",
 "IofCompleteRequest",
 "IoCreateSymbolicLink",
- "IoGetDeviceObjectPointer",
+ "ObOpenObjectByName",
+ "NtQueryInformationProcess",
 "strncpy",
 "NtOpenProcess",
 "ObInsertObject",
@@ -99364,6 +102252,8 @@
 "SeCreateAccessState",
 "IoGetFileObjectGenericMapping",
 "ObCreateObject",
+ "KeAcquireQueuedSpinLock",
+ "KeReleaseQueuedSpinLock",
 "IoReleaseVpbSpinLock",
 "wcschr",
 "strncat",
@@ -99373,7 +102263,6 @@
 "wcstombs",
 "IoGetConfigurationInformation",
 "IoRegisterPlugPlayNotification",
- "RtlUpcaseUnicodeString",
 "IoGetStackLimits",
 "IoBuildSynchronousFsdRequest",
 "KeReleaseSpinLock",
@@ -99385,13 +102274,10 @@
 "MmProbeAndLockPages",
 "RtlCompareUnicodeString",
 "IoGetDeviceInterfaces",
- "DbgPrintEx",
 "KeAcquireSpinLockRaiseToDpc",
 "KeBugCheckEx",
 "IoCreateDevice",
- "ZwSetSecurityObject",
 "IoDeviceObjectType",
- "RtlLengthSecurityDescriptor",
 "SeCaptureSecurityDescriptor",
 "RtlAbsoluteToSelfRelativeSD",
 "IoIsWdmVersionAvailable",
@@ -99401,7 +102287,7 @@
 "RtlGetDaclSecurityDescriptor",
 "RtlGetGroupSecurityDescriptor",
 "RtlGetOwnerSecurityDescriptor",
- "MmSystemRangeStart",
+ "ZwDeleteKey",
 "ExAcquireResourceExclusiveLite",
 "__C_specific_handler"
 ],
 
@@ -99411,38 +102297,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2010-05-10 00:00:00", - "ValidTo": "2015-05-10 23:59:59", - "Signature": "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", + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", + "ValidFrom": "2019-07-12 00:00:00", + "ValidTo": "2020-07-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 
, Microsoft Software Validation v2, CN=Trend Micro, Inc.", - "ValidFrom": "2013-01-17 00:00:00", - "ValidTo": "2014-03-18 23:59:59", - "Signature": "65c7e1e0f4051179852b819153b528c88db47ef50e897cd8ce0d03a7cc2dc896c89790410182186fecaf9da5c317bf57b5038311c10c2ec5ddb5c18165a7e92f92a6f39c042262126c714337a7c528041a04679217c1475a30231c967ca63b4430ccea52fe4f16fabb5c454d2aa8cdde347b8beaa973d76b3f9ba99d2597939a33d67ec4abc3974ef3792b8bc90d092cce62309d205129bbcbd3554382f24b2911b4904b09e7f52f24f2cc5a52fa49f3a163c32fde076e917301f22dd45d643b95319bae922bc861e5a8f90d4dd72603c7b1ea0229eca869ab8d086ae5286baeba9b99a12856dc1d3cd9f6d9da4b8d5a85896ba4587d8eba506a4fbba4a7bb49", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "46503ec9b72824a7381db65b29af52cf52e93147ab565c7bd50d0b41b3efec751f7438f2b25c61a29c95c350e482b923d1ba3a8672ad3878ac755d1717347247859456d1ebbb368477cc24a5f3041955a9e7e3e7ab62cdfb8b2d90c2c0d2b594bd5e4fb105d20e3d1aa9145ba6863162a8a833e49b39a7c4f5ce1d7876942573e42aabcf9c764bed5fc24b16e44b704c00891efcc579bc4c1257fe5fe11ebc025da8fefb07384f0dc65d91b90f6745cdd683ede7920d8db1698c4ffb59e0230fd2aaae007cee9c420ecf91d727b716ee0fc3bd7c0aa0ee2c08558522b8eb181a4dfc2a21ad49318347957771dcb11b4b4b1c109c7714c19d4f2f5a9508291026", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": 
"0ea0fe4dfb74cc64bc32143103c27c8b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } @@ -99450,28 +102343,27 @@ }, { "FileName": "TmComm.sys", - "MD5": "a31246180e61140ad7ff9dd7edf1f6a1", - "SHA1": "fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1", - "SHA256": "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc", + "MD5": "e3aaa0c1c3a5e99eb9970ebe4b5a3183", + "SHA1": "8fafd70bae94bbc22786c9328ee9126fed54dbae", + "SHA256": "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687", "Authentihash": { - "MD5": "9da7d62145d6f4c104da27b797fabc4c", - "SHA1": "597144e2c01496c32aeed3277f8619c229de17b4", - "SHA256": "d3227dc2e8f83258810cf43719f02a8d52648eb17939fddd79fd70155a47305d" + "MD5": "257904eecb49998ecad8b3d2acee8344", + "SHA1": "7f7110dcca30c2110d31f5a875305d52dac0db49", + "SHA256": "3847a1ed764ba25361a1748761fd9a1cbb65e42db00094f8ad6def9ac5da4116" }, - "Description": "TrendMicro Common Module NoTrap Build", + "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "5.0.0.1104", + "FileVersion": "5.50.0.1124", "Product": "Trend Micro Eyes", - "ProductVersion": "5.0", - "Copyright": "Copyright (C) 2005-2011 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll", - "CLASSPNP.SYS", - "SCSIPORT.SYS" + "CLASSPNP.SYS" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", 
@@ -99500,6 +102392,14 @@ "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", @@ -99560,6 +102460,10 @@ "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -99623,6 +102527,10 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -99726,6 +102634,7 @@ "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", 
@@ -99766,6 +102675,10 @@ "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", @@ -99796,6 +102709,7 @@ "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", @@ -99809,6 +102723,10 @@ "?RemoveTail@CLockList@@UAEPAXXZ", "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", "?Run@CDelayLoadThread@@UAEXXZ", @@ -99820,7 +102738,7 @@ "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", "?SetEngineContext@CContext@@QAEXPAX@Z", "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", 
@@ -99842,7 +102760,8 @@ "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForReady@CDelayLoadThread@@QAEEXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", "?Write@CDebugLog@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", @@ -99857,6 +102776,8 @@ "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", "_KmCallUm@8", "_KmCallUmEx@12", "_ModGetExportProcAddress@8", @@ -99874,6 +102795,8 @@ "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", @@ -99886,9 +102809,15 @@ "_UtilWaitValueChangeToZero@8", "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeInitializeSemaphore", "KeWaitForSingleObject", "KeReleaseSemaphore", "KeStackAttachProcess", @@ -99920,8 +102849,11 @@ "ZwOpenEvent", "ObfReferenceObject", "IoGetCurrentProcess", + "DbgBreakPoint", "PsGetProcessExitTime", "MmSectionObjectType", + "PsThreadType", + "MmGetSystemRoutineAddress", "DbgPrint", "memset", "MmIsAddressValid", @@ -99972,11 +102904,16 @@ "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", + "IoFileObjectType", + "memcpy", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", "MmHighestUserAddress", "IoFreeIrp", - "IoFreeMdl", + "_purecall", "MmUnlockPages", - "KeInitializeSemaphore", + "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", 
@@ -99990,7 +102927,6 @@ "ZwMapViewOfSection", "ZwOpenFile", "RtlEqualUnicodeString", - "IoFileObjectType", "IoCreateFile", "IofCallDriver", "IoAllocateIrp", @@ -99998,12 +102934,12 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", - "MmGetSystemRoutineAddress", "RtlCopyUnicodeString", + "RtlFreeUnicodeString", "RtlCompareMemory", + "RtlUpcaseUnicodeString", "_snwprintf", "RtlImageNtHeader", - "RtlFreeUnicodeString", "RtlAnsiStringToUnicodeString", "RtlInitAnsiString", "strrchr", 
@@ -100027,68 +102963,69 @@ "IoDriverObjectType", "RtlAppendUnicodeStringToString", "NtQueryInformationProcess", + "IoThreadToProcess", "PsIsThreadTerminating", - "PsThreadType", "KeAddSystemServiceTable", "ZwQueryObject", - "ZwQuerySecurityObject", "ObInsertObject", - "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", - "RtlUpcaseUnicodeString", "ObCreateObject", "_allshr", - "MmUnmapIoSpace", - "MmGetPhysicalAddress", - "MmFreeContiguousMemory", - "MmAllocateContiguousMemory", - "MmMapIoSpace", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "MmSystemRangeStart", + "wcsstr", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", "KeBugCheckEx", "RtlUnwind", - "KeClearEvent", - "KePulseEvent", - "KeSetEvent", - "wcsrchr", - "memcpy", - "ZwSetSecurityObject", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "_allrem", + "ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", - "wcschr", "RtlAbsoluteToSelfRelativeSD", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "_purecall", - "IoBuildAsynchronousFsdRequest", + 
"IoFreeMdl", "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", - "ExReleaseFastMutex", + "KeGetCurrentIrql", "ExAcquireFastMutex", - "ClassInitialize", - "ScsiPortReadPortBufferUshort", - "ScsiPortReadPortUchar", - "ScsiPortWritePortUchar", - "ScsiPortStallExecution", - "ScsiPortWritePortBufferUshort" + "ExReleaseFastMutex", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
@@ -100096,24 +103033,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2015-05-05 00:00:00", + "ValidTo": "2015-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -100124,16 +103054,23 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-01-31 00:00:00", - "ValidTo": "2012-02-16 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2015-02-20 00:00:00", + "ValidTo": "2016-05-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "24e3d70b86ed54d0b22c3450b960984e", + "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -100142,22 +103079,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "569676d3d45b0964ac6dd0815be8ff8c", - "SHA1": "58b31fb2b623bd2c5d5c8c49b657a14a674664a4", - "SHA256": "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524", + "MD5": "5a615f4641287e5e88968f5455627d45", + "SHA1": "dcfeca5e883a084e89ecd734c4528b922a1099b9", + "SHA256": "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30", "Authentihash": { - "MD5": "6d3193458659666e4c86ec1b9fb06bf9", - "SHA1": "ef123d041e10d8a0b22786f6e471d0c18bc13167", - "SHA256": "83a67b544982a2fd1484af752cc4ab2f6c0b50cb3c9dba60b888c2c2e37d1036" + "MD5": "f9170d67a08b1a8f4e283615b4400773", + "SHA1": "e1e0a986b99795fa8c40328c5a01b5b8cbb9ca34", + "SHA256": "dd54115ef08b107691425e4c0bf94dc0ae7c522fba60a0ce3f574ebf4f5dbc5a" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.20.0.1008", + "FileVersion": "6.70.0.1098", "Product": "Trend Micro Eyes", - "ProductVersion": "6.20", - "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -100613,6 +103550,8 @@ "_GetModuleInfoByModuleName@8", "_InitKm2UmCommunication@8", "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", "_KmCallUm@8", "_KmCallUmByLPC@8", "_KmCallUmEx@12", @@ -100630,6 +103569,7 @@ "_UtilAddDeviceInDriveTable@4", "_UtilAddReparsePointMapping@8", "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", "_UtilCreateDosFileName@8", "_UtilDeleteFileForce@4", "_UtilGetDeviceObjectName@8", @@ -100647,6 +103587,7 @@ "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", 
@@ -100655,6 +103596,7 @@ "_UtilbuildDynamicDiskMappingTable@0", "_UtlWriteBinValueKeyToRegistry@16", "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ @@ -100727,6 +103669,7 @@ "RtlAppendUnicodeStringToString", "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", + "ExGetPreviousMode", "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", @@ -100740,27 +103683,28 @@ "ZwQuerySystemInformation", "ZwQueryDirectoryFile", "ZwQueryDirectoryObject", - "ZwDuplicateObject", "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", - "ExGetPreviousMode", "ZwTerminateProcess", "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", "IoFileObjectType", "_allrem", + "ZwQuerySecurityObject", "memcpy", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", "IoFreeIrp", "IoFreeMdl", - "MmUnlockPages", + "_purecall", "IoBuildAsynchronousFsdRequest", "_strnicmp", - "_purecall", + "RtlQueryRegistryValues", "RtlAppendUnicodeToString", "mbstowcs", "ZwQuerySymbolicLinkObject", @@ -100780,10 +103724,11 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", + "RtlImageNtHeader", "RtlCompareMemory", + "RtlUpcaseUnicodeString", "_snwprintf", "MmSystemRangeStart", - "RtlImageNtHeader", "wcsncmp", "strrchr", "ZwQueryVolumeInformationFile", @@ -100817,8 +103762,7 @@ "NtQueryInformationProcess", "PsIsThreadTerminating", "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", + "ZwFsControlFile", "ObInsertObject", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", @@ -100830,7 +103774,6 @@ "IoGetStackLimits", "IoBuildSynchronousFsdRequest", "wcsstr", - "RtlUpcaseUnicodeString", "IoUnregisterPlugPlayNotification", "FsRtlIsNameInExpression", "IoGetConfigurationInformation", 
@@ -100854,22 +103797,20 @@ "ExReleaseFastMutexUnsafe", "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "MmHighestUserAddress", - "ExAcquireFastMutexUnsafe", "ZwSetSecurityObject", + "ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "RtlQueryRegistryValues", + "MmUnlockPages", "KeGetCurrentThread", "KfAcquireSpinLock", "KfReleaseSpinLock", 
@@ -100887,37 +103828,37 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2010-05-10 00:00:00", - "ValidTo": "2015-05-10 23:59:59", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2016-03-29 00:00:00", + "ValidTo": "2017-06-28 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", - "ValidFrom": "2013-01-17 00:00:00", - "ValidTo": "2014-03-18 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", + "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -100926,184 +103867,183 @@ }, { "FileName": "TmComm.sys", - "MD5": "df9953fa93e1793456a8d428ba7e5700", - "SHA1": "8db4376a86bd2164513c178a578a0bf8d90e7292", - "SHA256": "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408", + "MD5": "85e606523ce390f7fcd8370d5f4b812a", + "SHA1": "55c64235d223baeb8577a2445fdaa6bedcde23db", + "SHA256": "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039", "Authentihash": { - "MD5": "33de043781d74ef12f02411b9944186e", - "SHA1": "a405bb5d0ca4862f40a0f9eadce8ef068f421004", - "SHA256": "d74599ab8960f16e8026dcd564c5407956444c46c3dea6b38b1c243fbbbdc517" + "MD5": "438eb42132c6fb062033d6effb62813c", + "SHA1": "e6c39b401e841e2351a9daa07b85abf679636f89", + "SHA256": "3ed3d54fb8222d861785f0d7e71d6223278fbf4d0baa335a54813087d7c3674e" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.60.0.1056", + "FileVersion": "7.30.0.1065", "Product": "Trend Micro Eyes", - "ProductVersion": "6.60", - "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", - "MachineType": "I386", + "ProductVersion": "7.30", + "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "CLASSPNP.SYS" + "ntoskrnl.exe" ], "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", - "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", - "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QAE@ABV0@@Z", - "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QAE@ABV0@@Z", - "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", - "??0CFile@@QAE@ABV0@@Z", - "??0CFile@@QAE@E@Z", - "??0CFileExtension@@QAE@ABV0@@Z", - "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", - "??0CKEvent@@QAE@ABV0@@Z", - "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", - "??0CList@@QAE@ABV0@@Z", - "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QAE@ABV0@@Z", - "??0CLockEvent@@QAE@XZ", - "??0CLockList@@QAE@ABV0@@Z", - "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", - 
"??0CMemoryAllocator@@QAE@ABV0@@Z", - "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", - "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@ABV0@@Z", - "??0CModuleConfig@@QAE@XZ", - "??0CModuleConfigList@@QAE@ABV0@@Z", - "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", - "??0CModuleFlagConfig@@QAE@ABV0@@Z", - "??0CModuleFlagConfig@@QAE@K@Z", - "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", - "??0CModuleStringConfig@@QAE@ABV0@@Z", - "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", - "??0CSmartLock@@QAE@XZ", - "??0CSmartReference@@QAE@AAJ@Z", - "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", - "??0CStrList@@QAE@ABV0@@Z", - "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QAE@ABV0@@Z", - "??0CSystemThread@@QAE@K@Z", - "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", - "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@ABV0@@Z", - "??0CWorkerThreadJob@@QAE@E@Z", - "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", - "??0CWorkerThreadJobQueue@@QAE@K@Z", - "??0CWorkerThreadPool@@QAE@ABV0@@Z", - "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", - "??0IMemoryAllocator@@QAE@ABV0@@Z", - "??0IMemoryAllocator@@QAE@XZ", - "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", - "??1CContext@@UAE@XZ", - "??1CContextList@@UAE@XZ", - "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", - 
"??1CFile@@UAE@XZ", - "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", - "??1CKEvent@@UAE@XZ", - "??1CList@@UAE@XZ", - "??1CLockEvent@@UAE@XZ", - "??1CLockList@@UAE@XZ", - "??1CMemoryAllocator@@UAE@XZ", - "??1CMemoryPoolAllocator@@UAE@XZ", - "??1CModuleConfig@@UAE@XZ", - "??1CModuleConfigList@@UAE@XZ", - "??1CModuleFileExtConfig@@UAE@XZ", - "??1CModuleFlagConfig@@UAE@XZ", - "??1CModuleMultiStringConfig@@UAE@XZ", - "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", - "??1CSmartLock@@QAE@XZ", - "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", - "??1CStrList@@UAE@XZ", - "??1CSystemThread@@UAE@XZ", - "??1CUserFuncAdapterJob@@UAE@XZ", - "??1CWorkerThread@@UAE@XZ", - "??1CWorkerThreadJob@@UAE@XZ", - "??1CWorkerThreadJobQueue@@UAE@XZ", - "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", - "??1IMemoryAllocator@@UAE@XZ", - "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??2CMemoryAllocator@@SGPAXI@Z", - "??2CMemoryPoolAllocator@@SGPAXI@Z", - "??3@YAXPAX@Z", - "??3IMemoryAllocator@@SGXPAX@Z", - "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", - "??4CContext@@QAEAAV0@ABV0@@Z", - "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", - "??4CFile@@QAEAAV0@ABV0@@Z", - "??4CKEvent@@QAEAAV0@ABV0@@Z", - "??4CLockEvent@@QAEAAV0@ABV0@@Z", - "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", - "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", - "??4CModuleConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", - "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEAAV0@ABV0@@Z", - "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", - "??4CSystemThread@@QAEAAV0@ABV0@@Z", - "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", - "??4CWorkerThread@@QAEAAV0@ABV0@@Z", - 
"??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", - "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + 
"??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + "??1CExclusionFilePathConfig@@UEAA@XZ", + 
"??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3@YAXPEAX_K@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + 
"??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", 
@@ -101144,532 +104084,519 @@ "??_7CWorkerThreadPool@@6B@", "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QAEXXZ", - "??_FCFile@@QAEXXZ", - "??_FCFileExtension@@QAEXXZ", - "??_FCModuleConfigList@@QAEXXZ", - "??_FCStrList@@QAEXXZ", - "??_FCSystemThread@@QAEXXZ", - "??_FCWorkerThread@@QAEXXZ", - "??_FCWorkerThreadJob@@QAEXXZ", - "??_FCWorkerThreadJobQueue@@QAEXXZ", - "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", - "??_V@YAXPAX@Z", - "?Acquire@CLockEvent@@QAEXXZ", - "?Add@CContextList@@QAEEPAVCContext@@@Z", - "?Add@CFileExtension@@QAEEPBGK@Z", - "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", - "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", - "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", - "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", - "?Cleanup@CModuleStringConfig@@AAEXXZ", - "?Close@CFile@@QAEJXZ", - "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", - "?Create@CFile@@QAEJPBGKKKK@Z", - "?Create@CSystemThread@@QAEEXZ", - "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", - "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", - "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", - "?Delete@CFile@@QAEJXZ", - "?Delete@CFileExtension@@QAEEPBGK@Z", - "?Delete@CStrList@@QAEEPBG@Z", - "?DeleteAll@CList@@UAEXXZ", - "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", - 
"?DeleteNode@CContextList@@MAEXPAX@Z", - "?DeleteNode@CList@@UAEXPAX@Z", - "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", - "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", - "?DoIt@CWorkerThreadJob@@QAEJXZ", - "?EntryPoint@CSystemThread@@KGXPAX@Z", - "?Find@CContextList@@QAEPAVCContext@@K@Z", - "?Find@CContextList@@QAEPAVCContext@@PAX@Z", - "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", - "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", - "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FindNode@CContextList@@IAEPAXPAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", - "?First@CList@@UAEPAXXZ", - "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", - "?Free@CMemoryAllocator@@UAEXPAX@Z", - "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", - "?GetAttributes@CFile@@QAEKXZ", - "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", - "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QAEKXZ", - "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", - "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QAEPAGXZ", - "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", - "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", - "?GetID@CModuleConfig@@QAEKXZ", - "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QAEKXZ", - "?GetLinkContext@CContext@@QAEPAXXZ", - 
"?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", - "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", - "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", - "?GetThreadID@CSystemThread@@QAEKXZ", - "?GetType@CContext@@QAEKXZ", - "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", - "?InitializeFlagConfig@CContext@@QAEHKK@Z", - "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", - "?InitializeStringConfig@CContext@@QAEHKPBG@Z", - "?Insert@CList@@UAEXQAXE@Z", - "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", - "?InsertAfter@CList@@UAEXPAX0@Z", - "?InsertBefore@CList@@UAEXPAX0@Z", - "?Instance@CWorkerThreadPool@@SGPAV1@XZ", - "?IsEmpty@CList@@UAEEXZ", - "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", - "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - 
"?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", - "?IsOpened@CFile@@QAEEXZ", - "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", - "?IsValid@CMemoryAllocator@@UAEEXZ", - "?IsValid@CMemoryPoolAllocator@@UAEEXZ", - "?IsValid@IMemoryAllocator@@UAEEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", - "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", - "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", - "?MatchAllExtensions@CFileExtension@@QAEEXZ", - "?MatchNoExtensions@CFileExtension@@QAEEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", - "?NeedDelete@CWorkerThreadJob@@QAEEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", - "?NewNode@CList@@UAEPAXXZ", - "?NewNode@CStrList@@EAEPAXXZ", - "?NewNodeVariant@CList@@IAEPAXK@Z", - "?Next@CList@@UBEPAXQAX@Z", - "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", - "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", - "?NotityTerminate@CWorkerThread@@QAEXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", - "?Pulse@CKEvent@@QAEJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", - "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", - "?ReferenceCount@CContext@@QAEAAKXZ", - "?Release@CLockEvent@@QAEXXZ", - "?Remove@CContextList@@UAEEQAX@Z", - "?Remove@CList@@UAEEQAX@Z", - "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", - 
"?RemoveHead@CList@@UAEPAXXZ", - "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", - "?RemoveTail@CList@@UAEPAXXZ", - "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", - "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", - "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", - "?Run@CWorkerThread@@UAEXXZ", - "?SeekToEnd@CFile@@QAEJXZ", - "?Set@CKEvent@@QAEJJE@Z", - "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", - "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", - "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", - "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", - "?SetLinkContext@CContext@@QAEXPAX@Z", - "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", - "?SetPriority@CSystemThread@@QAEXK@Z", - "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", - "?Setup@CSystemThread@@MAEXXZ", - "?StopUse@CContext@@QAEHXZ", - "?TearDown@CSystemThread@@MAEXXZ", - "?Terminate@CSystemThread@@QAEXE@Z", - "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", - "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", - 
"?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", - "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", - "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", - "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", - "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", - "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", - "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", - "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", - "_GetModuleInfoByAddress@8", - "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", - "_ModGetExportProcAddress@8", - "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", - "_ModLoadModule@8", - "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", - "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", - 
"_UtilGetSystemTime@4", - "_UtilIoSetFileInfo@24", - "_UtilIopCreateFileIRP@40", - "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", - "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", - "_UtilVolumeDeviceToDosName@8", - "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "??_V@YAXPEAX_K@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + "?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + 
"?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + 
"?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + 
"?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", 
+ "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + "?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + 
"?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "AllocFullFileName", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsVerifierCodeCheckFlagOn", + "IsWindows8_1_update", + 
"KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetBackupCommPortAPIs", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], "ImportedFunctions": [ - "wcsrchr", + "RtlInitUnicodeString", + "KeInitializeEvent", + "KeClearEvent", "KeSetEvent", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", + "ExFreePoolWithTag", + "ExAcquireFastMutexUnsafe", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObfReferenceObject", + "ObfDereferenceObject", + "ZwClose", + "ZwCreateSection", + "ZwOpenSection", + "ZwMapViewOfSection", + 
"ZwUnmapViewOfSection", + "ZwOpenEvent", "KePulseEvent", - "KeClearEvent", "KeStackAttachProcess", "KeUnstackDetachProcess", - "ObfDereferenceObject", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", "ZwSetEvent", - "ZwClose", - "ZwConnectPort", - "RtlInitUnicodeString", + "__C_specific_handler", + "PsProcessType", + "wcslen", + "wcsncpy", + "wcsrchr", "RtlUnicodeStringToInteger", - "ZwCreateSection", "ZwWaitForSingleObject", - "ZwOpenEvent", - "IoGetCurrentProcess", - "ObfReferenceObject", - "DbgBreakPoint", "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", - "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", - "MmGetSystemRoutineAddress", - "ObReleaseObjectSecurity", + "ZwConnectPort", + "_stricmp", + "ExAllocatePoolWithTag", + "MmIsAddressValid", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "SeCaptureSubjectContext", "SeReleaseSubjectContext", "SeAccessCheck", - "SeCaptureSubjectContext", "ObGetObjectSecurity", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "PsThreadType", + "MmSectionObjectType", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "KeDelayExecutionThread", + "ExGetPreviousMode", "DbgPrint", - "memset", - "MmIsAddressValid", + "swprintf", + "RtlCopyUnicodeString", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", 
"ExInitializeResourceLite", "ExDeleteResourceLite", - "ZwWriteFile", - "ZwReadFile", + "ZwCreateFile", "ZwQueryInformationFile", "ZwSetInformationFile", - "ZwCreateFile", - "swprintf", + "ZwReadFile", + "ZwWriteFile", "towupper", - "_wcsnicmp", - "ExAllocatePoolWithTag", - "KeInitializeEvent", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "PsGetCurrentThreadId", + "ObQueryNameString", + "PsGetVersion", "_snprintf", - "PsGetCurrentProcessId", + "_vsnprintf", + "RtlInitAnsiString", + "wcscat", + "RtlFreeUnicodeString", "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", "ZwCreateKey", - "ZwCreateEvent", - "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", + "ZwDeviceIoControlFile", "ZwNotifyChangeKey", - "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", + "ZwOpenFile", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "IoCreateFile", "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", - "KeWaitForSingleObject", + "_snwprintf", + "strlen", + "_strnicmp", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "ObOpenObjectByName", "KeSetPriorityThread", - "PsTerminateSystemThread", "PsCreateSystemThread", - "KeDelayExecutionThread", + "PsTerminateSystemThread", "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", - "ZwQuerySystemInformation", - "ZwQueryDirectoryFile", - "ZwQueryDirectoryObject", - "ZwDuplicateObject", + "RtlLengthSecurityDescriptor", "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey", + "ZwQueryKey", "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", + 
"ZwSetValueKey", "ZwTerminateProcess", "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "memcpy", + "ZwDuplicateObject", + "ZwQuerySecurityObject", "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", - "IoFreeIrp", - "IoFreeMdl", - "_purecall", - "IoBuildAsynchronousFsdRequest", - "_strnicmp", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "NtCreateFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "IoFileObjectType", + "ObInsertObject", + "wcschr", + "wcsncmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "mbstowcs", - "ZwQuerySymbolicLinkObject", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IoFreeIrp", "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", "NtClose", - "ObQueryNameString", "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", - "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "ProbeForRead", - "PsGetVersion", - "RtlImageNtHeader", - "RtlCompareMemory", - "RtlUpcaseUnicodeString", - "_snwprintf", + "SeQueryAuthenticationIdToken", "MmSystemRangeStart", - "wcsncmp", - "RtlCompareUnicodeString", - "strrchr", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", - "IofCompleteRequest", - "ExEventObjectType", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObOpenObjectByName", - 
"NtQueryInformationProcess", - "PsIsThreadTerminating", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwFsControlFile", - "ObInsertObject", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "strcpy", "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", + "RtlCompareUnicodeString", + "DbgPrintEx", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ExAllocatePool", + "ExpInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", "IoGetDeviceInterfaces", "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", - "KeTickCount", - "KeBugCheckEx", - "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "ZwQuerySecurityObject", - "ExAcquireFastMutexUnsafe", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", "IoDeviceObjectType", "IoCreateDevice", + "RtlGetOwnerSecurityDescriptor", "RtlGetDaclSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", "SeCaptureSecurityDescriptor", + "RtlLengthSid", "SeExports", "IoIsWdmVersionAvailable", - "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "MmUnlockPages", - "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", - 
"KfLowerIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeGetCurrentIrql", - "KfRaiseIrql", - "ClassInitialize" + "RtlAnsiStringToUnicodeString", + "_purecall", + "KeBugCheckEx" ], "Signatures": [ { @@ -101677,17 +104604,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", - "ValidFrom": "2015-12-31 00:00:00", - "ValidTo": "2019-07-09 18:40:36", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2016-03-29 00:00:00", - "ValidTo": "2017-06-28 23:59:59", - "Signature": "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", + "ValidFrom": "2017-04-27 00:00:00", + "ValidTo": "2018-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -101707,7 +104641,7 @@ ], "Signer": [ { - "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "SerialNumber": "497c4fad471540e6e453d0cafb155740", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] @@ -101716,19 +104650,19 @@ }, { "FileName": "TmComm.sys", - "MD5": "58a92520dda53166e322118ee0503364", - "SHA1": "d2be76e79741454b4611675b58446e10fc3d0c6c", - "SHA256": "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b", + "MD5": "6e25148bb384469f3d5386dc5217548a", + "SHA1": "dbf6e72c08824fe49c29b7660c9965c37d983e93", + "SHA256": "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f", "Authentihash": { - "MD5": "7311c7bcd55dd7a769f43b480c1978d8", - "SHA1": "390bd5d395784a675a3b62929407a4f83e0bcc87", - "SHA256": "2175f4289f3bae19b058e5a4f590c200bede255cd2716dfb054d5e0840f70359" + "MD5": "2778b2480e305bca99547b921a96ede5", + "SHA1": "69044e94c725b1536c4f721b5a0cd9816581c745", + "SHA256": "eb14c5db8307488809897be13c66ef02941f6020f9c34a9664db92a00d551f4a" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1129", + "FileVersion": "6.70.0.1128", "Product": "Trend Micro Eyes", "ProductVersion": "6.70", "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", @@ -102200,9 +105134,7 @@ "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", - "_NormalizeFileName1@8", "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName1@8", "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", "_UtilAddDeviceInDriveTable@4", 
@@ -102464,6 +105396,13 @@ "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ + { + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", + "ValidFrom": "2019-07-12 00:00:00", + "ValidTo": "2020-07-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", "ValidFrom": "2011-04-15 19:45:33", @@ -102471,13 +105410,6 @@ "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "??=TW, ??=Private Organization, serialNumber=23310837, C=TW, ST=Taipei City, L=Da???an District, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2020-08-07 00:00:00", - "ValidTo": "2021-04-15 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, { "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", "ValidFrom": "2014-10-22 00:00:00", 
@@ -102486,10 +105418,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { @@ -102502,8 +105434,8 @@ ], "Signer": [ { - "SerialNumber": "0f6146af9397c7fa04b13c2d0279a1ba", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } 
@@ -102511,27 +105443,28 @@ }, { "FileName": "TmComm.sys", - "MD5": "4c6d311e0b13c4f469f717db4ab4d0e7", - "SHA1": "6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77", - "SHA256": "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085", + "MD5": "ad866d83b4f0391aecceb4e507011831", + "SHA1": "2cc70b772b42e0208f345c7c70d78f7536812f99", + "SHA256": "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272", "Authentihash": { - "MD5": "8dfae750a79d89ab846e49f1f587a361", - "SHA1": "1d11a90b1d32a812a7dd36a886254d446cdd823a", - "SHA256": "af45d91fefd4dfffda0ce70957a542b68775368432e52d20dfdf0fc159495c7f" + "MD5": "9242d88e9b533ca214638aadacfb515a", + "SHA1": "9892893a2a7d2a458ee795eeee065f64d4f6e3c4", + "SHA256": "6ad7bdf11a7ce7296a06eb4f14091df84fafdb04413e714f09f9ea6c686a1323" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1091", + "FileVersion": "5.0.0.1113", "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "5.0", + "Copyright": "Copyright (C) 2005-2011 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", "HAL.dll", - "CLASSPNP.SYS" + "CLASSPNP.SYS", + "SCSIPORT.SYS" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", 
@@ -102560,14 +105493,6 @@ "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", @@ -102628,10 +105553,6 @@ "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -102695,10 +105616,6 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -102842,10 +105759,6 @@ "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", 
@@ -102889,10 +105802,6 @@ "?RemoveTail@CLockList@@UAEPAXXZ", "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", "?Run@CDelayLoadThread@@UAEXXZ", @@ -102904,7 +105813,7 @@ "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", "?SetEngineContext@CContext@@QAEXPAX@Z", "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", @@ -102926,8 +105835,7 @@ "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitForReady@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", "?Write@CDebugLog@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", @@ -102959,8 +105867,6 @@ "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", @@ -102973,15 +105879,9 @@ "_UtilWaitValueChangeToZero@8", "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", - "KePulseEvent", - "KeClearEvent", - "KeInitializeSemaphore", "KeWaitForSingleObject", "KeReleaseSemaphore", "KeStackAttachProcess", 
@@ -103016,7 +105916,6 @@ "DbgBreakPoint", "PsGetProcessExitTime", "MmSectionObjectType", - "PsThreadType", "DbgPrint", "memset", "MmIsAddressValid", @@ -103069,13 +105968,13 @@ "ZwSetValueKey", "MmHighestUserAddress", "IoFreeIrp", - "memcpy", + "IoFreeMdl", "MmUnlockPages", - "IoBuildAsynchronousFsdRequest", + "KeInitializeSemaphore", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "_purecall", + "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", @@ -103121,10 +106020,9 @@ "ObOpenObjectByName", "IoDriverObjectType", "RtlAppendUnicodeStringToString", - "strncmp", "NtQueryInformationProcess", - "IoThreadToProcess", "PsIsThreadTerminating", + "PsThreadType", "KeAddSystemServiceTable", "ZwQueryObject", "ZwQuerySecurityObject", @@ -103137,36 +106035,19 @@ "RtlUpcaseUnicodeString", "ObCreateObject", "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "MmSystemRangeStart", - "wcsstr", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmFreeContiguousMemory", + "MmAllocateContiguousMemory", + "MmMapIoSpace", "KeTickCount", "KeBugCheckEx", "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "IoFreeMdl", - "ExAcquireFastMutexUnsafe", + "KeClearEvent", + "KePulseEvent", + "KeSetEvent", + "wcsrchr", + "memcpy", "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", 
@@ -103179,18 +106060,29 @@ "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", + "wcschr", "RtlAbsoluteToSelfRelativeSD", - "mbstowcs", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "_purecall", + "IoBuildAsynchronousFsdRequest", "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", - "KeGetCurrentIrql", - "ExAcquireFastMutex", "ExReleaseFastMutex", - "KfRaiseIrql", - "ClassInitialize" + "ExAcquireFastMutex", + "ClassInitialize", + "ScsiPortReadPortBufferUshort", + "ScsiPortReadPortUchar", + "ScsiPortWritePortUchar", + "ScsiPortStallExecution", + "ScsiPortWritePortBufferUshort" ], "Signatures": [ { 
@@ -103198,10 +106090,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2010-05-10 00:00:00", - "ValidTo": "2015-05-10 23:59:59", - "Signature": "c8fb63f80b75752c3af1f213a72db6a31a9cad0107d3348e77e0c26eae025d484fa4d221b636fd2a35437c6bdf80870b15f0763200b4ceb567a42f2f201b9c549e833f1f5f149562820f2241221f70b3f3f742de6c51cd4bf821ac9b3b8cb1e5e6288fce2a8af9aa524d8c5b77ba4d5a58dbbb6a04cc521e9de228370ebbe70e91c7f8dbf18198ebcd37b30eab65d362ec3aa576eb13a83593c92e0a01ecc0e8cc3d7eb6ebe2c1ecd3149282668750dcfd5097acb34a767306c486113ab35f4304526feab3d074364ccaf11b7984377063ad74b9aa0ef398b08608ebdbe01f8c10f239649bae4f0a2c928a4f18b591e58d1a935f1faef1a6f02e97d0d2f62b3c", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -103215,212 +106114,182 @@ "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", - "ValidFrom": "2013-01-17 00:00:00", - "ValidTo": "2014-03-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - }, - { - "FileName": "TmComm.sys", - "MD5": "1db988eb9ac5f99756c33b91830a9cf6", - "SHA1": 
"4471935df0e68fe149425703b66f1efca3d82168", - "SHA256": "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01", - "Authentihash": { - "MD5": "a134546e7fd28a27327fd6e4c7ddad9e", - "SHA1": "3f0972132e791e4b24c6a390633aff670afd7ccc", - "SHA256": "3912c38f4c09b107ee9bbb60f43a8193d6bacf00bfb3b59b7b146d76594797cf" - }, - "Description": "TrendMicro Common Module", - "Company": "Trend Micro Inc.", - "InternalName": "TmComm.sys", - "OriginalFilename": "TmComm.sys", - "FileVersion": "7.30.0.1078", - "Product": "Trend Micro Eyes", - "ProductVersion": "7.30", - "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - 
"??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - 
"??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - "??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3@YAXPEAX_K@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - 
"??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-01-31 00:00:00", + "ValidTo": "2012-02-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "24e3d70b86ed54d0b22c3450b960984e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "dd9596c18818288845423c68f3f39800", + "SHA1": "fb1570b4865083dfce1fcff2bd72e9e1b03cead5", + "SHA256": "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e", + "Authentihash": { + "MD5": "ad490c2e1c6e3f31f1cd1073b03bb866", + "SHA1": 
"a2c557dd6ee13783291800be7a6d28af2bc051a4", + "SHA256": "5b08743c8e1de8343ab0a0d453ca76487c6a438608c68c2b2921ea2c2a92821c" + }, + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "2.80.0.1077", + "Product": "Trend Micro AEGIS", + "ProductVersion": "2.80", + "Copyright": "Copyright (C) 2005-2009 Trend Micro Incorporated. All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + 
"??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + 
"??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", "??_7CExclusionFilePathConfig@@6B@", 
@@ -103428,10 +106297,6 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -103444,7 +106309,6 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", 
@@ -103452,521 +106316,1208 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "??_V@YAXPEAX_K@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - 
"?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - 
"?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - 
"?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", 
- "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - 
"?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "AllocFullFileName", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetBackupCommPortAPIs", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - 
"UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + 
"?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + 
"?GetFBCallBackRoutine@CContext@@QAEKXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + 
"?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + 
"?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilCleanFileReadOnly@4", + "_UtilDeleteFileForce@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilQueryKeyValue@24", + 
"_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "__UtilDosPathNameToNtPathName@12" + ], + "ImportedFunctions": [ + "ExReleaseFastMutexUnsafe", + "wcsncpy", + "memcpy", + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "DbgPrint", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", + "ExFreePoolWithTag", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ObfDereferenceObject", + "ZwSetEvent", + "ZwClose", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "memmove", + "KeStackAttachProcess", + "ZwConnectPort", + "RtlInitUnicodeString", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ObfReferenceObject", + "IoGetCurrentProcess", + "memset", + "MmIsAddressValid", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", + "swprintf", + "towupper", + "_wcsnicmp", + "KeInitializeEvent", + "_snprintf", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", + "ZwNotifyChangeKey", + "PsGetCurrentThreadId", + "_vsnprintf", + "KeSetPriorityThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeNumberProcessors", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", + "ZwTerminateProcess", + "ObOpenObjectByPointer", + "PsProcessType", + "KeLeaveCriticalRegion", + "ZwQueryKey", + "ZwSetValueKey", + "MmHighestUserAddress", + 
"IoFreeIrp", + "IoFreeMdl", + "MmUnlockPages", + "_purecall", + "ProbeForWrite", + "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "KeDelayExecutionThread", + "mbstowcs", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "NtClose", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlCompareMemory", + "RtlCopyUnicodeString", + "RtlImageNtHeader", + "PsLookupProcessByProcessId", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "strrchr", + "KeBugCheckEx", + "RtlAppendUnicodeStringToString", + "IofCompleteRequest", + "ExEventObjectType", + "_allmul", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "ProbeForRead", + "IoGetDeviceObjectPointer", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "RtlUpperChar", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "IoDriverObjectType", + "NtQueryInformationProcess", + "_snwprintf", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "IoBuildDeviceIoControlRequest", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "_allshr", + "KeTickCount", + "RtlUnwind", + "KeEnterCriticalRegion", + "ZwOpenProcess", + "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", + 
"SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "IoBuildAsynchronousFsdRequest", + "KeGetCurrentThread", + "KfLowerIrql", + "KeRaiseIrqlToDpcLevel", + "ClassInitialize" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2008-01-16 00:00:00", + "ValidTo": "2011-02-16 23:59:59", + "Signature": 
"5a693868cea6ba49064b801a0d9e12887a37cbb92cca2950cc5e99c2df9aec5697422e67cd042836daf09a09e739f625255841fed1ec9657cb8b3edc08c55c302574cbdb3f7de2798ed769d766402619b48041f9d90f8c904488788412b1c632055e1afc4a5bbac642cb626bd20fece0feaa6cf9b287887788cf64586309a14a644b5f0595c0ddcb7d789831faedb48451e40e342da4ccbc38a5e992e57e7ce5328d531a8c68e61f9dc9be65605c1bedf3358579000b91a19b3be388bac36b58ca76b72358bd8e74e0a7b08b0587bb7a29758c01af40b80e8e72c76abd3a2babfe7c1ed6e7b1cd9b0221a605062b6d9d0ceb57e0eb305fdc5eb5bf6ea442f4c9", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "645212f783f4d7aba3555729e99ce065", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "3e796eb95aca7e620d6a0c2118d6871b", + "SHA1": "dc6e62dbde5869a6adc92253fff6326b6af5c8d4", + "SHA256": "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0", + "Authentihash": { + "MD5": "3d01509bec77747dea890e23147245ca", + "SHA1": "3dab396397670007e1d04f9497a7d4d6244d0cb7", + "SHA256": "c032e2abdf4f07ba42ce4559e6413387becbebb0a43c287b6d367dbb33bde751" + }, + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.60.0.1082", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.60", + "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", 
+ "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + 
"??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + 
"??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + 
"?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + 
"?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + 
"?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + 
"?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + 
"?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + 
"_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetFileVersionOfNtoskrnl@16", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeInitializeEvent", - "KeClearEvent", - "KeSetEvent", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KeWaitForSingleObject", - "ExFreePoolWithTag", - 
"ExAcquireFastMutexUnsafe", - "ExReleaseFastMutexUnsafe", - "ProbeForRead", - "ProbeForWrite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoFreeMdl", - "IoGetCurrentProcess", - "ObfReferenceObject", - "ObfDereferenceObject", - "ZwClose", - "ZwCreateSection", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ZwOpenEvent", "KePulseEvent", + "KeClearEvent", "KeStackAttachProcess", "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", + "ObfDereferenceObject", "ZwSetEvent", - "__C_specific_handler", - "PsProcessType", - "wcslen", - "wcsncpy", - "wcsrchr", + "ZwClose", + "ZwConnectPort", + "RtlInitUnicodeString", "RtlUnicodeStringToInteger", + "ZwCreateSection", "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", "ZwRequestWaitReplyPort", - "ZwConnectPort", - "_stricmp", - "ExAllocatePoolWithTag", - "MmIsAddressValid", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", - "ObGetObjectSecurity", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "PsThreadType", - "MmSectionObjectType", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "KeDelayExecutionThread", - "ExGetPreviousMode", + "ExFreePoolWithTag", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", + "PsGetProcessExitTime", + "MmSectionObjectType", + "PsThreadType", + "MmGetSystemRoutineAddress", + "ObReleaseObjectSecurity", + 
"SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", "DbgPrint", - "swprintf", - "RtlCopyUnicodeString", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", + "memset", + "MmIsAddressValid", "ExInitializeResourceLite", "ExDeleteResourceLite", - "ZwCreateFile", + "ZwWriteFile", + "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", + "ZwCreateFile", + "swprintf", "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "PsGetCurrentThreadId", - "ObQueryNameString", - "PsGetVersion", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "KeInitializeEvent", "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", - "wcscat", - "RtlFreeUnicodeString", + "PsGetCurrentProcessId", "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "ZwCreateKey", + "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", "ZwDeviceIoControlFile", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "ZwOpenFile", - "ZwQueryVolumeInformationFile", - "mbstowcs", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "IoCreateFile", + "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", - "_snwprintf", - "strlen", - "_strnicmp", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "ObOpenObjectByName", + "ExGetPreviousMode", + "KeWaitForSingleObject", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", + 
"PsCreateSystemThread", + "KeDelayExecutionThread", "KeNumberProcessors", - "RtlLengthSecurityDescriptor", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey", - "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", "ZwTerminateProcess", "ZwOpenProcess", - "ZwDuplicateObject", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", - "NtCreateFile", - "NtQueryInformationFile", - "NtSetInformationFile", + "ZwQueryKey", + "ZwSetValueKey", "IoFileObjectType", - "ObInsertObject", - "wcschr", - "wcsncmp", + "_allrem", + "KeSetEvent", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "_purecall", + "MmUnlockPages", + "IoBuildAsynchronousFsdRequest", + "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IoFreeIrp", - "ZwOpenSymbolicLinkObject", + "mbstowcs", "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", + "ZwOpenSymbolicLinkObject", "NtClose", + "ObQueryNameString", "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "RtlUpcaseUnicodeString", + "_snwprintf", "MmSystemRangeStart", + "wcsncmp", + "RtlCompareUnicodeString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + 
"RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IoGetDeviceObjectPointer", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "strcpy", - "wcsstr", - "RtlCompareUnicodeString", - "DbgPrintEx", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ExAllocatePool", - "ExpInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", + "_allshr", + "ExInterlockedPopEntrySList", "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", + "IoBuildSynchronousFsdRequest", + "wcsstr", "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "wcsrchr", + "memcpy", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ZwQuerySecurityObject", + 
"ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlLengthSid", "SeExports", "IoIsWdmVersionAvailable", + "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "RtlAnsiStringToUnicodeString", - "_purecall", - "KeBugCheckEx" + "IoFreeMdl", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
@@ -103974,45 +107525,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", + "ValidFrom": "2019-07-12 00:00:00", + "ValidTo": "2020-07-10 12:00:00", + "Signature": "5c08ae5d586a4751195382d6889dc2fc500e7c39c641e1a58def8d923e12b754e2cc35720cc8d3d29382980debf7d98fcc17d764187126dd07c134fdbb96dd44fe8a40195df6f6acd1881fa5ba2921dadceb3f64422344672834813916bbdf317533cf6aaf3317d78197d7d6c560ad681de135f39e2d4ad345b7fe491162660a5462c6075fd725382df1e6e6bc3a4c443be778f79b07f181082e38150ca28ab932f99e4bc4185dc5b3b6edf22c187fdfd84e23a21e7da1989837f43b89aa172e6b34dbcb297bffd511a1d1c100b25e0e921f622a0845e23317f9fec83659ca21c241800683e0dd66ce4d042a8aefc4142b5923a6fa93ee72c48e8dc04c13b4b0", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { 
- "SerialNumber": "497c4fad471540e6e453d0cafb155740", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } @@ -104020,22 +107571,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "f33c3f08536f988aac84d72d83b139a6", - "SHA1": "07f60b2b0e56cb15aad3ca8a96d9fe3a91491329", - "SHA256": "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10", + "MD5": "f4b7b84a6828d2f9205b55cf8cfc7742", + "SHA1": "e835776e0dc68c994dd18e8628454520156c93e3", + "SHA256": "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4", "Authentihash": { - "MD5": "9c5ecf2cf0ba2a3297f9677d514c2a39", - "SHA1": "01df70bdb08dda678118d4449b6171fe387b5d0c", - "SHA256": "35a7be9b0cde8c3d409a472a320541df070d7af6008e6458a05947f2591da9b5" + "MD5": "0fe42b5332d879959e93066779cac8e5", + "SHA1": "06c69146793ba18827da747ce0f0a5a13cc4399f", + "SHA256": "1f642b5e76572b80684d15bf48bb6e2b6d2743171280ab50502284808a515904" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1070", - "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "3.20.0.1012", + "Product": "Trend Micro AEGIS", + "ProductVersion": "3.20", + "Copyright": "Copyright (C) 2005-2010 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", 
@@ -104053,8 +107604,6 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", "??0CExclusionExtConfig@@QAE@KKE@Z", "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", @@ -104069,14 +107618,6 @@ "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", @@ -104101,13 +107642,10 @@ "??0CModuleMultiStringConfig@@QAE@KK@Z", "??0CModuleStringConfig@@QAE@ABV0@@Z", "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", "??0CSmartLock@@QAE@XZ", "??0CSmartReference@@QAE@AAJ@Z", "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", "??0CStrList@@QAE@ABV0@@Z", "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CSystemThread@@QAE@ABV0@@Z", @@ -104129,7 +107667,6 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", "??1CExclusionFilePathConfig@@UAE@XZ", @@ -104137,10 +107674,6 @@ "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", 
@@ -104153,10 +107686,8 @@ "??1CModuleFlagConfig@@UAE@XZ", "??1CModuleMultiStringConfig@@UAE@XZ", "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", "??1CSmartLock@@QAE@XZ", "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", "??1CStrList@@UAE@XZ", "??1CSystemThread@@UAE@XZ", "??1CUserFuncAdapterJob@@UAE@XZ", @@ -104174,7 +107705,6 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", "??4CLockEvent@@QAEAAV0@ABV0@@Z", @@ -104185,7 +107715,6 @@ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", "??4CSystemThread@@QAEAAV0@ABV0@@Z", "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", "??4CWorkerThread@@QAEAAV0@ABV0@@Z", @@ -104196,7 +107725,6 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", "??_7CExclusionFilePathConfig@@6B@", @@ -104204,10 +107732,6 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -104220,7 +107744,6 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", 
@@ -104246,14 +107769,12 @@ "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", "?Cancel@CWorkerThreadJob@@QAEXXZ", "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", "?Cleanup@CBlobConfig@@AAEXXZ", "?Cleanup@CModuleFileExtConfig@@IAEXXZ", @@ -104261,7 +107782,6 @@ "?Cleanup@CModuleStringConfig@@AAEXXZ", "?Close@CFile@@QAEJXZ", "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", "?Create@CFile@@QAEJPBGKKKK@Z", "?Create@CSystemThread@@QAEEXZ", "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", @@ -104274,7 +107794,6 @@ "?Delete@CStrList@@QAEEPBG@Z", "?DeleteAll@CList@@UAEXXZ", "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", "?DeleteNode@CContextList@@MAEXPAX@Z", "?DeleteNode@CList@@UAEXPAX@Z", "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", @@ -104291,7 +107810,6 @@ "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", "?Free@CMemoryAllocator@@UAEXPAX@Z", "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", "?GetAttributes@CFile@@QAEKXZ", 
@@ -104336,25 +107854,18 @@ "?InitializeStringConfig@CContext@@QAEHKPBG@Z", "?Insert@CList@@UAEXQAXE@Z", "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", "?InsertAfter@CList@@UAEXPAX0@Z", "?InsertBefore@CList@@UAEXPAX0@Z", "?Instance@CWorkerThreadPool@@SGPAV1@XZ", "?IsEmpty@CList@@UAEEXZ", "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", @@ -104364,7 +107875,6 @@ "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", "?MatchNoExtensions@CFileExtension@@QAEEXZ", "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", @@ -104376,7 +107886,6 @@ "?NewNodeVariant@CList@@IAEPAXK@Z", "?Next@CList@@UBEPAXQAX@Z", "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", 
@@ -104390,21 +107899,13 @@ "?Remove@CContextList@@UAEEQAX@Z", "?Remove@CList@@UAEEQAX@Z", "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", "?RemoveHead@CList@@UAEPAXXZ", "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", "?RemoveTail@CList@@UAEPAXXZ", "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", "?Run@CWorkerThread@@UAEXXZ", "?SeekToEnd@CFile@@QAEJXZ", "?Set@CKEvent@@QAEJJE@Z", @@ -104413,7 +107914,7 @@ "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", "?SetEngineContext@CContext@@QAEXPAX@Z", "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", @@ -104435,8 +107936,6 @@ "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", "?Write@CDebugLog@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", @@ -104452,7 +107951,7 @@ "_GetModuleInfoByModuleName@8", "_InitKmLPC@0", "_KmCallUm@8", - "_KmCallUmEx@12", + "_MapMem@12", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", "_ModLoadDLLToBufferWithImageSize@8", 
@@ -104461,15 +107960,12 @@ "_NormalizeFileName@4", "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", + "_UnMapMem@8", "_UtilCleanFileReadOnly@4", "_UtilDeleteFileForce@4", "_UtilGetFileObjectForProcessByEPROC@8", "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", @@ -104477,15 +107973,16 @@ "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ + "ExReleaseFastMutexUnsafe", + "wcsncpy", + "memcpy", "wcsrchr", "KeSetEvent", "KePulseEvent", @@ -104522,15 +108019,10 @@ "ZwOpenEvent", "ObfReferenceObject", "IoGetCurrentProcess", - "DbgBreakPoint", "PsGetProcessExitTime", - "MmSectionObjectType", - "PsThreadType", "DbgPrint", "memset", "MmIsAddressValid", - "ExInitializeResourceLite", - "ExDeleteResourceLite", "ZwWriteFile", "ZwReadFile", "ZwQueryInformationFile", 
@@ -104552,42 +108044,43 @@ "ZwNotifyChangeKey", "PsGetCurrentThreadId", "_vsnprintf", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "MmUnmapLockedPages", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", "KeNumberProcessors", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "KeDelayExecutionThread", - "ZwOpenDirectoryObject", - "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", "ZwQueryDirectoryFile", + "ZwOpenDirectoryObject", "ZwQueryDirectoryObject", "ZwDuplicateObject", "ZwOpenKey", - "ZwEnumerateKey", + "KeLeaveCriticalRegion", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", "ExGetPreviousMode", "ZwTerminateProcess", - "ZwOpenProcess", + "_purecall", "ZwQueryKey", "ZwSetValueKey", - "MmHighestUserAddress", - "memcpy", + "IoFreeIrp", "IoFreeMdl", "MmUnlockPages", "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "_purecall", + "KeDelayExecutionThread", + "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", + "PsLookupProcessByProcessId", "ZwSetInformationObject", "_stricmp", "ZwUnmapViewOfSection", @@ -104598,7 +108091,6 @@ "IoCreateFile", "IofCallDriver", "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", "IoAllocateMdl", "ProbeForRead", "PsGetVersion", @@ -104611,13 +108103,13 @@ "RtlAnsiStringToUnicodeString", "RtlInitAnsiString", "strrchr", + "KeBugCheckEx", + "RtlAppendUnicodeStringToString", "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", "ObQueryNameString", - "IoBuildDeviceIoControlRequest", "IofCompleteRequest", "ExEventObjectType", - "_allmul", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", 
@@ -104627,12 +108119,10 @@ "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", + "MmSectionObjectType", "ObOpenObjectByName", "IoDriverObjectType", - "RtlAppendUnicodeStringToString", - "strncmp", "NtQueryInformationProcess", - "PsIsThreadTerminating", "KeAddSystemServiceTable", "ZwQueryObject", "ZwQuerySecurityObject", @@ -104642,38 +108132,11 @@ "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", - "RtlUpcaseUnicodeString", "ObCreateObject", - "_allshr", - "ExInterlockedPopEntrySList", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "MmSystemRangeStart", - "IoUnregisterPlugPlayNotification", - "FsRtlIsNameInExpression", - "wcsstr", - "IoGetConfigurationInformation", - "MmProbeAndLockPages", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", - "wcschr", - "wcsncat", - "wcstombs", "KeTickCount", - "KeBugCheckEx", "RtlUnwind", - "wcsncpy", - "ExReleaseResourceLite", - "ExAcquireResourceExclusiveLite", - "ExAcquireResourceSharedLite", - "ExReleaseFastMutexUnsafe", - "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "IoFreeIrp", + "ZwEnumerateKey", "ExAcquireFastMutexUnsafe", "ZwSetSecurityObject", "IoDeviceObjectType", @@ -104687,17 +108150,12 @@ "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", + "wcschr", "RtlAbsoluteToSelfRelativeSD", - "mbstowcs", + "ZwOpenProcess", "KeGetCurrentThread", - "KfAcquireSpinLock", - "KfReleaseSpinLock", - "KeRaiseIrqlToDpcLevel", "KfLowerIrql", - "KeGetCurrentIrql", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KfRaiseIrql", + "KeRaiseIrqlToDpcLevel", "ClassInitialize" ], "Signatures": [ 
@@ -104706,10 +108164,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -104720,10 +108178,17 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2008-01-16 00:00:00", + "ValidTo": "2011-02-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -104732,19 +108197,12 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-12-27 00:00:00", - "ValidTo": "2013-02-15 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "645212f783f4d7aba3555729e99ce065", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -104752,22 +108210,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "46edb648c1b5c3abd76bd5e912dac026", - "SHA1": "3f43412c563889a5f5350f415f7040a71cc25221", - "SHA256": "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd", + "MD5": "29122f970a9e766ef01a73e0616d68b3", + "SHA1": "432fa24e0ce4b3673113c90b34d6e52dc7bac471", + "SHA256": "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69", "Authentihash": { - "MD5": "24d18871ef8362a3fc2296f859f34793", - "SHA1": "fcd9d88abae49a60c462fdfb0cca8f1d105eb3b1", - "SHA256": "92bb92314ad69e9d118df55924ddab76b983029f1eae7739bbb098c6bea86ca1" + "MD5": "84cb997d2380df8ee2ac77eacdb2d9f7", + "SHA1": "c8c6a98f592d7255d12b7a6c3d7f5bf5c4a34b50", + "SHA256": "62d1ca62fb251b1eeda5d2577719414e6e26d4afdc5f3df3faf3b35de5cb9506" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1070", + "FileVersion": "6.70.0.1140", "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2021 Trend Micro Incorporated. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" @@ -104783,6 +108241,8 @@ "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", "??0CDebugLog@@QEAA@AEBV0@@Z", "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", "??0CDelayLoadThread@@QEAA@AEBV0@@Z", "??0CDelayLoadThread@@QEAA@XZ", "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", @@ -104843,7 +108303,7 @@ "??0CSystemThread@@QEAA@AEBV0@@Z", "??0CSystemThread@@QEAA@K@Z", "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z0@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QEAA@AEBV0@@Z", "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", 
@@ -104852,6 +108312,8 @@ "??0CWorkerThreadJobQueue@@QEAA@K@Z", "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", "??0IMemoryAllocator@@QEAA@AEBV0@@Z", "??0IMemoryAllocator@@QEAA@XZ", "??1CAutoUpdateConfigThread@@UEAA@XZ", @@ -104859,6 +108321,7 @@ "??1CContext@@UEAA@XZ", "??1CContextList@@UEAA@XZ", "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", "??1CDelayLoadThread@@UEAA@XZ", "??1CExclusionExtConfig@@UEAA@XZ", "??1CExclusionFileNameConfig@@UEAA@XZ", @@ -104894,6 +108357,7 @@ "??1CWorkerThreadJob@@UEAA@XZ", "??1CWorkerThreadJobQueue@@UEAA@XZ", "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", "??1IMemoryAllocator@@UEAA@XZ", "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", "??2CMemoryAllocator@@SAPEAX_K@Z", @@ -104904,6 +108368,7 @@ "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", "??4CContext@@QEAAAEAV0@AEBV0@@Z", "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", "??4CFile@@QEAAAEAV0@AEBV0@@Z", "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", @@ -104926,6 +108391,7 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", @@ -104958,6 +108424,7 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QEAAXXZ", "??_FCFile@@QEAAXXZ", 
@@ -104997,7 +108464,9 @@ "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", "?Delete@CFile@@QEAAJXZ", "?Delete@CFileExtension@@QEAAEPEBGK@Z", @@ -105019,6 +108488,8 @@ "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", "?FindNode@CContextList@@IEAAPEAXPEAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", "?First@CList@@UEAAPEAXXZ", "?First@CLockList@@UEAAPEAXXZ", "?First@CNoLockList@@UEAAPEAXXZ", 
@@ -105041,24 +108512,31 @@ "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", "?GetID@CModuleConfig@@QEAAKXZ", "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QEAAKXZ", "?GetLinkContext@CContext@@QEAAPEAXXZ", "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", "?GetModuleId@CModuleConfig@@QEAAKXZ", "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", "?GetSize@CBlobConfig@@QEAAKXZ", "?GetStringConfig@CContext@@QEAAPEAGK@Z", "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", "?GetThreadID@CSystemThread@@QEAA_KXZ", "?GetType@CContext@@QEAAKXZ", "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", "?InitializeFlagConfig@CContext@@QEAAHKK@Z", 
@@ -105087,12 +108565,15 @@ "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", "?IsOpened@CFile@@QEAAEXZ", "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", "?IsValid@CMemoryAllocator@@UEAAEXZ", "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", "?IsValid@IMemoryAllocator@@UEAAEXZ", "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QEAAKXZ", "?Limit@CNoLockList@@QEAAKXZ", "?MatchAllExtensions@CFileExtension@@QEAAEXZ", @@ -105110,11 +108591,14 @@ "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", "?NotityTerminate@CWorkerThread@@QEAAXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", "?Pulse@CKEvent@@QEAAJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", "?ReferenceCount@CContext@@QEAAAEAKXZ", "?Release@CLockEvent@@QEAAXXZ", "?Remove@CContextList@@UEAAEQEAX@Z", @@ -105150,6 +108634,7 @@ "?SetFlagConfig@CContext@@UEAAJKK@Z", "?SetLinkContext@CContext@@QEAAXPEAX@Z", "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", 
@@ -105162,37 +108647,64 @@ "?TearDown@CSystemThread@@MEAAXXZ", "?Terminate@CSystemThread@@QEAAXE@Z", "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", "?WaitForInit@CDelayLoadThread@@QEAAEXZ", "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "DeInitKm2UmCommunication", "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetFileVersionOfNtoskrnl", + "GetKm2UmMode", "GetModuleInfoByAddress", "GetModuleInfoByModuleName", + "InitKm2UmCommunication", "InitKmLPC", + "IsWindows8_1_update", "KmCallUm", + "KmCallUmByLPC", "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetCommPortAPIs", "ModGetExportProcAddress", "ModLoadDLLToBuffer", "ModLoadDLLToBufferWithImageSize", "ModLoadModule", "ModUnLoadModule", "NormalizeFileName", + "NormalizeFileName1", "NormalizeFullNtPathToDosName", + "NormalizeFullNtPathToDosName1", "TmCommConfigRoutine", "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + 
"UtilCloseExclusiveHandle", + "UtilCreateDosFileName", "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", "UtilGetFileObjectForProcessByEPROC", "UtilGetFileObjectFromFileName", "UtilGetProcessName", @@ -105205,6 +108717,8 @@ "UtilKeGetLowFileDevice", "UtilModuleIATHook", "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", "UtilQueryKeyValue", "UtilRemoveDeviceFromDriveTable", "UtilVolumeDeviceToDosName", @@ -105212,6 +108726,8 @@ "UtilWriteVersionToRegistry", "UtilbuildDynamicDiskMappingTable", "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", "_UtilDosPathNameToNtPathName" ], "ImportedFunctions": [ @@ -105224,22 +108740,14 @@ "ExReleaseResourceLite", "_purecall", "ZwOpenEvent", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", "ZwConnectPort", - "ExAllocatePoolWithTag", "KeClearEvent", "PsProcessType", "ExFreePoolWithTag", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", "RtlInitUnicodeString", "KeSetEvent", "ProbeForWrite", "KeUnstackDetachProcess", - "RtlAddAccessAllowedAce", "ZwRequestWaitReplyPort", "ZwWaitForSingleObject", "DbgBreakPoint", @@ -105247,20 +108755,20 @@ "IoGetCurrentProcess", "ZwFreeVirtualMemory", "ZwClose", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "KeReleaseSemaphore", - "RtlInitializeSid", "ObfReferenceObject", "ObfDereferenceObject", "RtlUnicodeStringToInteger", "ZwCreateSection", "ObOpenObjectByPointer", "KeStackAttachProcess", - "RtlCreateSecurityDescriptor", "KePulseEvent", "ZwAllocateVirtualMemory", + "ObGetObjectSecurity", + "SeAccessCheck", + "SeReleaseSubjectContext", + "SeCaptureSubjectContext", "PsThreadType", + "ObReleaseObjectSecurity", "PsGetProcessExitTime", "MmSectionObjectType", "DbgPrint", 
@@ -105274,37 +108782,67 @@ "ZwWriteFile", "_wcsnicmp", "towupper", + "ExAllocatePoolWithTag", "KeInitializeEvent", "ZwCreateEvent", "ZwCreateKey", + "RtlAnsiStringToUnicodeString", "ZwNotifyChangeKey", + "RtlInitAnsiString", "_snprintf", + "RtlFreeUnicodeString", "ExSystemTimeToLocalTime", "_vsnprintf", "ObReferenceObjectByHandle", "RtlTimeToTimeFields", + "ZwDeviceIoControlFile", "PsGetCurrentThreadId", "PsGetCurrentProcessId", - "MmIsAddressValid", "KeWaitForMultipleObjects", + "ExGetPreviousMode", + "RtlEqualUnicodeString", + "RtlPrefixUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "KeWaitForSingleObject", "KeSetPriorityThread", "PsCreateSystemThread", "PsTerminateSystemThread", + "MmIsAddressValid", + "KeDelayExecutionThread", "KeNumberProcessors", "PsLookupProcessByProcessId", "PsSetCreateProcessNotifyRoutine", "ZwOpenDirectoryObject", - "KeDelayExecutionThread", "ZwQueryInformationProcess", - "ExGetPreviousMode", - "ExReleaseFastMutexUnsafe", + "ZwQuerySecurityObject", + "NtSetInformationFile", + "ZwDeleteValueKey", + "ZwSetValueKey", "ZwQuerySystemInformation", + "NtQueryInformationFile", + "IoFileObjectType", "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "NtCreateFile", + "ZwEnumerateValueKey", + "RtlLengthSecurityDescriptor", + "ZwQueryDirectoryObject", + "ZwSetSecurityObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "ExReleaseFastMutexUnsafe", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwQueryKey", "ZwOpenKey", + "MmSystemRangeStart", "_stricmp", "_strnicmp", "mbstowcs", "ProbeForRead", + "RtlUpcaseUnicodeString", "_snwprintf", "ZwQuerySymbolicLinkObject", "ZwMapViewOfSection", 
@@ -105312,53 +108850,84 @@ "RtlAppendUnicodeToString", "IoCreateFile", "RtlQueryRegistryValues", - "RtlEqualUnicodeString", "MmBuildMdlForNonPagedPool", "ZwOpenSymbolicLinkObject", "IoFreeMdl", - "RtlFreeUnicodeString", - "IoFileObjectType", + "ObQueryNameString", "ZwUnmapViewOfSection", "NtClose", "IoFreeIrp", "PsGetVersion", "IoAllocateIrp", - "RtlCopyUnicodeString", + "RtlCompareMemory", + "MmUnlockPages", + "ZwSetInformationObject", "ZwOpenFile", + "wcsncmp", "RtlImageNtHeader", "IoAllocateMdl", "IofCallDriver", "ZwQueryVolumeInformationFile", - "ObQueryNameString", "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlInitializeSid", + "RtlCreateSecurityDescriptor", "IoDeleteSymbolicLink", "IoDeleteDevice", + "IoGetDeviceObjectPointer", "ExEventObjectType", "IofCompleteRequest", "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "strncpy", + "NtOpenProcess", "ObInsertObject", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", "IoReleaseVpbSpinLock", + "wcschr", + "IoGetConfigurationInformation", + "IoRegisterPlugPlayNotification", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "FsRtlIsNameInExpression", + "wcsstr", + "ExAllocatePool", + "IoUnregisterPlugPlayNotification", + "MmProbeAndLockPages", + "RtlCompareUnicodeString", + "IoGetDeviceInterfaces", + "KeAcquireSpinLockRaiseToDpc", "KeBugCheckEx", "IoCreateDevice", - "ZwSetSecurityObject", "IoDeviceObjectType", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "RtlAbsoluteToSelfRelativeSD", 
"IoIsWdmVersionAvailable", "SeExports", - "wcschr", "RtlLengthSid", "RtlGetSaclSecurityDescriptor", "RtlGetDaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "ZwSetValueKey", + "ZwTerminateProcess", "ExAcquireResourceExclusiveLite", "__C_specific_handler" ], 
@@ -105368,45 +108937,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2020-12-15 22:15:33", + "ValidTo": "2021-12-02 22:15:33", + "Signature": "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", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-12-27 00:00:00", - "ValidTo": "2013-02-15 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", + "ValidFrom": "2012-04-18 23:48:38", + "ValidTo": "2027-04-18 23:58:38", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "33000000b5213fca1e4aa03de40000000000b5", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" } ] } 
@@ -105414,25 +108962,26 @@ }, { "FileName": "TmComm.sys", - "MD5": "2ddd3c0e23bc0fd63702910c597298b4", - "SHA1": "3fd7fda9c7dfdb2a845c39971572bd090bee3b1d", - "SHA256": "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e", + "MD5": "8580165a2803591e007380db9097bbcc", + "SHA1": "5a55c227ca13e9373b87f1ef6534533c7ce1f4fb", + "SHA256": "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48", "Authentihash": { - "MD5": "007d2afd1aa5ebcd3cfa447087156319", - "SHA1": "a3e23bd4ea435781eb394581ac3fa1fe27e074ec", - "SHA256": "886b28af7d2907a61720da0b6ea5d88a9a8512ceb120e88889f3fedd6bf313b4" + "MD5": "01266e09667dd8822e9895786c7802b5", + "SHA1": "7e52c3e0861290dd0d7e8807a6f6cfd52b7ab5c2", + "SHA256": "5e71106ee81d050e30afd84cade4ef4a581d70130477aa1e34549e6de50cde87" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "2.5.0.1121", - "Product": "AEGIS", - "ProductVersion": "2.5", - "Copyright": "Copyright (C) 2005-2008 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "5.50.0.1047", + "Product": "Trend Micro Eyes", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", + "HAL.dll", "CLASSPNP.SYS" ], "ExportedFunctions": [ @@ -105446,6 +108995,8 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", "??0CExclusionExtConfig@@QAE@KKE@Z", "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", 
@@ -105460,6 +109011,14 @@ "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", @@ -105484,10 +109043,13 @@ "??0CModuleMultiStringConfig@@QAE@KK@Z", "??0CModuleStringConfig@@QAE@ABV0@@Z", "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", "??0CSmartLock@@QAE@XZ", "??0CSmartReference@@QAE@AAJ@Z", "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", "??0CStrList@@QAE@ABV0@@Z", "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CSystemThread@@QAE@ABV0@@Z", @@ -105509,6 +109071,7 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", "??1CExclusionFilePathConfig@@UAE@XZ", @@ -105516,6 +109079,10 @@ "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -105528,8 +109095,10 @@ "??1CModuleFlagConfig@@UAE@XZ", "??1CModuleMultiStringConfig@@UAE@XZ", "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", "??1CSmartLock@@QAE@XZ", "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", "??1CStrList@@UAE@XZ", "??1CSystemThread@@UAE@XZ", "??1CUserFuncAdapterJob@@UAE@XZ", 
@@ -105547,6 +109116,7 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", "??4CLockEvent@@QAEAAV0@ABV0@@Z", @@ -105557,6 +109127,7 @@ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", "??4CSystemThread@@QAEAAV0@ABV0@@Z", "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", "??4CWorkerThread@@QAEAAV0@ABV0@@Z", @@ -105567,6 +109138,7 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", + "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", "??_7CExclusionFilePathConfig@@6B@", @@ -105574,6 +109146,10 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -105586,6 +109162,7 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", @@ -105610,12 +109187,15 @@ "?Add@CFileExtension@@QAEEPBGK@Z", "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", "?Cancel@CWorkerThreadJob@@QAEXXZ", "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", "?Cleanup@CBlobConfig@@AAEXXZ", "?Cleanup@CModuleFileExtConfig@@IAEXXZ", 
@@ -105623,6 +109203,7 @@ "?Cleanup@CModuleStringConfig@@AAEXXZ", "?Close@CFile@@QAEJXZ", "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", "?Create@CFile@@QAEJPBGKKKK@Z", "?Create@CSystemThread@@QAEEXZ", "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", @@ -105635,6 +109216,7 @@ "?Delete@CStrList@@QAEEPBG@Z", "?DeleteAll@CList@@UAEXXZ", "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", "?DeleteNode@CContextList@@MAEXPAX@Z", "?DeleteNode@CList@@UAEXPAX@Z", "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", @@ -105651,6 +109233,7 @@ "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", "?Free@CMemoryAllocator@@UAEXPAX@Z", "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", "?GetAttributes@CFile@@QAEKXZ", @@ -105695,19 +109278,25 @@ "?InitializeStringConfig@CContext@@QAEHKPBG@Z", "?Insert@CList@@UAEXQAXE@Z", "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", "?InsertAfter@CList@@UAEXPAX0@Z", "?InsertBefore@CList@@UAEXPAX0@Z", - "?InsertEx@CLockList@@UAEEQAXE@Z", "?Instance@CWorkerThreadPool@@SGPAV1@XZ", "?IsEmpty@CList@@UAEEXZ", "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", 
@@ -105717,6 +109306,7 @@ "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", "?MatchNoExtensions@CFileExtension@@QAEEXZ", "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", @@ -105728,6 +109318,7 @@ "?NewNodeVariant@CList@@IAEPAXK@Z", "?Next@CList@@UBEPAXQAX@Z", "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", @@ -105741,13 +109332,21 @@ "?Remove@CContextList@@UAEEQAX@Z", "?Remove@CList@@UAEEQAX@Z", "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", "?RemoveHead@CList@@UAEPAXXZ", "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", "?RemoveTail@CList@@UAEPAXXZ", "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", "?Run@CWorkerThread@@UAEXXZ", "?SeekToEnd@CFile@@QAEJXZ", "?Set@CKEvent@@QAEJJE@Z", @@ -105756,7 +109355,7 @@ "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", "?SetEngineContext@CContext@@QAEXPAX@Z", "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", 
@@ -105778,6 +109377,8 @@ "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", "?Write@CDebugLog@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", @@ -105793,43 +109394,49 @@ "_GetModuleInfoByModuleName@8", "_InitKmLPC@0", "_KmCallUm@8", - "_MapMem@12", + "_KmCallUmEx@12", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", "_NormalizeFileName@4", "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UnMapMem@8", + "_UtilAddDeviceInDriveTable@4", + "_UtilCleanFileReadOnly@4", + "_UtilDeleteFileForce@4", "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "KeEnterCriticalRegion", - "KeGetCurrentThread", - "KeLeaveCriticalRegion", - "ExReleaseFastMutexUnsafe", - "wcsncpy", - "memcpy", "wcsrchr", "KeSetEvent", "KePulseEvent", "KeClearEvent", "KeInitializeSemaphore", "KeWaitForSingleObject", - "DbgPrint", "KeReleaseSemaphore", + "KeStackAttachProcess", + "KeUnstackDetachProcess", "RtlSubAuthoritySid", "RtlInitializeSid", "ExAllocatePoolWithTag", 
@@ -105842,19 +109449,29 @@ "ObfDereferenceObject", "ZwSetEvent", "ZwClose", - "KeUnstackDetachProcess", "ZwRequestWaitReplyPort", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", "memmove", - "KeStackAttachProcess", "ZwConnectPort", "RtlInitUnicodeString", + "RtlUnicodeStringToInteger", "ZwCreateSection", "ZwWaitForSingleObject", "ZwOpenEvent", "ObfReferenceObject", "IoGetCurrentProcess", + "DbgBreakPoint", + "PsGetProcessExitTime", + "MmSectionObjectType", + "DbgPrint", "memset", "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", "ZwWriteFile", "ZwReadFile", "ZwQueryInformationFile", @@ -105876,17 +109493,17 @@ "ZwNotifyChangeKey", "PsGetCurrentThreadId", "_vsnprintf", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "MmUnmapLockedPages", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", "KeNumberProcessors", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "KeDelayExecutionThread", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", "ZwQueryDirectoryFile", - "ZwOpenDirectoryObject", "ZwQueryDirectoryObject", "ZwDuplicateObject", "ZwOpenKey", 
@@ -105896,58 +109513,68 @@ "ZwDeleteValueKey", "ZwDeleteKey", "ExGetPreviousMode", - "ExAcquireFastMutexUnsafe", - "ObOpenObjectByPointer", - "PsProcessType", + "ZwTerminateProcess", "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", + "MmHighestUserAddress", "IoFreeIrp", + "memcpy", + "MmUnlockPages", "IoBuildAsynchronousFsdRequest", - "ProbeForWrite", - "_stricmp", - "RtlImageNtHeader", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "KeDelayExecutionThread", "mbstowcs", - "ZwQuerySymbolicLinkObject", + "_purecall", "ZwOpenSymbolicLinkObject", + "NtClose", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", "RtlEqualUnicodeString", "IoFileObjectType", "IoCreateFile", "IofCallDriver", "IoAllocateIrp", - "IoFreeMdl", + "MmBuildMdlForNonPagedPool", "IoAllocateMdl", + "ProbeForRead", "PsGetVersion", "MmGetSystemRoutineAddress", - "RtlCompareMemory", "RtlCopyUnicodeString", - "KeBugCheckEx", - "RtlAppendUnicodeStringToString", + "RtlCompareMemory", + "_snwprintf", + "RtlImageNtHeader", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "ObQueryNameString", + "IoBuildDeviceIoControlRequest", "IofCompleteRequest", "ExEventObjectType", + "_allmul", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", - "ProbeForRead", "IoGetDeviceObjectPointer", - "ExAllocatePool", "RtlUpperChar", "RtlCompareUnicodeString", - "PsLookupProcessByProcessId", "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", - "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", "ObOpenObjectByName", + "IoDriverObjectType", + "RtlAppendUnicodeStringToString", + "strncmp", "NtQueryInformationProcess", - "_snwprintf", - "RtlAnsiStringToUnicodeString", + "PsIsThreadTerminating", + "PsThreadType", "KeAddSystemServiceTable", "ZwQueryObject", "ZwQuerySecurityObject", 
@@ -105957,9 +109584,39 @@ "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", + "RtlUpcaseUnicodeString", "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "MmSystemRangeStart", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "wcsstr", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", + "KeBugCheckEx", "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "IoFreeMdl", + "ExAcquireFastMutexUnsafe", "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", @@ -105972,11 +109629,17 @@ "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", - "wcschr", "RtlAbsoluteToSelfRelativeSD", - "RtlFreeUnicodeString", - "ZwTerminateProcess", - "_purecall", + "ZwQuerySymbolicLinkObject", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "KeGetCurrentIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KfRaiseIrql", "ClassInitialize" ], "Signatures": [ 
@@ -105985,10 +109648,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "50c54bc82480dfe40d24c2de1ab1a102a1a6822d0c831581370a820e2cb05a1761b5d805fe88dbf19191b3561a40a6eb92be3839b07536743a984fe437ba9989ca95421db0b9c7a08d57e0fad5640442354e01d133a217c84daa27c7f2e1864c02384d8378c6fc53e0ebe00687dda4969e5e0c98e2a5bebf8285c360e1dfad28d8c7a54b64dac71b5bbdac3908d53822a1338b2f8a9aebbc07213f44410907b5651c24bc48d34480eba1cfc902b414cf54c716a3805cf9793e5d727d88179e2c43a2ca53ce7d3df62a3ab84f9400a56d0a835df95e53f418b3570f70c3fbf5ad95a00e17dec4168060c90f2b6e8604f1ebf47827d105c5ee345b5eb94932f233", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -105999,17 +109662,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2008-01-16 00:00:00", - "ValidTo": "2011-02-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -106018,12 +109674,19 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-12-27 00:00:00", + "ValidTo": "2013-02-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "645212f783f4d7aba3555729e99ce065", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -106031,39 +109694,65 @@ }, { "FileName": "TmComm.sys", - "MD5": "3e4a1384a27013ab7b767a88b8a1bd34", - "SHA1": "ae344c123ef6d206235f2a8448d07f86433db5a6", - "SHA256": "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e", + "MD5": "085d3423f3c12a17119920f1a293ab4d", + "SHA1": "d3daa971580b9f94002f7257de44fcef13bb1673", + "SHA256": "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b", "Authentihash": { - "MD5": "32f1d8b0fca32fd72a762cfa58870978", - "SHA1": "aef6765d5e4281854562e8e88cc09f5571ab17bc", - "SHA256": "2ffbb534c73106a2879d5a9d4ad3436c8d3ab8ac6aa8b217e26a6492fa1d16d0" + "MD5": "037efb773500b55fa774ab62ef60838c", + "SHA1": "9b1bc87c26d4a75e929ba54b88d32909d3cc6e5a", + "SHA256": "2e37c0e580bf6f0514af985b1581fef3d66b845aeefa790c625964512a911659" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "1.6.0.1052", - "Product": "ActiveClean", - "ProductVersion": "1.6", - "Copyright": "Copyright (C) 2005-2007 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "6.70.0.1073", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. 
All rights reserved.", "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GXPAU_TMCE_EVENT_REPORT@@PAX@Z1@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", "??0CContextList@@QAE@ABV0@@Z", "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", "??0CFile@@QAE@ABV0@@Z", "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", 
@@ -106081,23 +109770,26 @@ "??0CModuleConfigList@@QAE@ABV0@@Z", "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@K@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", "??0CModuleFlagConfig@@QAE@ABV0@@Z", "??0CModuleFlagConfig@@QAE@K@Z", "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", "??0CModuleStringConfig@@QAE@ABV0@@Z", "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", "??0CSmartLock@@QAE@XZ", "??0CSmartReference@@QAE@AAJ@Z", "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", "??0CStrList@@QAE@ABV0@@Z", "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", 
@@ -106106,14 +109798,28 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -106126,8 +109832,10 @@ "??1CModuleFlagConfig@@UAE@XZ", "??1CModuleMultiStringConfig@@UAE@XZ", "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", "??1CSmartLock@@QAE@XZ", "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", "??1CStrList@@UAE@XZ", "??1CSystemThread@@UAE@XZ", "??1CUserFuncAdapterJob@@UAE@XZ", @@ -106135,6 +109843,7 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", @@ -106142,8 +109851,11 @@ "??3@YAXPAX@Z", "??3IMemoryAllocator@@SGXPAX@Z", "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", "??4CLockEvent@@QAEAAV0@ABV0@@Z", 
@@ -106154,17 +109866,30 @@ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", "??4CSystemThread@@QAEAAV0@ABV0@@Z", "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", "??4CWorkerThread@@QAEAAV0@ABV0@@Z", "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -106177,6 +109902,7 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", @@ -106184,6 +109910,7 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", 
@@ -106201,32 +109928,43 @@ "?Add@CFileExtension@@QAEEPBGK@Z", "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CModuleFileExtConfig@@AAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@AAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", "?Cleanup@CModuleStringConfig@@AAEXXZ", "?Close@CFile@@QAEJXZ", "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", "?Create@CFile@@QAEJPBGKKKK@Z", "?Create@CSystemThread@@QAEEXZ", "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", "?Delete@CStrList@@QAEEPBG@Z", "?DeleteAll@CList@@UAEXXZ", "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", "?DeleteNode@CContextList@@MAEXPAX@Z", "?DeleteNode@CList@@UAEXPAX@Z", "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", "?DoIt@CWorkerThreadJob@@QAEJXZ", "?EntryPoint@CSystemThread@@KGXPAX@Z", "?Find@CContextList@@QAEPAVCContext@@K@Z", 
@@ -106236,14 +109974,18 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", "?Free@CMemoryAllocator@@UAEXPAX@Z", "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", "?GetAttributes@CFile@@QAEKXZ", "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", "?GetCategory@CContext@@QAEKXZ", - "?GetCatetory@CModuleConfig@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", "?GetData@CModuleFlagConfig@@QAEKXZ", 
@@ -106251,48 +109993,75 @@ "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", "?GetData@CModuleStringConfig@@QAEPAGXZ", "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEHKPAGPAK@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEHKPAK@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEHKPAGPAK@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEHKPAGPAK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", - "?GetType@CModuleConfig@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", 
"?InitializeStringConfig@CContext@@QAEHKPBG@Z", "?Insert@CList@@UAEXQAXE@Z", "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", "?InsertAfter@CList@@UAEXPAX0@Z", "?InsertBefore@CList@@UAEXPAX0@Z", "?Instance@CWorkerThreadPool@@SGPAV1@XZ", "?IsEmpty@CList@@UAEEXZ", "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", "?MatchNoExtensions@CFileExtension@@QAEEXZ", "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", 
@@ -106304,217 +110073,369 @@ "?NewNodeVariant@CList@@IAEPAXK@Z", "?Next@CList@@UBEPAXQAX@Z", "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", "?Remove@CList@@UAEEQAX@Z", "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", "?RemoveHead@CList@@UAEPAXXZ", "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", "?RemoveTail@CList@@UAEPAXXZ", "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", "?Run@CWorkerThread@@UAEXXZ", "?SeekToEnd@CFile@@QAEJXZ", "?Set@CKEvent@@QAEJJE@Z", "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetFileExtensionConfig@CContext@@UAEHKPBG@Z", - "?SetFlagConfig@CContext@@UAEHKK@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", 
+ "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEHKPBG@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", "?SetPriority@CSystemThread@@QAEXK@Z", "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEHKPBG@Z", + "?SetStringConfig@CContext@@UAEJKPBG@Z", "?Setup@CSystemThread@@MAEXXZ", "?StopUse@CContext@@QAEHXZ", "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", 
"_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", - "_MapMem@12", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UnMapMem@8", - "_UtilGetProcessName@8", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8" + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "KeInitializeEvent", - "_purecall", - "ExAcquireFastMutexUnsafe", - "KeEnterCriticalRegion", - "KeGetCurrentThread", - "KeLeaveCriticalRegion", - "ExReleaseFastMutexUnsafe", - "wcsncpy", + "wcsrchr", "KeSetEvent", "KePulseEvent", "KeClearEvent", - "IofCompleteRequest", - "ZwClose", - 
"KeDelayExecutionThread", + "KeStackAttachProcess", + "KeUnstackDetachProcess", "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExEventObjectType", - "ZwCreateEvent", + "ZwSetEvent", + "ZwClose", + "ZwConnectPort", "RtlInitUnicodeString", - "swprintf", - "KeQuerySystemTime", - "KeWaitForSingleObject", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "RtlCopyUnicodeString", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", + "ZwRequestWaitReplyPort", + "ExFreePoolWithTag", "ProbeForWrite", - "ProbeForRead", - "ExGetPreviousMode", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", + "PsGetProcessExitTime", + "MmSectionObjectType", + "PsThreadType", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", "DbgPrint", "memset", "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", "ZwWriteFile", "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", + "swprintf", "towupper", "_wcsnicmp", - "memcpy", - "sprintf", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "_snprintf", "PsGetCurrentProcessId", - "IoGetCurrentProcess", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", "ZwCreateKey", + "ZwCreateEvent", "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "PsGetCurrentThreadId", - "vsprintf", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "ExFreePoolWithTag", - "MmUnmapLockedPages", - "ExAllocatePoolWithTag", - "RtlImageNtHeader", - "mbstowcs", - "_stricmp", - "ZwQuerySystemInformation", - "IoGetDeviceObjectPointer", - "KeServiceDescriptorTable", + "_vsnprintf", + 
"RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "ExGetPreviousMode", + "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", + "KeDelayExecutionThread", "KeNumberProcessors", - "ZwQueryDirectoryFile", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", "ZwQueryDirectoryObject", - "ZwDuplicateObject", "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", + "ZwTerminateProcess", + "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", - "ZwQuerySecurityObject", - "ObInsertObject", "IoFileObjectType", "_allrem", - "PsLookupProcessByProcessId", - "strncpy", - "NtOpenProcess", - "ObOpenObjectByPointer", - "PsProcessType", - "ObReferenceObjectByPointer", - "KeUnstackDetachProcess", - "MmSectionObjectType", - "KeStackAttachProcess", - "ObQueryNameString", - "ObOpenObjectByName", - "RtlAppendUnicodeStringToString", - "NtQueryInformationProcess", - "RtlAnsiStringToUnicodeString", + "ZwQuerySecurityObject", + "memcpy", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "_purecall", + "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", + "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", - "RtlEqualUnicodeString", + "NtClose", + "ObQueryNameString", + "MmGetSystemRoutineAddress", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", "IoCreateFile", - "IoFreeIrp", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "RtlUpcaseUnicodeString", + "_snwprintf", + 
"MmSystemRangeStart", + "wcsncmp", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwFsControlFile", + "ObInsertObject", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", - "IofCallDriver", "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "IoAllocateIrp", - "IoFreeMdl", - "IoAllocateMdl", - "PsGetVersion", - "MmGetSystemRoutineAddress", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "wcsstr", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", "KeBugCheckEx", + "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", "ZwSetSecurityObject", + "ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", - "RtlUnwind", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", 
"RtlGetOwnerSecurityDescriptor", - "_snwprintf", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", - "RtlAddAccessAllowedAce", "RtlLengthSid", - "wcschr", "RtlAbsoluteToSelfRelativeSD", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlFreeUnicodeString" + "MmUnlockPages", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
@@ -106522,38 +110443,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2015-05-05 00:00:00", + "ValidTo": "2015-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2006-01-20 00:00:00", - "ValidTo": "2007-02-14 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2015-02-20 00:00:00", + "ValidTo": "2016-05-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa 
(c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "681ce312057f03f206153b679ec06cb9", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -106561,21 +110489,21 @@ }, { "FileName": "TmComm.sys", - "MD5": "f65e545771fd922693f0ec68b2141012", - "SHA1": "850f15fd67d9177a50f3efef07a805b9613f50d6", - "SHA256": "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee", + "MD5": "08bac71557df8a9b1381c8c165f64520", + "SHA1": "891c8d482e23222498022845a6b349fe1a186bcc", + "SHA256": "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf", "Authentihash": { - "MD5": "18831ebdbd1eb06f09fe812e958dd2e0", - "SHA1": "5d39543a15234f7d472d5d9132bd0d0faa7cdcd3", - "SHA256": "c264c3d71a57a5dff031d74bd2f6ef715eff603cc8078df123e862603e096be4" + "MD5": "cfb84fad4e23da054656c41b09c8c467", + "SHA1": "4dad9e501ec85acd2b405eca3fc1e5787d64ab34", + "SHA256": "14cfe7b4f7572aa3434ac5dd458a35f286538b34734cf7a310fb7bcba209921c" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "2.2.0.1016", + "FileVersion": "2.5.0.1106", "Product": "AEGIS", - "ProductVersion": "2.2", + "ProductVersion": "2.5", "Copyright": "Copyright (C) 2005-2008 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ 
@@ -106944,8 +110872,11 @@ "_ModLoadDLLToBuffer@4", "_ModLoadModule@8", "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", "_UnMapMem@8", + "_UtilGetFileObjectForProcessByEPROC@8", "_UtilGetProcessName@12", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", @@ -106954,7 +110885,9 @@ "_UtilQueryKeyValue@24", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8" + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ "KeEnterCriticalRegion", @@ -106967,25 +110900,33 @@ "KeSetEvent", "KePulseEvent", "KeClearEvent", - "IofCompleteRequest", - "ZwClose", - "KeDelayExecutionThread", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExEventObjectType", - "ZwCreateEvent", - "RtlInitUnicodeString", - "swprintf", - "KeQuerySystemTime", + "KeInitializeSemaphore", "KeWaitForSingleObject", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", "DbgPrint", - "RtlCopyUnicodeString", - "ProbeForWrite", - "ProbeForRead", - "ExGetPreviousMode", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", + "ExFreePoolWithTag", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ObfDereferenceObject", + "ZwSetEvent", + "ZwClose", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "memmove", + "KeStackAttachProcess", + "ZwConnectPort", + "RtlInitUnicodeString", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ObfReferenceObject", + "IoGetCurrentProcess", "memset", "MmIsAddressValid", "ZwWriteFile", 
@@ -106993,116 +110934,109 @@ "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", + "swprintf", "towupper", "_wcsnicmp", + "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", - "IoGetCurrentProcess", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", + "KeQuerySystemTime", "ZwCreateKey", - "KeInitializeEvent", + "ZwCreateEvent", "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", "PsGetCurrentThreadId", "_vsnprintf", "MmMapLockedPagesSpecifyCache", "MmBuildMdlForNonPagedPool", "MmCreateMdl", - "ExFreePoolWithTag", "MmUnmapLockedPages", - "ExAllocatePoolWithTag", - "RtlImageNtHeader", - "mbstowcs", - "_stricmp", - "ZwQuerySystemInformation", - "IoGetDeviceObjectPointer", - "KeServiceDescriptorTable", - "KeAddSystemServiceTable", - "_strnicmp", - "PsLookupProcessByProcessId", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcess", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", "KeNumberProcessors", + "ZwQuerySystemInformation", "ZwQueryDirectoryFile", "ZwOpenDirectoryObject", "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoFreeMdl", - "IofCallDriver", - "ExAcquireFastMutexUnsafe", - "IoAllocateIrp", - "IoFileObjectType", + "ZwDuplicateObject", "ZwOpenKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryValueKey", - "ZwDeleteValueKey", - "ZwDeleteKey", - "ZwQueryKey", - "ZwSetValueKey", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", - "strncpy", - "NtOpenProcess", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", + "ExAcquireFastMutexUnsafe", "ObOpenObjectByPointer", "PsProcessType", - "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", - "ObOpenObjectByName", - "RtlAppendUnicodeStringToString", - "ObfReferenceObject", - "NtQueryInformationProcess", - "_snwprintf", - "RtlAnsiStringToUnicodeString", + 
"ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", + "IoFreeIrp", "IoBuildAsynchronousFsdRequest", + "ProbeForWrite", "KeBugCheckEx", + "RtlImageNtHeader", + "_stricmp", + "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", + "KeDelayExecutionThread", + "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "RtlEqualUnicodeString", + "IoFileObjectType", "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "IoFreeMdl", + "IoAllocateMdl", "PsGetVersion", "MmGetSystemRoutineAddress", "RtlCompareMemory", + "RtlCopyUnicodeString", + "RtlAppendUnicodeStringToString", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "ProbeForRead", + "IoGetDeviceObjectPointer", + "ExAllocatePool", + "RtlUpperChar", + "RtlCompareUnicodeString", + "PsLookupProcessByProcessId", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "_snwprintf", + "RtlAnsiStringToUnicodeString", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "RtlLengthRequiredSid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ZwSetEvent", - "ZwRequestWaitReplyPort", - "memmove", - "ZwConnectPort", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ExAllocatePool", - "RtlUpperChar", - "RtlCompareUnicodeString", "KeTickCount", + "RtlUnwind", "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", - "RtlUnwind", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", 
@@ -107115,7 +111049,7 @@ "wcschr", "RtlAbsoluteToSelfRelativeSD", "RtlFreeUnicodeString", - "IoAllocateMdl", + "ZwTerminateProcess", "_purecall", "ClassInitialize" ], @@ -107171,22 +111105,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "9af5ae780b6a9ea485fa15f28ddb20a7", - "SHA1": "6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72", - "SHA256": "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3", + "MD5": "42132c7a755064f94314b01afb80e73c", + "SHA1": "3e790c4e893513566916c76a677b0f98bd7334dd", + "SHA256": "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0", "Authentihash": { - "MD5": "c168260fa4a9a401b55e3b4c5962fa27", - "SHA1": "dac9b99363ccff7b11a53bf98bcaf64f41b66d77", - "SHA256": "45624a7469927b999cce153ff0074f675a8c062c5afa3f0c688b6124874ca27a" + "MD5": "37dd516b2406b4e5d95e260886230437", + "SHA1": "95e72a3ba11c83d127302e8327b2fe9580a61e3f", + "SHA256": "a553ba125adf00a769718d5cd26ed1a59b5e397956ebc6163973b10fe8c58214" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.30.0.1065", + "FileVersion": "7.0.0.1099", "Product": "Trend Micro Eyes", - "ProductVersion": "7.30", - "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "7.0", + "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", 
@@ -107696,225 +111630,982 @@ ], "ImportedFunctions": [ "ExAcquireFastMutexUnsafe", - "ExReleaseFastMutexUnsafe", - "ProbeForRead", - "ProbeForWrite", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObfReferenceObject", + "ObfDereferenceObject", + "ZwClose", + "ZwCreateSection", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenEvent", + "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "ZwSetEvent", + "_allmul", + "memcpy", + "memset", + "PsProcessType", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "swprintf", + "RtlCopyUnicodeString", + "DbgPrint", + "KeDelayExecutionThread", + "KeQuerySystemTime", + "ExAllocatePoolWithTag", + "PsGetVersion", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "PsThreadType", + "MmSectionObjectType", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "ExGetPreviousMode", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "MmIsAddressValid", + "ExInitializeResourceLite", + 
"ExDeleteResourceLite", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "towupper", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "ObQueryNameString", + "MmHighestUserAddress", + "_snprintf", + "_vsnprintf", + "RtlInitAnsiString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", + "ExSystemTimeToLocalTime", + "ZwCreateKey", + "PsGetCurrentThreadId", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ZwOpenFile", + "ExFreePoolWithTag", + "mbstowcs", + "_stricmp", + "IoGetDeviceObjectPointer", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "_strnicmp", + "RtlCompareUnicodeString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IofCallDriver", + "IoFreeIrp", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoFileObjectType", + "IoDriverObjectType", + "IoBuildDeviceIoControlRequest", + "IoCreateFile", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlUpcaseUnicodeChar", + "_snwprintf", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "ObOpenObjectByName", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeNumberProcessors", + "RtlLengthSecurityDescriptor", + "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "_allrem", + "RtlAppendUnicodeToString", + "ZwFsControlFile", + "ObInsertObject", + "strrchr", + "wcschr", + "wcsncmp", + "RtlQueryRegistryValues", + "IoBuildAsynchronousFsdRequest", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", + "NtClose", + 
"ZwSetInformationObject", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "wcsstr", + "ExAllocatePool", + "ExInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", + "RtlUnwind", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "KeWaitForSingleObject", + "KeLeaveCriticalRegion", + "KeBugCheckEx", + "KeEnterCriticalRegion", + "KeSetEvent", + "KeClearEvent", + "KeInitializeEvent", + "RtlInitUnicodeString", + "KeGetCurrentThread", + "memmove", + "ZwQueryVolumeInformationFile", + "_purecall", + "ClassInitialize", + "KeRaiseIrqlToDpcLevel", + "KfAcquireSpinLock", + "KeGetCurrentIrql", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "KfLowerIrql", + "KfRaiseIrql", + "KfReleaseSpinLock" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2016-03-29 00:00:00", + "ValidTo": "2017-06-28 23:59:59", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "f51065667fb127cf6de984daea2f6b24", + "SHA1": "1768fb2b4796f624fa52b95dfdfbfb922ac21019", + "SHA256": "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad", + "Authentihash": { + "MD5": "671205c31cc873b793bd9922b8c2594e", + "SHA1": "d8dea3a091ef24abd0cee37b74a6e6bf8dccea23", + "SHA256": "9bea1a92c747c203cd3e370f422ed6023787817a5495385e5ca473ef59396a2e" + }, + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.0.0.1072", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.0", + "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + 
"??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + 
"??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + 
"??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + 
"?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + 
"?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + 
"?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + 
"?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + "?Reset@CKEvent@@QEAAXXZ", + 
"?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + 
"?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + 
"ValidateAddressWithSize", + "_UtilDosPathNameToNtPathName" + ], + "ImportedFunctions": [ + "KeLeaveCriticalRegion", + "wcsncpy", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "wcsrchr", "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoFreeMdl", + "_purecall", + "ZwOpenEvent", + "ZwConnectPort", + "KeClearEvent", + "PsProcessType", + "ExFreePoolWithTag", + "RtlInitUnicodeString", + "KeSetEvent", + "ProbeForWrite", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "ZwWaitForSingleObject", + "DbgBreakPoint", + "ZwSetEvent", "IoGetCurrentProcess", + "ZwFreeVirtualMemory", + "ZwClose", "ObfReferenceObject", "ObfDereferenceObject", - "ZwClose", + "RtlUnicodeStringToInteger", "ZwCreateSection", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ZwOpenEvent", - "KePulseEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", "ObOpenObjectByPointer", + "KeStackAttachProcess", + "KePulseEvent", "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "ZwSetEvent", - "_allmul", - "memcpy", - "memset", - "PsProcessType", - "wcsncpy", - "wcsrchr", - "RtlUnicodeStringToInteger", - "ZwWaitForSingleObject", - "ZwRequestWaitReplyPort", - "ZwConnectPort", - "_stricmp", - "ExAllocatePoolWithTag", - "MmIsAddressValid", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "swprintf", - "RtlCopyUnicodeString", - "DbgPrint", - "KeDelayExecutionThread", - "KeQuerySystemTime", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "PsThreadType", - "MmSectionObjectType", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", "ObGetObjectSecurity", + "SeAccessCheck", + "SeReleaseSubjectContext", + "SeCaptureSubjectContext", + "PsThreadType", 
"ObReleaseObjectSecurity", "PsGetProcessExitTime", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "ExGetPreviousMode", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", - "ExInitializeResourceLite", + "MmSectionObjectType", + "DbgPrint", "ExDeleteResourceLite", + "ExInitializeResourceLite", + "ZwReadFile", + "swprintf", + "ZwSetInformationFile", "ZwCreateFile", "ZwQueryInformationFile", - "ZwSetInformationFile", - "ZwReadFile", "ZwWriteFile", + "_wcsnicmp", "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "ObQueryNameString", - "MmHighestUserAddress", - "PsGetVersion", - "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "ZwCreateEvent", + "ZwCreateKey", "RtlAnsiStringToUnicodeString", + "ZwNotifyChangeKey", + "RtlInitAnsiString", + "_snprintf", "RtlFreeUnicodeString", - "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "ExFreePoolWithTag", - "PsGetCurrentThreadId", - "ZwDeviceIoControlFile", - "ZwNotifyChangeKey", - "ZwOpenFile", - "ZwQueryVolumeInformationFile", - "mbstowcs", - "IoGetDeviceObjectPointer", - "_strnicmp", - "RtlCompareUnicodeString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IofCallDriver", - "IoFreeIrp", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoFileObjectType", - "IoDriverObjectType", - "IoBuildDeviceIoControlRequest", - "IoCreateFile", + "_vsnprintf", + "ObReferenceObjectByHandle", + "RtlTimeToTimeFields", + "ZwDeviceIoControlFile", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeWaitForMultipleObjects", "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", 
"RtlUpcaseUnicodeChar", - "_snwprintf", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "ObOpenObjectByName", - "KeServiceDescriptorTable", - "KeAddSystemServiceTable", + "KeWaitForSingleObject", "KeSetPriorityThread", "PsCreateSystemThread", "PsTerminateSystemThread", + "MmIsAddressValid", + "KeDelayExecutionThread", "KeNumberProcessors", - "RtlLengthSecurityDescriptor", - "ZwOpenKey", - "ZwDeleteKey", + "PsLookupProcessByProcessId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenDirectoryObject", + "ZwQueryInformationProcess", + "ExGetPreviousMode", + "NtSetInformationFile", "ZwDeleteValueKey", - "ZwEnumerateKey", - "ZwEnumerateValueKey", - "ZwQueryKey", - "ZwQueryValueKey", "ZwSetValueKey", - "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", + "ZwQuerySystemInformation", + "NtQueryInformationFile", + "IoFileObjectType", + "ZwQueryValueKey", "ZwQueryDirectoryFile", - "_allrem", + "NtCreateFile", + "ZwEnumerateValueKey", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwTerminateProcess", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwOpenKey", + "ExReleaseFastMutexUnsafe", + "_stricmp", + "_strnicmp", + "mbstowcs", + "ProbeForRead", + "_snwprintf", + "ZwQuerySymbolicLinkObject", + "ZwMapViewOfSection", + "MmGetSystemRoutineAddress", "RtlAppendUnicodeToString", - "ZwFsControlFile", - "ObInsertObject", - "strrchr", - "wcschr", - "wcsncmp", + "IoCreateFile", "RtlQueryRegistryValues", - "IoBuildAsynchronousFsdRequest", + "MmBuildMdlForNonPagedPool", "ZwOpenSymbolicLinkObject", - "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", + "IoFreeMdl", + "ObQueryNameString", + "ZwUnmapViewOfSection", "NtClose", - "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", - "MmSystemRangeStart", + "IoFreeIrp", + "PsGetVersion", + "IoAllocateIrp", + "RtlCompareMemory", + "MmUnlockPages", + "ZwOpenFile", + "wcsncmp", + 
"RtlImageNtHeader", + "IoAllocateMdl", + "IofCallDriver", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlInitializeSid", + "RtlCreateSecurityDescriptor", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "ExEventObjectType", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "strncpy", + "NtOpenProcess", + "ObInsertObject", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", "IoReleaseVpbSpinLock", - "wcstombs", + "wcschr", "strncat", - "wcsncat", "RtlUnicodeStringToAnsiString", + "wcsncat", "RtlFreeAnsiString", + "wcstombs", + "IoGetConfigurationInformation", + "IoRegisterPlugPlayNotification", + "RtlUpcaseUnicodeString", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "FsRtlIsNameInExpression", "wcsstr", "ExAllocatePool", - "ExInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", - "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", - "FsRtlIsNameInExpression", - "RtlUnwind", - "IoDeviceObjectType", + "MmProbeAndLockPages", + "RtlCompareUnicodeString", + "IoGetDeviceInterfaces", + "DbgPrintEx", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetSaclSecurityDescriptor", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlLengthSid", - "SeExports", - 
"IoIsWdmVersionAvailable", "RtlAbsoluteToSelfRelativeSD", - "KeWaitForSingleObject", - "KeLeaveCriticalRegion", - "KeBugCheckEx", - "KeEnterCriticalRegion", - "KeSetEvent", - "KeClearEvent", - "KeInitializeEvent", - "RtlInitUnicodeString", - "KeGetCurrentThread", - "memmove", - "ZwCreateKey", - "_purecall", - "ClassInitialize", - "KeRaiseIrqlToDpcLevel", - "KfAcquireSpinLock", - "KeGetCurrentIrql", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "KfLowerIrql", - "KfRaiseIrql", - "KfReleaseSpinLock" + "IoIsWdmVersionAvailable", + "SeExports", + "RtlLengthSid", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "MmSystemRangeStart", + "ExAcquireResourceExclusiveLite", + "__C_specific_handler" ], "Signatures": [ { 
@@ -107922,44 +112613,37 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2010-05-10 00:00:00", + "ValidTo": "2015-05-10 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", 
+ "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", + "ValidFrom": "2013-01-17 00:00:00", + "ValidTo": "2014-03-18 23:59:59", + "Signature": "65c7e1e0f4051179852b819153b528c88db47ef50e897cd8ce0d03a7cc2dc896c89790410182186fecaf9da5c317bf57b5038311c10c2ec5ddb5c18165a7e92f92a6f39c042262126c714337a7c528041a04679217c1475a30231c967ca63b4430ccea52fe4f16fabb5c454d2aa8cdde347b8beaa973d76b3f9ba99d2597939a33d67ec4abc3974ef3792b8bc90d092cce62309d205129bbcbd3554382f24b2911b4904b09e7f52f24f2cc5a52fa49f3a163c32fde076e917301f22dd45d643b95319bae922bc861e5a8f90d4dd72603c7b1ea0229eca869ab8d086ae5286baeba9b99a12856dc1d3cd9f6d9da4b8d5a85896ba4587d8eba506a4fbba4a7bb49", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "497c4fad471540e6e453d0cafb155740", + "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -107968,189 +112652,171 @@ }, { "FileName": "TmComm.sys", - "MD5": "09927915aba84c8acd91efdaac674b86", - "SHA1": "b304cb10c88ddd8461bad429ebfd2fd1b809ac2b", - "SHA256": "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f", + "MD5": "a31246180e61140ad7ff9dd7edf1f6a1", + "SHA1": "fe0afc6dd03a9bd7f6e673cc6b4af2266737e3d1", + "SHA256": "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc", "Authentihash": { - "MD5": "d1f83eec944debf86cb97352d63f8fd3", - "SHA1": "923910c609673b7ffb23a0c3cd9d33aedd69607a", - "SHA256": "6bdf465db8860c80051d4d1b9db1c3153ab65c252f9500b85efc56d255b4cb1d" + "MD5": "9da7d62145d6f4c104da27b797fabc4c", + "SHA1": "597144e2c01496c32aeed3277f8619c229de17b4", + "SHA256": "d3227dc2e8f83258810cf43719f02a8d52648eb17939fddd79fd70155a47305d" }, - "Description": "TrendMicro Common Module", + "Description": "TrendMicro Common Module NoTrap Build", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.30.0.1049", + "FileVersion": "5.0.0.1104", "Product": "Trend Micro Eyes", - "ProductVersion": "7.30", - "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", - "MachineType": "AMD64", + "ProductVersion": "5.0", + "Copyright": "Copyright (C) 2005-2011 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS", + "SCSIPORT.SYS" ], "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - 
"??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - 
"??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3@YAXPEAX_K@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - 
"??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + 
"??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", 
+ "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", 
@@ -108159,10 +112825,6 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", 
@@ -108183,521 +112845,452 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "??_V@YAXPEAX_K@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - 
"?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - 
"?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - 
"?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", 
- "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - 
"?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "AllocFullFileName", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetBackupCommPortAPIs", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - 
"UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + 
"?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + 
"?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + 
"?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + 
"?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForReady@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_KmCallUmEx@12", + 
"_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilCleanFileReadOnly@4", + "_UtilDeleteFileForce@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeInitializeEvent", - "KeClearEvent", - "KeSetEvent", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", "KeWaitForSingleObject", + "KeReleaseSemaphore", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", "ExFreePoolWithTag", - "ExAcquireFastMutexUnsafe", - "ExReleaseFastMutexUnsafe", - "ProbeForRead", - "ProbeForWrite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - "IoFreeMdl", - "IoGetCurrentProcess", - "ObfReferenceObject", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", "ObfDereferenceObject", + "ZwSetEvent", "ZwClose", - "ZwCreateSection", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ZwOpenEvent", - "KePulseEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - 
"ZwAllocateVirtualMemory", + "ZwRequestWaitReplyPort", + "ProbeForWrite", "ZwFreeVirtualMemory", - "ZwSetEvent", - "__C_specific_handler", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", "PsProcessType", - "wcslen", - "wcsncpy", - "wcsrchr", + "memmove", + "ZwConnectPort", + "RtlInitUnicodeString", "RtlUnicodeStringToInteger", + "ZwCreateSection", "ZwWaitForSingleObject", - "ZwRequestWaitReplyPort", - "ZwConnectPort", - "_stricmp", - "ExAllocatePoolWithTag", - "MmIsAddressValid", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", - "ObGetObjectSecurity", - "ObReleaseObjectSecurity", + "ZwOpenEvent", + "ObfReferenceObject", + "IoGetCurrentProcess", "PsGetProcessExitTime", - "PsThreadType", "MmSectionObjectType", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "KeDelayExecutionThread", - "ExGetPreviousMode", "DbgPrint", - "swprintf", - "RtlCopyUnicodeString", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "_wcsnicmp", - "PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", + "memset", + "MmIsAddressValid", "ExInitializeResourceLite", "ExDeleteResourceLite", - "ZwCreateFile", + "ZwWriteFile", + "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", + "ZwCreateFile", + "swprintf", "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "PsGetCurrentThreadId", - "ObQueryNameString", - "PsGetVersion", + "_wcsnicmp", + "KeInitializeEvent", "_snprintf", - "_vsnprintf", - 
"RtlInitAnsiString", - "wcscat", - "RtlFreeUnicodeString", + "PsGetCurrentProcessId", "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", + "KeQuerySystemTime", "ZwCreateKey", - "ZwDeviceIoControlFile", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "ZwOpenFile", - "ZwQueryVolumeInformationFile", - "mbstowcs", - "IoGetDeviceObjectPointer", - "IoBuildDeviceIoControlRequest", - "IofCallDriver", - "IoCreateFile", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlUpcaseUnicodeChar", - "_snwprintf", - "strlen", - "_strnicmp", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "ObOpenObjectByName", + "PsGetCurrentThreadId", + "_vsnprintf", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", + "PsCreateSystemThread", "KeNumberProcessors", - "RtlLengthSecurityDescriptor", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "KeDelayExecutionThread", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey", - "ZwQueryKey", "ZwQueryValueKey", - "ZwSetValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", "ZwTerminateProcess", "ZwOpenProcess", - "ZwDuplicateObject", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", - "NtCreateFile", - "NtQueryInformationFile", - "NtSetInformationFile", - "IoFileObjectType", - "ObInsertObject", - "wcschr", - "wcsncmp", + "ZwQueryKey", + "ZwSetValueKey", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "MmUnlockPages", + "KeInitializeSemaphore", + "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IoFreeIrp", - 
"ZwOpenSymbolicLinkObject", + "mbstowcs", "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", + "ZwOpenSymbolicLinkObject", "NtClose", "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", - "MmSystemRangeStart", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", + "RtlCompareMemory", + "_snwprintf", + "RtlImageNtHeader", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "ObQueryNameString", + "IoBuildDeviceIoControlRequest", + "IofCompleteRequest", + "ExEventObjectType", + "_allmul", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "RtlUpperChar", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "IoDriverObjectType", + "RtlAppendUnicodeStringToString", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "PsThreadType", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", "IoGetFileObjectGenericMapping", + "RtlUpcaseUnicodeString", "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "strcpy", - "wcsstr", - "RtlCompareUnicodeString", - "DbgPrintEx", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "ExAllocatePool", - "ExpInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", - "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - 
"IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", - "FsRtlIsNameInExpression", + "_allshr", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmFreeContiguousMemory", + "MmAllocateContiguousMemory", + "MmMapIoSpace", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "KeClearEvent", + "KePulseEvent", + "KeSetEvent", + "wcsrchr", + "memcpy", + "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlLengthSid", "SeExports", "IoIsWdmVersionAvailable", + "RtlLengthSid", + "wcschr", "RtlAbsoluteToSelfRelativeSD", - "RtlAnsiStringToUnicodeString", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", "_purecall", - "KeBugCheckEx" + "IoBuildAsynchronousFsdRequest", + "KeGetCurrentThread", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "ClassInitialize", + "ScsiPortReadPortBufferUshort", + "ScsiPortReadPortUchar", + "ScsiPortWritePortUchar", + "ScsiPortStallExecution", + "ScsiPortWritePortBufferUshort" ], "Signatures": [ { 
@@ -108705,44 +113298,44 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2017-04-27 00:00:00", - "ValidTo": "2018-07-16 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": 
"aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-01-31 00:00:00", + "ValidTo": "2012-02-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "497c4fad471540e6e453d0cafb155740", + "SerialNumber": "24e3d70b86ed54d0b22c3450b960984e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -108751,22 +113344,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "113056ec5c679b6f74c9556339ebf962", - "SHA1": "e7d8fc86b90f75864b7e2415235e17df4d85ee31", - "SHA256": "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd", + "MD5": "569676d3d45b0964ac6dd0815be8ff8c", + "SHA1": "58b31fb2b623bd2c5d5c8c49b657a14a674664a4", + "SHA256": "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524", "Authentihash": { - "MD5": "df0c799f44b29f166c1457111f1e2e44", - "SHA1": "8f304036c7dc0ba138cba81a45a8b0f9336231d4", - "SHA256": "13002b14aa6e63dc7117e2969d038beb009dbd6093a4590c6913b426d773dea3" + "MD5": "6d3193458659666e4c86ec1b9fb06bf9", + "SHA1": "ef123d041e10d8a0b22786f6e471d0c18bc13167", + "SHA256": "83a67b544982a2fd1484af752cc4ab2f6c0b50cb3c9dba60b888c2c2e37d1036" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.60.0.1084", + "FileVersion": "6.20.0.1008", "Product": "Trend Micro Eyes", - "ProductVersion": "6.60", - "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "6.20", + "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -109217,13 +113810,11 @@ "_DeInitKmLPC@0", "_DuplicateFullFileName@4", "_FreeFullFileName@4", - "_GetFileVersionOfNtoskrnl@16", "_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", "_InitKm2UmCommunication@8", "_InitKmLPC@0", - "_IsWindows8_1_update@4", "_KmCallUm@8", "_KmCallUmByLPC@8", "_KmCallUmEx@12", @@ -109241,7 +113832,6 @@ "_UtilAddDeviceInDriveTable@4", "_UtilAddReparsePointMapping@8", "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", "_UtilCreateDosFileName@8", "_UtilDeleteFileForce@4", "_UtilGetDeviceObjectName@8", 
@@ -109259,7 +113849,6 @@ "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", @@ -109268,10 +113857,11 @@ "_UtilbuildDynamicDiskMappingTable@0", "_UtlWriteBinValueKeyToRegistry@16", "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ + "wcsrchr", + "KeSetEvent", "KePulseEvent", "KeClearEvent", "KeStackAttachProcess", @@ -109299,7 +113889,6 @@ "PsGetProcessExitTime", "MmSectionObjectType", "PsThreadType", - "MmGetSystemRoutineAddress", "ObReleaseObjectSecurity", "SeReleaseSubjectContext", "SeAccessCheck", @@ -109340,7 +113929,6 @@ "RtlAppendUnicodeStringToString", "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", @@ -109361,28 +113949,27 @@ "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", + "ExGetPreviousMode", "ZwTerminateProcess", "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", "IoFileObjectType", - "KeSetEvent", - "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", - "MmHighestUserAddress", + "_allrem", + "memcpy", "IoFreeIrp", - "_purecall", + "IoFreeMdl", "MmUnlockPages", "IoBuildAsynchronousFsdRequest", "_strnicmp", - "RtlQueryRegistryValues", + "_purecall", "RtlAppendUnicodeToString", "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", "ObQueryNameString", + "MmGetSystemRoutineAddress", "ZwSetInformationObject", "_stricmp", "ZwUnmapViewOfSection", @@ -109395,13 +113982,11 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", - "RtlImageNtHeader", "RtlCompareMemory", - "RtlUpcaseUnicodeString", "_snwprintf", "MmSystemRangeStart", + "RtlImageNtHeader", "wcsncmp", - "RtlCompareUnicodeString", "strrchr", "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", 
@@ -109417,15 +114002,16 @@ "RtlAddAccessAllowedAce", "RtlCreateAcl", "KeInitializeSemaphore", - "IoGetDeviceObjectPointer", "IofCompleteRequest", "ExEventObjectType", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", "RtlUpperChar", "ObReferenceObjectByName", "IoDriverObjectType", + "RtlCompareUnicodeString", "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", @@ -109434,7 +114020,7 @@ "PsIsThreadTerminating", "KeAddSystemServiceTable", "ZwQueryObject", - "ZwFsControlFile", + "ZwQuerySecurityObject", "ObInsertObject", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", @@ -109446,6 +114032,7 @@ "IoGetStackLimits", "IoBuildSynchronousFsdRequest", "wcsstr", + "RtlUpcaseUnicodeString", "IoUnregisterPlugPlayNotification", "FsRtlIsNameInExpression", "IoGetConfigurationInformation", @@ -109453,12 +114040,15 @@ "IoGetDeviceInterfaces", "IoRegisterPlugPlayNotification", "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", "KeBugCheckEx", "RtlUnwind", - "wcsrchr", - "memcpy", "wcsncpy", "ExReleaseResourceLite", "ExAcquireResourceExclusiveLite", @@ -109466,27 +114056,27 @@ "ExReleaseFastMutexUnsafe", "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "_allrem", + "MmHighestUserAddress", "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "IoFreeMdl", + "RtlQueryRegistryValues", "KeGetCurrentThread", "KfAcquireSpinLock", "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", "ExAcquireFastMutex", "ExReleaseFastMutex", "KeGetCurrentIrql", 
@@ -109499,45 +114089,38 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", - "ValidFrom": "2019-07-12 00:00:00", - "ValidTo": "2020-07-10 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2010-05-10 00:00:00", + "ValidTo": "2015-05-10 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "9d257e1b334db226815c9b86ce23200f8087e588ffffb1d46a2c31ed3a17197117cda91bbc5a1639009de36c84e45a40fbde06018c37fa9bb19d247efe20a457ad5bb79ab06026ea6957215d342f1f71b0839419056b359010a07b97c7f63fe7e21141a6bd62d9f0273d381d286f3a5209f0ec7062d3624bb0e073a692c0d38e31d82fe36d171306eee403b614abf38f43a7719d21dd14ca155d9241daf90f81d199740d26c40e7f1bb5f5a0f1c677062815e9d893e55516f0bb0aab1cdb5c482766c8a38b0a1ce595daaec42e59a061dddaf36da261e98a0b6dec1218bdf755544003922b6bc251c20a48afb0d46ee0f4140a3a1be38f3dcaaf6a8d7bdcd844", + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": 
"aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", + "ValidFrom": "2013-01-17 00:00:00", + "ValidTo": "2014-03-18 23:59:59", + "Signature": "65c7e1e0f4051179852b819153b528c88db47ef50e897cd8ce0d03a7cc2dc896c89790410182186fecaf9da5c317bf57b5038311c10c2ec5ddb5c18165a7e92f92a6f39c042262126c714337a7c528041a04679217c1475a30231c967ca63b4430ccea52fe4f16fabb5c454d2aa8cdde347b8beaa973d76b3f9ba99d2597939a33d67ec4abc3974ef3792b8bc90d092cce62309d205129bbcbd3554382f24b2911b4904b09e7f52f24f2cc5a52fa49f3a163c32fde076e917301f22dd45d643b95319bae922bc861e5a8f90d4dd72603c7b1ea0229eca869ab8d086ae5286baeba9b99a12856dc1d3cd9f6d9da4b8d5a85896ba4587d8eba506a4fbba4a7bb49", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", - "Issuer": "C=US, O=DigiCert Inc, 
OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -109545,25 +114128,27 @@ }, { "FileName": "TmComm.sys", - "MD5": "c42caa9cdcc50c01cb2fed985a03fe23", - "SHA1": "b3c111d7192cfa8824e5c9b7c0660c37978025d6", - "SHA256": "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c", + "MD5": "df9953fa93e1793456a8d428ba7e5700", + "SHA1": "8db4376a86bd2164513c178a578a0bf8d90e7292", + "SHA256": "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408", "Authentihash": { - "MD5": "eee43fab6af4ff34b0c35892e7765798", - "SHA1": "a8baa1f52375ab24150d0cba4c62a4b0f5080ef4", - "SHA256": "81c301c77dbfff44567165139e9a5ee3af2aee838298451c7075dc6e1aae489f" + "MD5": "33de043781d74ef12f02411b9944186e", + "SHA1": "a405bb5d0ca4862f40a0f9eadce8ef068f421004", + "SHA256": "d74599ab8960f16e8026dcd564c5407956444c46c3dea6b38b1c243fbbbdc517" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "2.0.0.1118", - "Product": "AEGIS", - "ProductVersion": "2.0", - "Copyright": "Copyright (C) 2005-2007 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "6.60.0.1056", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.60", + "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", 
@@ -109576,6 +114161,10 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", "??0CExclusionExtConfig@@QAE@KKE@Z", "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", @@ -109590,6 +114179,14 @@ "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", @@ -109614,16 +114211,19 @@ "??0CModuleMultiStringConfig@@QAE@KK@Z", "??0CModuleStringConfig@@QAE@ABV0@@Z", "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", "??0CSmartLock@@QAE@XZ", "??0CSmartReference@@QAE@AAJ@Z", "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", "??0CStrList@@QAE@ABV0@@Z", "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", 
@@ -109632,6 +114232,8 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", @@ -109639,6 +114241,8 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", "??1CExclusionFilePathConfig@@UAE@XZ", @@ -109646,6 +114250,10 @@ "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -109658,8 +114266,10 @@ "??1CModuleFlagConfig@@UAE@XZ", "??1CModuleMultiStringConfig@@UAE@XZ", "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", "??1CSmartLock@@QAE@XZ", "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", "??1CStrList@@UAE@XZ", "??1CSystemThread@@UAE@XZ", "??1CUserFuncAdapterJob@@UAE@XZ", @@ -109667,6 +114277,7 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", @@ -109677,6 +114288,8 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", "??4CLockEvent@@QAEAAV0@ABV0@@Z", 
@@ -109687,6 +114300,7 @@ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", "??4CSystemThread@@QAEAAV0@ABV0@@Z", "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", "??4CWorkerThread@@QAEAAV0@ABV0@@Z", @@ -109697,6 +114311,8 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", "??_7CExclusionFilePathConfig@@6B@", @@ -109704,6 +114320,10 @@ "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -109716,6 +114336,7 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", @@ -109723,6 +114344,7 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", @@ -109740,12 +114362,15 @@ "?Add@CFileExtension@@QAEEPBGK@Z", "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", "?Cancel@CWorkerThreadJob@@QAEXXZ", "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", "?Cleanup@CBlobConfig@@AAEXXZ", "?Cleanup@CModuleFileExtConfig@@IAEXXZ", 
@@ -109753,17 +114378,22 @@ "?Cleanup@CModuleStringConfig@@AAEXXZ", "?Close@CFile@@QAEJXZ", "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", "?Create@CFile@@QAEJPBGKKKK@Z", "?Create@CSystemThread@@QAEEXZ", "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", "?Delete@CStrList@@QAEEPBG@Z", "?DeleteAll@CList@@UAEXXZ", "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", "?DeleteNode@CContextList@@MAEXPAX@Z", "?DeleteNode@CList@@UAEXPAX@Z", "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", @@ -109778,8 +114408,11 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", "?Free@CMemoryAllocator@@UAEXPAX@Z", "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", "?GetAttributes@CFile@@QAEKXZ", 
@@ -109799,24 +114432,31 @@ "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", 
@@ -109824,27 +114464,38 @@ "?InitializeStringConfig@CContext@@QAEHKPBG@Z", "?Insert@CList@@UAEXQAXE@Z", "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", "?InsertAfter@CList@@UAEXPAX0@Z", "?InsertBefore@CList@@UAEXPAX0@Z", "?Instance@CWorkerThreadPool@@SGPAV1@XZ", "?IsEmpty@CList@@UAEEXZ", "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", "?MatchNoExtensions@CFileExtension@@QAEEXZ", "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", 
@@ -109856,26 +114507,38 @@ "?NewNodeVariant@CList@@IAEPAXK@Z", "?Next@CList@@UBEPAXQAX@Z", "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", "?Remove@CList@@UAEEQAX@Z", "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", "?RemoveHead@CList@@UAEPAXXZ", "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", "?RemoveTail@CList@@UAEPAXXZ", "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", "?Run@CWorkerThread@@UAEXXZ", "?SeekToEnd@CFile@@QAEJXZ", "?Set@CKEvent@@QAEJJE@Z", 
@@ -109884,13 +114547,14 @@ "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", "?SetEngineContext@CContext@@QAEXPAX@Z", "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", "?SetFlagConfig@CContext@@UAEJKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", 
@@ -109903,201 +114567,311 @@ "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKm2UmCommunication@0", "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", "_KmCallUm@8", - "_MapMem@12", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UnMapMem@8", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + 
"_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8" + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "_purecall", - "ExAcquireFastMutexUnsafe", - "KeEnterCriticalRegion", - "KeGetCurrentThread", - "KeLeaveCriticalRegion", - "ExReleaseFastMutexUnsafe", - "wcsncpy", - "memcpy", "wcsrchr", "KeSetEvent", "KePulseEvent", "KeClearEvent", - "IofCompleteRequest", - "ZwClose", - "KeDelayExecutionThread", + "KeStackAttachProcess", + "KeUnstackDetachProcess", "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExEventObjectType", - "ZwCreateEvent", + "ZwSetEvent", + "ZwClose", + "ZwConnectPort", "RtlInitUnicodeString", - "swprintf", - "KeQuerySystemTime", - "KeWaitForSingleObject", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "DbgPrint", - "RtlCopyUnicodeString", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", + "ZwRequestWaitReplyPort", + "ExFreePoolWithTag", "ProbeForWrite", - "ProbeForRead", - 
"ExGetPreviousMode", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", + "PsGetProcessExitTime", + "MmSectionObjectType", + "PsThreadType", + "MmGetSystemRoutineAddress", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", + "DbgPrint", "memset", "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", "ZwWriteFile", "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", + "swprintf", "towupper", "_wcsnicmp", + "ExAllocatePoolWithTag", + "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", - "IoGetCurrentProcess", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", "ZwCreateKey", - "KeInitializeEvent", + "ZwCreateEvent", "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "PsGetCurrentThreadId", "_vsnprintf", - "MmMapLockedPagesSpecifyCache", - "MmBuildMdlForNonPagedPool", - "MmCreateMdl", - "ExFreePoolWithTag", - "MmUnmapLockedPages", - "ExAllocatePoolWithTag", - "RtlImageNtHeader", - "mbstowcs", - "_stricmp", - "ZwQuerySystemInformation", - "IoGetDeviceObjectPointer", - "KeServiceDescriptorTable", - "KeAddSystemServiceTable", - "_strnicmp", - "PsLookupProcessByProcessId", - "KeUnstackDetachProcess", - "KeStackAttachProcess", - "ZwQueryObject", - "ZwDuplicateObject", - "ZwOpenProcess", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "ExGetPreviousMode", + "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", + "KeDelayExecutionThread", "KeNumberProcessors", - "ZwQueryDirectoryFile", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", "ZwOpenDirectoryObject", + 
"PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", "ZwQueryDirectoryObject", - "IoFreeIrp", - "IoFreeMdl", - "IofCallDriver", - "IoAllocateMdl", - "IoAllocateIrp", - "IoFileObjectType", + "ZwDuplicateObject", "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", + "ZwTerminateProcess", + "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", - "ZwQuerySecurityObject", - "ObInsertObject", + "IoFileObjectType", "_allrem", - "strncpy", - "NtOpenProcess", - "ObOpenObjectByPointer", - "PsProcessType", - "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", - "ObOpenObjectByName", - "RtlAppendUnicodeStringToString", - "ObfReferenceObject", - "NtQueryInformationProcess", - "_snwprintf", - "RtlAnsiStringToUnicodeString", + "memcpy", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "_purecall", + "IoBuildAsynchronousFsdRequest", + "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", + "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", - "RtlEqualUnicodeString", + "NtClose", + "ObQueryNameString", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", "PsGetVersion", - "MmGetSystemRoutineAddress", + "RtlImageNtHeader", "RtlCompareMemory", - "IoReleaseVpbSpinLock", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "KeInitializeSemaphore", + "RtlUpcaseUnicodeString", + "_snwprintf", + "MmSystemRangeStart", + "wcsncmp", + "RtlCompareUnicodeString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", "KeReleaseSemaphore", - "RtlSubAuthoritySid", - 
"RtlInitializeSid", "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", "RtlSetDaclSecurityDescriptor", "RtlCreateSecurityDescriptor", "RtlAddAccessAllowedAce", "RtlCreateAcl", - "ZwSetEvent", - "ZwRequestWaitReplyPort", - "memmove", - "ZwConnectPort", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ExAllocatePool", - "KeBugCheckEx", + "KeInitializeSemaphore", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", "RtlUpperChar", - "RtlCompareUnicodeString", + "ObReferenceObjectByName", + "IoDriverObjectType", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "wcsstr", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", - "ZwSetSecurityObject", + "KeBugCheckEx", + "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ZwQuerySecurityObject", + "ExAcquireFastMutexUnsafe", "IoDeviceObjectType", "IoCreateDevice", - "RtlUnwind", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", 
"SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", - "wcschr", "RtlAbsoluteToSelfRelativeSD", - "RtlFreeUnicodeString" + "MmUnlockPages", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
@@ -110105,45 +114879,38 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2016-03-29 00:00:00", + "ValidTo": "2017-06-28 23:59:59", + "Signature": 
"27351697f046d1d43fe306dff30b83e7a404e3e6431c1e06829c558d99eb3f21776021e3e1bd4e485aba08b89bb0972f23daa471d7b432a44a591270f9a838f13dbda32ee936c0df792cff8c493e1f27b2282b3d896ae7b4155ca1a50bf7111f3f4bbbe11f17cfe5d49c0589c210966ef7e567153e802d2e783ff498c59585598d9d3e93273d1e81c07ce85c0cfb24834d448c3930120f1686bd472d916ac8f9475acfdb27be8528311f668d71dfc132a0ff62df7baa575a0cc732b3de003beca214954d4d97cf9511b9329eccbb7b716675b31e543a43570080dffce3fc8ca8fbb17d954b9678e2d0c1e1710a5cf03952a687fede59dcba3bf98900f9934f12", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2007-01-30 00:00:00", - "ValidTo": "2008-02-15 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "225c8b52640584163ec1835017ded781", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at 
https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } @@ -110151,22 +114918,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "d79b8b7bed8d30387c22663b24e8c191", - "SHA1": "af5b7556706e09ee9e74ee2e87eab5c0a49d2d35", - "SHA256": "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f", + "MD5": "58a92520dda53166e322118ee0503364", + "SHA1": "d2be76e79741454b4611675b58446e10fc3d0c6c", + "SHA256": "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b", "Authentihash": { - "MD5": "ab680a8ed6b727bb2a4e27d124191b89", - "SHA1": "62fe5d3ebcd192fcf985f2e3a27c214051ecf854", - "SHA256": "44120b712e4b5ef3b302f03b7aa61f9f6fe6820d966addbcc43d8e09402e5906" + "MD5": "7311c7bcd55dd7a769f43b480c1978d8", + "SHA1": "390bd5d395784a675a3b62929407a4f83e0bcc87", + "SHA256": "2175f4289f3bae19b058e5a4f590c200bede255cd2716dfb054d5e0840f70359" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "5.50.0.1033", + "FileVersion": "6.70.0.1129", "Product": "Trend Micro Eyes", - "ProductVersion": "5.50", - "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -110184,6 +114951,8 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", "??0CDelayLoadThread@@QAE@ABV0@@Z", "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", 
@@ -110244,7 +115013,7 @@ "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", @@ -110253,6 +115022,8 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", @@ -110260,6 +115031,7 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", @@ -110295,6 +115067,7 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", @@ -110305,6 +115078,7 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", @@ -110327,6 +115101,7 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", @@ -110359,6 +115134,7 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", 
@@ -110398,7 +115174,9 @@ "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", @@ -110420,6 +115198,8 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", "?First@CNoLockList@@UAEPAXXZ", 
@@ -110442,24 +115222,31 @@ "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", 
@@ -110488,12 +115275,15 @@ "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", @@ -110511,11 +115301,14 @@ "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", @@ -110551,6 +115344,7 @@ "?SetFlagConfig@CContext@@UAEJKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", 
@@ -110563,38 +115357,64 @@ "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", "?WaitForInit@CDelayLoadThread@@QAEEXZ", "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKm2UmCommunication@0", "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetFileVersionOfNtoskrnl@16", + "_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", "_InitKmLPC@0", + "_IsWindows8_1_update@4", "_KmCallUm@8", + "_KmCallUmByLPC@8", "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", + "_NormalizeFileName1@8", "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName1@8", "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", 
"_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", "_UtilGetFileObjectForProcessByEPROC@8", "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", @@ -110607,6 +115427,8 @@ "_UtilKeGetLowFileDevice@16", "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", 
@@ -110614,48 +115436,43 @@ "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "wcsrchr", - "KeSetEvent", "KePulseEvent", "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "KeReleaseSemaphore", "KeStackAttachProcess", "KeUnstackDetachProcess", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", - "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", "ObfDereferenceObject", "ZwSetEvent", "ZwClose", - "ZwRequestWaitReplyPort", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", "ZwConnectPort", "RtlInitUnicodeString", "RtlUnicodeStringToInteger", "ZwCreateSection", "ZwWaitForSingleObject", "ZwOpenEvent", - "ObfReferenceObject", "IoGetCurrentProcess", + "ObfReferenceObject", "DbgBreakPoint", + "ZwRequestWaitReplyPort", + "ExFreePoolWithTag", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", "PsGetProcessExitTime", "MmSectionObjectType", + "PsThreadType", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", "DbgPrint", "memset", "MmIsAddressValid", 
@@ -110669,62 +115486,77 @@ "swprintf", "towupper", "_wcsnicmp", + "ExAllocatePoolWithTag", "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", "ZwCreateKey", "ZwCreateEvent", "KeWaitForMultipleObjects", "ObReferenceObjectByHandle", "ZwNotifyChangeKey", - "PsGetCurrentThreadId", "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "RtlPrefixUnicodeString", + "ExGetPreviousMode", + "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", + "KeDelayExecutionThread", "KeNumberProcessors", "ZwQueryInformationProcess", "PsLookupProcessByProcessId", - "KeDelayExecutionThread", "ZwOpenDirectoryObject", "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", "ZwQueryDirectoryFile", "ZwQueryDirectoryObject", - "ZwDuplicateObject", "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", - "ExGetPreviousMode", "ZwTerminateProcess", "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", + "IoFileObjectType", + "KeSetEvent", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", "MmHighestUserAddress", "IoFreeIrp", - "memcpy", + "_purecall", "MmUnlockPages", "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", "mbstowcs", - "_purecall", + "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", + "ObQueryNameString", + "MmGetSystemRoutineAddress", "ZwSetInformationObject", "_stricmp", "ZwUnmapViewOfSection", "ZwMapViewOfSection", "ZwOpenFile", - "RtlEqualUnicodeString", - "IoFileObjectType", "IoCreateFile", "IofCallDriver", "IoAllocateIrp", 
@@ -110732,74 +115564,69 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", - "MmGetSystemRoutineAddress", - "RtlCopyUnicodeString", + "RtlImageNtHeader", "RtlCompareMemory", + "RtlUpcaseUnicodeString", "_snwprintf", - "RtlImageNtHeader", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", + "MmSystemRangeStart", + "wcsncmp", "strrchr", "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", - "ObQueryNameString", "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IoGetDeviceObjectPointer", "IofCompleteRequest", "ExEventObjectType", - "_allmul", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", - "IoGetDeviceObjectPointer", "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", "RtlCompareUnicodeString", "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", "ObOpenObjectByName", - "IoDriverObjectType", - "RtlAppendUnicodeStringToString", - "strncmp", "NtQueryInformationProcess", "PsIsThreadTerminating", - "PsThreadType", "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", + "ZwFsControlFile", "ObInsertObject", - "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", - "RtlUpcaseUnicodeString", "ObCreateObject", "_allshr", "ExInterlockedPopEntrySList", "IoGetStackLimits", "IoBuildSynchronousFsdRequest", - "MmSystemRangeStart", + "wcsstr", "IoUnregisterPlugPlayNotification", "FsRtlIsNameInExpression", - "wcsstr", "IoGetConfigurationInformation", "MmProbeAndLockPages", "IoGetDeviceInterfaces", "IoRegisterPlugPlayNotification", "ExAllocatePool", - "RtlFreeAnsiString", - "RtlUnicodeStringToAnsiString", - "strncat", "wcschr", - "wcsncat", - "KeCancelTimer", - "KeSetTimerEx", 
- "KeInitializeTimer", - "wcstombs", "KeTickCount", "KeBugCheckEx", "RtlUnwind", + "wcsrchr", + "memcpy", "wcsncpy", "ExReleaseResourceLite", "ExAcquireResourceExclusiveLite", @@ -110807,30 +115634,30 @@ "ExReleaseFastMutexUnsafe", "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "IoFreeMdl", + "_allrem", "ExAcquireFastMutexUnsafe", - "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "ZwQuerySymbolicLinkObject", + "IoFreeMdl", "KeGetCurrentThread", "KfAcquireSpinLock", "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", - "KeGetCurrentIrql", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", "ExAcquireFastMutex", "ExReleaseFastMutex", + "KeGetCurrentIrql", "KfRaiseIrql", "ClassInitialize" ], 
@@ -110840,45 +115667,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "??=TW, ??=Private Organization, serialNumber=23310837, C=TW, ST=Taipei City, L=Da???an District, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2020-08-07 00:00:00", + "ValidTo": "2021-04-15 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-09-30 00:00:00", - "ValidTo": "2014-01-01 23:59:59", - "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + 
"ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", - "ValidFrom": "2011-12-27 00:00:00", - "ValidTo": "2013-02-15 23:59:59", - "Signature": "840ba0fc35187fe2edc7b17c101fd2bf035bbad8f3de048e250741e96a3f4ecee86f1f065ea76f2f8f430a13a75ff3eab29a8b11a13006d27bf3173fa49aabf9cef98fc4554f1732317c4b821c740eb58a91977d85e86574dd712718b15d24f7eb88b6d4520aef788478e1ef8cebd7fff06fadbc87ca6ca2b77da85be3c30b4d590bcb8945a0acfa013f89073933494d9c465c0036280a5af39f6802e60bd175a2603366dd935cb3458b1791411a06b6e5f38e3171de4238051c79b33117cb94674d0625c402bdfb0f99b80625dc0f827911c6c11263884a4e41d1abf60070ad46b7296e19e1cfcda7304a650d7a814319cc11e5a947e82b2d00a169e798b871", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": 
"0f6146af9397c7fa04b13c2d0279a1ba", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" } ] } @@ -110886,22 +115713,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "e28ce623e3e5fa1d2fe16c721efad4c2", - "SHA1": "4cd5bf02edf6883a08dfed7702267612e21ed56e", - "SHA256": "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed", + "MD5": "4c6d311e0b13c4f469f717db4ab4d0e7", + "SHA1": "6da2dd8a0b4c0e09a04613bbabfc07c0b848ec77", + "SHA256": "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085", "Authentihash": { - "MD5": "ae1b6ea856ae1be7cf1929618e5d78ad", - "SHA1": "93d07ce0258ae8595833b8c5c6aee14b1a210405", - "SHA256": "6d6fe20c9f7ccfe723bf7feecb5acf773a85cb61286452dc4001589f82b1a424" + "MD5": "8dfae750a79d89ab846e49f1f587a361", + "SHA1": "1d11a90b1d32a812a7dd36a886254d446cdd823a", + "SHA256": "af45d91fefd4dfffda0ce70957a542b68775368432e52d20dfdf0fc159495c7f" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.50.0.1041", + "FileVersion": "5.50.0.1091", "Product": "Trend Micro Eyes", - "ProductVersion": "6.50", - "Copyright": "Copyright (C) 2014 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2013 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -110919,8 +115746,6 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", "??0CDelayLoadThread@@QAE@ABV0@@Z", "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", 
@@ -110981,7 +115806,7 @@ "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", @@ -110990,8 +115815,6 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", @@ -110999,7 +115822,6 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", @@ -111035,7 +115857,6 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", @@ -111046,7 +115867,6 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", @@ -111069,7 +115889,6 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", @@ -111102,7 +115921,6 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", 
@@ -111142,9 +115960,7 @@ "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", @@ -111166,8 +115982,6 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", "?First@CNoLockList@@UAEPAXXZ", 
@@ -111190,31 +116004,24 @@ "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", 
@@ -111243,15 +116050,12 @@ "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", @@ -111269,14 +116073,11 @@ "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", @@ -111312,7 +116113,6 @@ "?SetFlagConfig@CContext@@UAEJKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", 
@@ -111325,45 +116125,27 @@ "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", "?WaitForInit@CDelayLoadThread@@QAEEXZ", "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", "_InitKmLPC@0", - "_IsWindows8_1_update@4", "_KmCallUm@8", - "_KmCallUmByLPC@8", "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", "_ModLoadDLLToBufferWithImageSize@8", 
@@ -111373,12 +116155,8 @@ "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", "_UtilCleanFileReadOnly@4", - "_UtilCreateDosFileName@8", "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", "_UtilGetFileObjectForProcessByEPROC@8", "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", @@ -111391,7 +116169,6 @@ "_UtilKeGetLowFileDevice@16", "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", "_UtilQueryKeyValue@24", "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", @@ -111399,7 +116176,6 @@ "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ 
@@ -111407,36 +116183,42 @@ "KeSetEvent", "KePulseEvent", "KeClearEvent", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "KeReleaseSemaphore", "KeStackAttachProcess", "KeUnstackDetachProcess", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", + "ExFreePoolWithTag", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", "ObfDereferenceObject", "ZwSetEvent", "ZwClose", + "ZwRequestWaitReplyPort", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", "ZwConnectPort", "RtlInitUnicodeString", "RtlUnicodeStringToInteger", "ZwCreateSection", "ZwWaitForSingleObject", "ZwOpenEvent", - "IoGetCurrentProcess", "ObfReferenceObject", + "IoGetCurrentProcess", "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", "PsGetProcessExitTime", "MmSectionObjectType", "PsThreadType", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", "DbgPrint", "memset", "MmIsAddressValid", 
@@ -111450,36 +116232,26 @@ "swprintf", "towupper", "_wcsnicmp", - "ExAllocatePoolWithTag", "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", "ZwCreateKey", "ZwCreateEvent", "KeWaitForMultipleObjects", "ObReferenceObjectByHandle", "ZwNotifyChangeKey", + "PsGetCurrentThreadId", "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", - "KeDelayExecutionThread", "KeNumberProcessors", "ZwQueryInformationProcess", "PsLookupProcessByProcessId", + "KeDelayExecutionThread", "ZwOpenDirectoryObject", "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", @@ -111497,30 +116269,25 @@ "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "ZwQuerySecurityObject", - "memcpy", - "RtlLengthSecurityDescriptor", "MmHighestUserAddress", "IoFreeIrp", - "IoFreeMdl", + "memcpy", "MmUnlockPages", - "_purecall", + "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "mbstowcs", + "_purecall", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", - "ObQueryNameString", - "MmGetSystemRoutineAddress", "ZwSetInformationObject", "_stricmp", "ZwUnmapViewOfSection", "ZwMapViewOfSection", "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", "IoCreateFile", "IofCallDriver", "IoAllocateIrp", 
@@ -111528,57 +116295,55 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", - "RtlImageNtHeader", + "MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", "RtlCompareMemory", "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", + "RtlImageNtHeader", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", "strrchr", "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", + "ObQueryNameString", "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", "IofCompleteRequest", "ExEventObjectType", + "_allmul", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", "IoGetDeviceObjectPointer", "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", "RtlCompareUnicodeString", "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", "ObOpenObjectByName", + "IoDriverObjectType", + "RtlAppendUnicodeStringToString", + "strncmp", "NtQueryInformationProcess", + "IoThreadToProcess", "PsIsThreadTerminating", "KeAddSystemServiceTable", "ZwQueryObject", - "ZwFsControlFile", + "ZwQuerySecurityObject", "ObInsertObject", + "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", + "RtlUpcaseUnicodeString", "ObCreateObject", "_allshr", "ExInterlockedPopEntrySList", "IoGetStackLimits", "IoBuildSynchronousFsdRequest", + "MmSystemRangeStart", "wcsstr", - "RtlUpcaseUnicodeString", "IoUnregisterPlugPlayNotification", "FsRtlIsNameInExpression", "IoGetConfigurationInformation", 
@@ -111602,28 +116367,30 @@ "ExReleaseFastMutexUnsafe", "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "ZwSetSecurityObject", + "IoFreeMdl", "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "IoBuildAsynchronousFsdRequest", + "mbstowcs", "KeGetCurrentThread", "KfAcquireSpinLock", "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", + "KeGetCurrentIrql", "ExAcquireFastMutex", "ExReleaseFastMutex", - "KeGetCurrentIrql", "KfRaiseIrql", "ClassInitialize" ], @@ -111640,10 +116407,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -111655,22 +116422,15 @@ }, { "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", - "ValidFrom": "2014-02-07 00:00:00", - "ValidTo": "2015-04-08 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "ValidFrom": "2013-01-17 00:00:00", + "ValidTo": "2014-03-18 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "5bb307b9e6fbf0c0fd40f5772d1ad8e3", + "SerialNumber": "1a9d178ad334acdf47c8a0d15bb50e6e", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -111679,22 +116439,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "62eed4173c566a248531fb6f20a5900d", - "SHA1": "0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0", - "SHA256": "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918", + "MD5": "1db988eb9ac5f99756c33b91830a9cf6", + "SHA1": "4471935df0e68fe149425703b66f1efca3d82168", + "SHA256": "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01", "Authentihash": { - "MD5": "8b3b8e708437670247e2e8af98e9c269", - "SHA1": "c9fd7be77bad0db66831c5fdaef66d96574ae2e4", - "SHA256": "d33fe3bbcdf1ef7e42faf4ac81d7da3a6451eb67b477e78b75506b0df21cf598" + "MD5": "a134546e7fd28a27327fd6e4c7ddad9e", + "SHA1": "3f0972132e791e4b24c6a390633aff670afd7ccc", + "SHA256": "3912c38f4c09b107ee9bbb60f43a8193d6bacf00bfb3b59b7b146d76594797cf" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.0.0.1101", + "FileVersion": "7.30.0.1078", "Product": "Trend Micro Eyes", - "ProductVersion": "7.0", - "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "7.30", + "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" @@ -112247,6 +117007,11 @@ "ZwWaitForSingleObject", "ZwRequestWaitReplyPort", "ZwConnectPort", + "_stricmp", + "ExAllocatePoolWithTag", + "MmIsAddressValid", + "RtlImageNtHeader", + "ZwQuerySystemInformation", "SeCaptureSubjectContext", "SeReleaseSubjectContext", "SeAccessCheck", @@ -112259,7 +117024,6 @@ "RtlSetDaclSecurityDescriptor", "KeInitializeSemaphore", "KeReleaseSemaphore", - "ExAllocatePoolWithTag", "ExAcquireFastMutex", "ExReleaseFastMutex", "RtlCreateAcl", @@ -112272,7 +117036,6 @@ "DbgPrint", "swprintf", "RtlCopyUnicodeString", - "PsGetVersion", "IofCompleteRequest", "IoCreateSymbolicLink", "IoDeleteDevice", 
@@ -112296,27 +117059,24 @@ "towupper", "MmGetSystemRoutineAddress", "ObReferenceObjectByPointer", - "MmIsAddressValid", "PsGetCurrentThreadId", "ObQueryNameString", + "PsGetVersion", "_snprintf", "_vsnprintf", "RtlInitAnsiString", - "RtlAnsiStringToUnicodeString", + "wcscat", "RtlFreeUnicodeString", "RtlTimeToTimeFields", "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "wcscat", + "ZwCreateKey", "ZwDeviceIoControlFile", "ZwNotifyChangeKey", "ZwOpenFile", "ZwQueryVolumeInformationFile", "mbstowcs", - "_stricmp", "IoGetDeviceObjectPointer", - "RtlImageNtHeader", - "ZwQuerySystemInformation", "IoBuildDeviceIoControlRequest", "IofCallDriver", "IoCreateFile", @@ -112406,7 +117166,7 @@ "SeExports", "IoIsWdmVersionAvailable", "RtlAbsoluteToSelfRelativeSD", - "ZwCreateKey", + "RtlAnsiStringToUnicodeString", "_purecall", "KeBugCheckEx" ], 
@@ -112416,17 +117176,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", - "ValidFrom": "2015-12-31 00:00:00", - "ValidTo": "2019-07-09 18:40:36", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2016-03-29 00:00:00", - "ValidTo": "2017-06-28 23:59:59", - "Signature": "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", + "ValidFrom": "2017-04-27 00:00:00", + "ValidTo": "2018-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, 
{ @@ -112446,7 +117213,7 @@ ], "Signer": [ { - "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "SerialNumber": "497c4fad471540e6e453d0cafb155740", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] @@ -112455,22 +117222,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "8cb2ffb8bb0bbf8cd0dd685611854637", - "SHA1": "3ca51b23f8562485820883e894b448413891183a", - "SHA256": "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036", + "MD5": "f33c3f08536f988aac84d72d83b139a6", + "SHA1": "07f60b2b0e56cb15aad3ca8a96d9fe3a91491329", + "SHA256": "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10", "Authentihash": { - "MD5": "cc40deb90f473e8cc92ba1440f546068", - "SHA1": "0a8f087ac86cb29b206c436f8b2ce58c7f43ec7d", - "SHA256": "ab3e5217c5ec836a882d68a23b017de5b4f88328510e4bcb9564759926aec89f" + "MD5": "9c5ecf2cf0ba2a3297f9677d514c2a39", + "SHA1": "01df70bdb08dda678118d4449b6171fe387b5d0c", + "SHA256": "35a7be9b0cde8c3d409a472a320541df070d7af6008e6458a05947f2591da9b5" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.50.0.1058", + "FileVersion": "5.50.0.1070", "Product": "Trend Micro Eyes", - "ProductVersion": "6.50", - "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", @@ -112488,8 +117255,6 @@ "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", "??0CDelayLoadThread@@QAE@ABV0@@Z", "??0CDelayLoadThread@@QAE@XZ", "??0CExclusionExtConfig@@QAE@ABV0@@Z", 
@@ -112550,7 +117315,7 @@ "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", @@ -112559,8 +117324,6 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", @@ -112568,7 +117331,6 @@ "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", "??1CDelayLoadThread@@UAE@XZ", "??1CExclusionExtConfig@@UAE@XZ", "??1CExclusionFileNameConfig@@UAE@XZ", @@ -112604,7 +117366,6 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", @@ -112615,7 +117376,6 @@ "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", @@ -112638,7 +117398,6 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", @@ -112671,7 +117430,6 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", 
@@ -112711,9 +117469,7 @@ "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", @@ -112735,8 +117491,6 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", "?First@CNoLockList@@UAEPAXXZ", 
@@ -112759,31 +117513,24 @@ "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UAEJKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", 
@@ -112812,15 +117559,12 @@ "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", @@ -112838,14 +117582,11 @@ "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", @@ -112881,7 +117622,6 @@ "?SetFlagConfig@CContext@@UAEJKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", 
@@ -112894,45 +117634,27 @@ "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", "?WaitForInit@CDelayLoadThread@@QAEEXZ", "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_DeInitKm2UmCommunication@0", "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - "_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", "_InitKmLPC@0", - "_IsWindows8_1_update@4", "_KmCallUm@8", - "_KmCallUmByLPC@8", "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetCommPortAPIs@4", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", "_ModLoadDLLToBufferWithImageSize@8", 
@@ -112942,12 +117664,8 @@ "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", "_UtilCleanFileReadOnly@4", - "_UtilCreateDosFileName@8", "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", "_UtilGetFileObjectForProcessByEPROC@8", "_UtilGetFileObjectFromFileName@12", "_UtilGetProcessName@12", @@ -112960,7 +117678,6 @@ "_UtilKeGetLowFileDevice@16", "_UtilModuleIATHook@24", "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", "_UtilQueryKeyValue@24", "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", @@ -112968,7 +117685,6 @@ "_UtilWriteVersionToRegistry@8", "_UtilbuildDynamicDiskMappingTable@0", "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ 
@@ -112976,37 +117692,42 @@ "KeSetEvent", "KePulseEvent", "KeClearEvent", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "KeReleaseSemaphore", "KeStackAttachProcess", "KeUnstackDetachProcess", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", + "ExFreePoolWithTag", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", "ObfDereferenceObject", "ZwSetEvent", "ZwClose", + "ZwRequestWaitReplyPort", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", "ZwConnectPort", "RtlInitUnicodeString", "RtlUnicodeStringToInteger", "ZwCreateSection", "ZwWaitForSingleObject", "ZwOpenEvent", - "IoGetCurrentProcess", "ObfReferenceObject", + "IoGetCurrentProcess", "DbgBreakPoint", - "ZwRequestWaitReplyPort", - "ExFreePoolWithTag", - "ProbeForWrite", - "ZwFreeVirtualMemory", - "ZwAllocateVirtualMemory", - "ObOpenObjectByPointer", - "PsProcessType", - "memmove", "PsGetProcessExitTime", "MmSectionObjectType", "PsThreadType", - "MmGetSystemRoutineAddress", - "ObReleaseObjectSecurity", - "SeReleaseSubjectContext", - "SeAccessCheck", - "SeCaptureSubjectContext", - "ObGetObjectSecurity", "DbgPrint", "memset", "MmIsAddressValid", 
@@ -113020,37 +117741,26 @@ "swprintf", "towupper", "_wcsnicmp", - "ExAllocatePoolWithTag", "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", "KeQuerySystemTime", - "PsGetCurrentThreadId", - "RtlInitAnsiString", - "ZwDeviceIoControlFile", "ZwCreateKey", "ZwCreateEvent", "KeWaitForMultipleObjects", "ObReferenceObjectByHandle", "ZwNotifyChangeKey", + "PsGetCurrentThreadId", "_vsnprintf", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "ExGetPreviousMode", - "KeWaitForSingleObject", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", - "KeDelayExecutionThread", "KeNumberProcessors", "ZwQueryInformationProcess", "PsLookupProcessByProcessId", + "KeDelayExecutionThread", "ZwOpenDirectoryObject", "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", @@ -113063,33 +117773,30 @@ "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", + "ExGetPreviousMode", "ZwTerminateProcess", - "ZwOpenProcess", - "ZwQueryKey", - "ZwSetValueKey", - "IoFileObjectType", - "_allrem", - "memcpy", - "ZwSetSecurityObject", - "RtlLengthSecurityDescriptor", + "ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", "MmHighestUserAddress", - "IoFreeIrp", + "memcpy", "IoFreeMdl", - "_purecall", + "MmUnlockPages", "IoBuildAsynchronousFsdRequest", "_strnicmp", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "mbstowcs", + "_purecall", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", "NtClose", - "ObQueryNameString", "ZwSetInformationObject", "_stricmp", "ZwUnmapViewOfSection", "ZwMapViewOfSection", "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", "IoCreateFile", "IofCallDriver", "IoAllocateIrp", 
@@ -113097,59 +117804,56 @@ "IoAllocateMdl", "ProbeForRead", "PsGetVersion", - "RtlImageNtHeader", + "MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", "RtlCompareMemory", - "RtlUpcaseUnicodeString", "_snwprintf", - "MmSystemRangeStart", - "wcsncmp", + "RtlImageNtHeader", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", "strrchr", "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", + "ObQueryNameString", "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "_allmul", - "KeReleaseSemaphore", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "KeInitializeSemaphore", "IofCompleteRequest", "ExEventObjectType", + "_allmul", "IoDeleteDevice", "IoDeleteSymbolicLink", "IoCreateSymbolicLink", "IoGetDeviceObjectPointer", "RtlUpperChar", - "ObReferenceObjectByName", - "IoDriverObjectType", "RtlCompareUnicodeString", "strncpy", "KeServiceDescriptorTable", "NtOpenProcess", "ObOpenObjectByName", + "IoDriverObjectType", + "RtlAppendUnicodeStringToString", + "strncmp", "NtQueryInformationProcess", "PsIsThreadTerminating", "KeAddSystemServiceTable", "ZwQueryObject", - "ZwFsControlFile", + "ZwQuerySecurityObject", "ObInsertObject", + "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", + "RtlUpcaseUnicodeString", "ObCreateObject", "_allshr", "ExInterlockedPopEntrySList", "IoGetStackLimits", "IoBuildSynchronousFsdRequest", - "wcsstr", + "MmSystemRangeStart", "IoUnregisterPlugPlayNotification", "FsRtlIsNameInExpression", + "wcsstr", "IoGetConfigurationInformation", "MmProbeAndLockPages", "IoGetDeviceInterfaces", 
@@ -113171,28 +117875,30 @@ "ExReleaseFastMutexUnsafe", "KeLeaveCriticalRegion", "KeEnterCriticalRegion", - "ZwQuerySecurityObject", + "IoFreeIrp", "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", "SeExports", "IoIsWdmVersionAvailable", "RtlLengthSid", "RtlAbsoluteToSelfRelativeSD", - "MmUnlockPages", + "mbstowcs", "KeGetCurrentThread", "KfAcquireSpinLock", "KfReleaseSpinLock", "KeRaiseIrqlToDpcLevel", "KfLowerIrql", + "KeGetCurrentIrql", "ExAcquireFastMutex", "ExReleaseFastMutex", - "KeGetCurrentIrql", "KfRaiseIrql", "ClassInitialize" ], 
@@ -113202,17 +117908,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2015-05-05 00:00:00", - "ValidTo": "2015-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": 
"aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -113223,23 +117936,16 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2015-02-20 00:00:00", - "ValidTo": "2016-05-21 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-12-27 00:00:00", + "ValidTo": "2013-02-15 23:59:59", + "Signature": "840ba0fc35187fe2edc7b17c101fd2bf035bbad8f3de048e250741e96a3f4ecee86f1f065ea76f2f8f430a13a75ff3eab29a8b11a13006d27bf3173fa49aabf9cef98fc4554f1732317c4b821c740eb58a91977d85e86574dd712718b15d24f7eb88b6d4520aef788478e1ef8cebd7fff06fadbc87ca6ca2b77da85be3c30b4d590bcb8945a0acfa013f89073933494d9c465c0036280a5af39f6802e60bd175a2603366dd935cb3458b1791411a06b6e5f38e3171de4238051c79b33117cb94674d0625c402bdfb0f99b80625dc0f827911c6c11263884a4e41d1abf60070ad46b7296e19e1cfcda7304a650d7a814319cc11e5a947e82b2d00a169e798b871", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", + "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] 
@@ -113248,22 +117954,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "59f6320772a2e6b0b3587536be4cc022", - "SHA1": "fc8fbd92f6e64682360885c188d1bdfbc14ca579", - "SHA256": "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5", + "MD5": "46edb648c1b5c3abd76bd5e912dac026", + "SHA1": "3f43412c563889a5f5350f415f7040a71cc25221", + "SHA256": "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd", "Authentihash": { - "MD5": "d47678b2b6a24ffb8778d44bb2245abf", - "SHA1": "27ac9d934e3a700c1d391cfbaecff8049a6ed97c", - "SHA256": "cb21a13819bf295f34f5b34e3e566d25d880b045831e90ff610daf9e8b1f15cd" + "MD5": "24d18871ef8362a3fc2296f859f34793", + "SHA1": "fcd9d88abae49a60c462fdfb0cca8f1d105eb3b1", + "SHA256": "92bb92314ad69e9d118df55924ddab76b983029f1eae7739bbb098c6bea86ca1" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1078", + "FileVersion": "5.50.0.1070", "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" @@ -113279,8 +117985,6 @@ "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", "??0CDebugLog@@QEAA@AEBV0@@Z", "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", "??0CDelayLoadThread@@QEAA@AEBV0@@Z", "??0CDelayLoadThread@@QEAA@XZ", "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", @@ -113341,7 +118045,7 @@ "??0CSystemThread@@QEAA@AEBV0@@Z", "??0CSystemThread@@QEAA@K@Z", "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z0@Z", "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QEAA@AEBV0@@Z", "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", 
@@ -113350,8 +118054,6 @@ "??0CWorkerThreadJobQueue@@QEAA@K@Z", "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", "??0IMemoryAllocator@@QEAA@AEBV0@@Z", "??0IMemoryAllocator@@QEAA@XZ", "??1CAutoUpdateConfigThread@@UEAA@XZ", @@ -113359,7 +118061,6 @@ "??1CContext@@UEAA@XZ", "??1CContextList@@UEAA@XZ", "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", "??1CDelayLoadThread@@UEAA@XZ", "??1CExclusionExtConfig@@UEAA@XZ", "??1CExclusionFileNameConfig@@UEAA@XZ", @@ -113395,7 +118096,6 @@ "??1CWorkerThreadJob@@UEAA@XZ", "??1CWorkerThreadJobQueue@@UEAA@XZ", "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", "??1IMemoryAllocator@@UEAA@XZ", "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", "??2CMemoryAllocator@@SAPEAX_K@Z", @@ -113406,7 +118106,6 @@ "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", "??4CContext@@QEAAAEAV0@AEBV0@@Z", "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", "??4CFile@@QEAAAEAV0@AEBV0@@Z", "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", @@ -113429,7 +118128,6 @@ "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", "??_7CDelayLoadThread@@6B@", "??_7CExclusionExtConfig@@6B@", "??_7CExclusionFileNameConfig@@6B@", @@ -113462,7 +118160,6 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QEAAXXZ", "??_FCFile@@QEAAXXZ", 
@@ -113502,9 +118199,7 @@ "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", "?Delete@CFile@@QEAAJXZ", "?Delete@CFileExtension@@QEAAEPEBGK@Z", @@ -113526,8 +118221,6 @@ "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", "?FindNode@CContextList@@IEAAPEAXPEAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", "?First@CList@@UEAAPEAXXZ", "?First@CLockList@@UEAAPEAXXZ", "?First@CNoLockList@@UEAAPEAXXZ", 
@@ -113550,31 +118243,24 @@ "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", "?GetID@CModuleConfig@@QEAAKXZ", "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QEAAKXZ", "?GetLinkContext@CContext@@QEAAPEAXXZ", "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", "?GetModuleId@CModuleConfig@@QEAAKXZ", "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", "?GetSize@CBlobConfig@@QEAAKXZ", "?GetStringConfig@CContext@@QEAAPEAGK@Z", "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", "?GetThreadID@CSystemThread@@QEAA_KXZ", "?GetType@CContext@@QEAAKXZ", "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", "?InitializeFlagConfig@CContext@@QEAAHKK@Z", 
@@ -113603,15 +118289,12 @@ "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", "?IsOpened@CFile@@QEAAEXZ", "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", "?IsValid@CMemoryAllocator@@UEAAEXZ", "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", "?IsValid@IMemoryAllocator@@UEAAEXZ", "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QEAAKXZ", "?Limit@CNoLockList@@QEAAKXZ", "?MatchAllExtensions@CFileExtension@@QEAAEXZ", @@ -113629,14 +118312,11 @@ "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", "?NotityTerminate@CWorkerThread@@QEAAXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", "?Pulse@CKEvent@@QEAAJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", "?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", "?ReferenceCount@CContext@@QEAAAEAKXZ", "?Release@CLockEvent@@QEAAXXZ", "?Remove@CContextList@@UEAAEQEAX@Z", @@ -113672,7 +118352,6 @@ "?SetFlagConfig@CContext@@UEAAJKK@Z", "?SetLinkContext@CContext@@QEAAXPEAX@Z", "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", 
@@ -113685,46 +118364,27 @@ "?TearDown@CSystemThread@@MEAAXXZ", "?Terminate@CSystemThread@@QEAAXE@Z", "?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", "?WaitForInit@CDelayLoadThread@@QEAAEXZ", "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "DeInitKm2UmCommunication", "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", "GetModuleInfoByAddress", "GetModuleInfoByModuleName", - "InitKm2UmCommunication", "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", "KmCallUm", - "KmCallUmByLPC", "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetCommPortAPIs", "ModGetExportProcAddress", "ModLoadDLLToBuffer", "ModLoadDLLToBufferWithImageSize", 
@@ -113734,13 +118394,7 @@ "NormalizeFullNtPathToDosName", "TmCommConfigRoutine", "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", "UtilGetFileObjectForProcessByEPROC", "UtilGetFileObjectFromFileName", "UtilGetProcessName", @@ -113753,8 +118407,6 @@ "UtilKeGetLowFileDevice", "UtilModuleIATHook", "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", "UtilQueryKeyValue", "UtilRemoveDeviceFromDriveTable", "UtilVolumeDeviceToDosName", 
@@ -113762,213 +118414,772 @@ "UtilWriteVersionToRegistry", "UtilbuildDynamicDiskMappingTable", "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", "_UtilDosPathNameToNtPathName" ], "ImportedFunctions": [ "KeLeaveCriticalRegion", "wcsncpy", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "wcsrchr", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "_purecall", + "ZwOpenEvent", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + "ZwConnectPort", + "ExAllocatePoolWithTag", + "KeClearEvent", + "PsProcessType", + "ExFreePoolWithTag", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlInitUnicodeString", + "KeSetEvent", + "ProbeForWrite", + "KeUnstackDetachProcess", + "RtlAddAccessAllowedAce", + "ZwRequestWaitReplyPort", + "ZwWaitForSingleObject", + "DbgBreakPoint", + "ZwSetEvent", + "IoGetCurrentProcess", + "ZwFreeVirtualMemory", + "ZwClose", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "KeReleaseSemaphore", + "RtlInitializeSid", + "ObfReferenceObject", + "ObfDereferenceObject", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "RtlCreateSecurityDescriptor", + "KePulseEvent", + "ZwAllocateVirtualMemory", + "PsThreadType", + "PsGetProcessExitTime", + "MmSectionObjectType", + "DbgPrint", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "ZwReadFile", + "swprintf", + "ZwSetInformationFile", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwWriteFile", + "_wcsnicmp", + "towupper", + "KeInitializeEvent", + "ZwCreateEvent", + "ZwCreateKey", + "ZwNotifyChangeKey", + "_snprintf", + "ExSystemTimeToLocalTime", + "_vsnprintf", + "ObReferenceObjectByHandle", + "RtlTimeToTimeFields", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "MmIsAddressValid", + "KeWaitForMultipleObjects", + "KeSetPriorityThread", + "PsCreateSystemThread", 
+ "PsTerminateSystemThread", + "KeNumberProcessors", + "PsLookupProcessByProcessId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenDirectoryObject", + "KeDelayExecutionThread", + "ZwQueryInformationProcess", + "ExGetPreviousMode", + "ExReleaseFastMutexUnsafe", + "ZwQuerySystemInformation", + "ZwQueryValueKey", + "ZwOpenKey", + "_stricmp", + "_strnicmp", + "mbstowcs", + "ProbeForRead", + "_snwprintf", + "ZwQuerySymbolicLinkObject", + "ZwMapViewOfSection", + "MmGetSystemRoutineAddress", + "RtlAppendUnicodeToString", + "IoCreateFile", + "RtlQueryRegistryValues", + "RtlEqualUnicodeString", + "MmBuildMdlForNonPagedPool", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "RtlFreeUnicodeString", + "IoFileObjectType", + "ZwUnmapViewOfSection", + "NtClose", + "IoFreeIrp", + "PsGetVersion", + "IoAllocateIrp", + "RtlCopyUnicodeString", + "ZwOpenFile", + "RtlImageNtHeader", + "IoAllocateMdl", + "IofCallDriver", + "ZwQueryVolumeInformationFile", + "ObQueryNameString", + "ObReferenceObjectByPointer", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "ExEventObjectType", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "ObInsertObject", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "IoReleaseVpbSpinLock", + "KeBugCheckEx", + "IoCreateDevice", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "wcschr", + "RtlLengthSid", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwSetValueKey", + "ExAcquireResourceExclusiveLite", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 
00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-12-27 00:00:00", + "ValidTo": "2013-02-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", + "Issuer": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "2ddd3c0e23bc0fd63702910c597298b4", + "SHA1": "3fd7fda9c7dfdb2a845c39971572bd090bee3b1d", + "SHA256": "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e", + "Authentihash": { + "MD5": "007d2afd1aa5ebcd3cfa447087156319", + "SHA1": "a3e23bd4ea435781eb394581ac3fa1fe27e074ec", + "SHA256": "886b28af7d2907a61720da0b6ea5d88a9a8512ceb120e88889f3fedd6bf313b4" + }, + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "2.5.0.1121", + "Product": "AEGIS", + "ProductVersion": "2.5", + "Copyright": "Copyright (C) 2005-2008 Trend Micro Incorporated. All rights reserved.", + "MachineType": "I386", + "Imports": [ + "ntoskrnl.exe", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + 
"??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + 
"??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + 
"??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + 
"?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", 
+ "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?InsertEx@CLockList@@UAEEQAXE@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + 
"?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + 
"?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_MapMem@12", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UnMapMem@8", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetProcessName@12", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilQueryKeyValue@24", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "__UtilDosPathNameToNtPathName@12" + ], + "ImportedFunctions": [ + "KeEnterCriticalRegion", + "KeGetCurrentThread", + "KeLeaveCriticalRegion", + 
"ExReleaseFastMutexUnsafe", + "wcsncpy", + "memcpy", "wcsrchr", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "_purecall", - "ZwOpenEvent", - "ZwConnectPort", + "KeSetEvent", + "KePulseEvent", "KeClearEvent", - "PsProcessType", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "DbgPrint", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", "ExFreePoolWithTag", - "RtlInitUnicodeString", - "KeSetEvent", - "ProbeForWrite", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ObfDereferenceObject", + "ZwSetEvent", + "ZwClose", "KeUnstackDetachProcess", "ZwRequestWaitReplyPort", + "memmove", + "KeStackAttachProcess", + "ZwConnectPort", + "RtlInitUnicodeString", + "ZwCreateSection", "ZwWaitForSingleObject", - "DbgBreakPoint", - "ZwSetEvent", - "IoGetCurrentProcess", - "ZwFreeVirtualMemory", - "ZwClose", + "ZwOpenEvent", "ObfReferenceObject", - "ObfDereferenceObject", - "RtlUnicodeStringToInteger", - "ZwCreateSection", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "KePulseEvent", - "ZwAllocateVirtualMemory", - "ObGetObjectSecurity", - "SeAccessCheck", - "SeReleaseSubjectContext", - "SeCaptureSubjectContext", - "PsThreadType", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "MmSectionObjectType", - "DbgPrint", - "ExDeleteResourceLite", - "ExInitializeResourceLite", + "IoGetCurrentProcess", + "memset", + "MmIsAddressValid", + "ZwWriteFile", "ZwReadFile", - "swprintf", + "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", - "ZwQueryInformationFile", - "ZwWriteFile", - "_wcsnicmp", + "swprintf", "towupper", - "ExAllocatePoolWithTag", + "_wcsnicmp", "KeInitializeEvent", - "ZwCreateEvent", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwNotifyChangeKey", - "RtlInitAnsiString", "_snprintf", - "RtlFreeUnicodeString", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", 
"ExSystemTimeToLocalTime", - "_vsnprintf", + "KeQuerySystemTime", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", "ObReferenceObjectByHandle", - "RtlTimeToTimeFields", - "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", "PsGetCurrentThreadId", - "PsGetCurrentProcessId", - "KeWaitForMultipleObjects", - "ExGetPreviousMode", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", - "RtlUpcaseUnicodeChar", - "KeWaitForSingleObject", + "_vsnprintf", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "MmUnmapLockedPages", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", - "MmIsAddressValid", - "KeDelayExecutionThread", + "PsCreateSystemThread", "KeNumberProcessors", - "PsLookupProcessByProcessId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenDirectoryObject", - "ZwQueryInformationProcess", - "ZwQuerySecurityObject", - "NtSetInformationFile", - "ZwDeleteValueKey", - "ZwSetValueKey", "ZwQuerySystemInformation", - "NtQueryInformationFile", - "IoFileObjectType", - "ZwQueryValueKey", "ZwQueryDirectoryFile", - "NtCreateFile", - "ZwEnumerateValueKey", - "RtlLengthSecurityDescriptor", + "ZwOpenDirectoryObject", "ZwQueryDirectoryObject", - "ZwSetSecurityObject", "ZwDuplicateObject", - "ZwOpenProcess", - "ZwTerminateProcess", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", "ZwDeleteKey", - "ExReleaseFastMutexUnsafe", + "ExGetPreviousMode", + "ExAcquireFastMutexUnsafe", + "ObOpenObjectByPointer", + "PsProcessType", + "ZwOpenProcess", "ZwQueryKey", - "ZwOpenKey", - "MmSystemRangeStart", + "ZwSetValueKey", + "IoFreeIrp", + "IoBuildAsynchronousFsdRequest", + "ProbeForWrite", "_stricmp", + "RtlImageNtHeader", "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "KeDelayExecutionThread", "mbstowcs", - "ProbeForRead", - "RtlUpcaseUnicodeString", - "_snwprintf", "ZwQuerySymbolicLinkObject", - 
"ZwMapViewOfSection", - "MmGetSystemRoutineAddress", - "RtlAppendUnicodeToString", - "IoCreateFile", - "RtlQueryRegistryValues", - "MmBuildMdlForNonPagedPool", "ZwOpenSymbolicLinkObject", + "RtlEqualUnicodeString", + "IoFileObjectType", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", "IoFreeMdl", - "ObQueryNameString", - "ZwUnmapViewOfSection", - "NtClose", - "IoFreeIrp", + "IoAllocateMdl", "PsGetVersion", - "IoAllocateIrp", + "MmGetSystemRoutineAddress", "RtlCompareMemory", - "MmUnlockPages", - "ZwSetInformationObject", - "ZwOpenFile", - "wcsncmp", - "RtlImageNtHeader", - "IoAllocateMdl", - "IofCallDriver", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlInitializeSid", - "RtlCreateSecurityDescriptor", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "ExEventObjectType", + "RtlCopyUnicodeString", + "KeBugCheckEx", + "RtlAppendUnicodeStringToString", "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IoCreateSymbolicLink", + "ProbeForRead", "IoGetDeviceObjectPointer", - "ObOpenObjectByName", - "NtQueryInformationProcess", + "ExAllocatePool", + "RtlUpperChar", + "RtlCompareUnicodeString", + "PsLookupProcessByProcessId", "strncpy", + "KeServiceDescriptorTable", "NtOpenProcess", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "_snwprintf", + "RtlAnsiStringToUnicodeString", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", "ObInsertObject", + "_allrem", + "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "IoReleaseVpbSpinLock", - 
"wcschr", - "strncat", - "RtlUnicodeStringToAnsiString", - "wcsncat", - "RtlFreeAnsiString", - "wcstombs", - "IoGetConfigurationInformation", - "IoRegisterPlugPlayNotification", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "FsRtlIsNameInExpression", - "wcsstr", - "ExAllocatePool", - "IoUnregisterPlugPlayNotification", - "MmProbeAndLockPages", - "RtlCompareUnicodeString", - "IoGetDeviceInterfaces", - "DbgPrintEx", - "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoCreateDevice", + "KeTickCount", + "RtlUnwind", + "ZwSetSecurityObject", "IoDeviceObjectType", - "SeCaptureSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "RtlLengthSid", - "RtlGetSaclSecurityDescriptor", + "IoCreateDevice", "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "ZwEnumerateKey", - "ExAcquireResourceExclusiveLite", - "__C_specific_handler" + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlFreeUnicodeString", + "ZwTerminateProcess", + "_purecall", + "ClassInitialize" ], "Signatures": [ { 
@@ -113976,45 +119187,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", - "ValidFrom": "2015-05-05 00:00:00", - "ValidTo": "2015-12-31 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2015-02-20 00:00:00", - "ValidTo": "2016-05-21 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": 
"2008-01-16 00:00:00", + "ValidTo": "2011-02-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "645212f783f4d7aba3555729e99ce065", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } 
@@ -114022,65 +119233,39 @@ }, { "FileName": "TmComm.sys", - "MD5": "c006d1844f20b91d0ea52bf32d611f30", - "SHA1": "70258117b5efe65476f85143fd14fa0b7f148adb", - "SHA256": "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566", + "MD5": "3e4a1384a27013ab7b767a88b8a1bd34", + "SHA1": "ae344c123ef6d206235f2a8448d07f86433db5a6", + "SHA256": "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e", "Authentihash": { - "MD5": "893a04662ec3207278510b671992072d", - "SHA1": "61ec0fdef8d1c5248fab9a3cf0764b7be9ddea37", - "SHA256": "2c1b6a278ff90171a7472423a2626edcf75233aacac1bd7d1995716ef26f8dcf" + "MD5": "32f1d8b0fca32fd72a762cfa58870978", + "SHA1": "aef6765d5e4281854562e8e88cc09f5571ab17bc", + "SHA256": "2ffbb534c73106a2879d5a9d4ad3436c8d3ab8ac6aa8b217e26a6492fa1d16d0" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.0.0.1176", - "Product": "Trend Micro Eyes", - "ProductVersion": "7.0", - "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "1.6.0.1052", + "Product": "ActiveClean", + "ProductVersion": "1.6", + "Copyright": "Copyright (C) 2005-2007 Trend Micro Incorporated. 
All rights reserved.", "MachineType": "I386", "Imports": [ - "ntoskrnl.exe", - "CLASSPNP.SYS", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": [ "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", - "??0CBlobConfig@@QAE@ABV0@@Z", - "??0CBlobConfig@@QAE@K@Z", "??0CContext@@QAE@ABV0@@Z", - "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContext@@QAE@KP6GXPAU_TMCE_EVENT_REPORT@@PAX@Z1@Z", "??0CContextList@@QAE@ABV0@@Z", "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CDebugLog@@QAE@ABV0@@Z", "??0CDebugLog@@QAE@PBG@Z", - "??0CDebugLogEx@@QAE@ABV0@@Z", - "??0CDebugLogEx@@QAE@K@Z", - "??0CDelayLoadThread@@QAE@ABV0@@Z", - "??0CDelayLoadThread@@QAE@XZ", - "??0CExclusionExtConfig@@QAE@ABV0@@Z", - "??0CExclusionExtConfig@@QAE@KKE@Z", - "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CExclusionFileNameConfig@@QAE@KK@Z", - "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CExclusionFilePathConfig@@QAE@KK@Z", - "??0CExclusionFolderConfig@@QAE@ABV0@@Z", - "??0CExclusionFolderConfig@@QAE@KK@Z", - "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", - "??0CExclusionRegistryConfig@@QAE@KK@Z", "??0CFile@@QAE@ABV0@@Z", "??0CFile@@QAE@E@Z", "??0CFileExtension@@QAE@ABV0@@Z", "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QAE@ABV0@@Z", - "??0CInclusionExtConfig@@QAE@KKE@Z", - "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", - "??0CInclusionFileNameConfig@@QAE@KK@Z", - "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", - "??0CInclusionFilePathConfig@@QAE@KK@Z", - "??0CInclusionFolderConfig@@QAE@ABV0@@Z", - "??0CInclusionFolderConfig@@QAE@KK@Z", "??0CKEvent@@QAE@ABV0@@Z", "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", "??0CList@@QAE@ABV0@@Z", 
@@ -114098,26 +119283,23 @@ "??0CModuleConfigList@@QAE@ABV0@@Z", "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CModuleFileExtConfig@@QAE@ABV0@@Z", - "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFileExtConfig@@QAE@K@Z", "??0CModuleFlagConfig@@QAE@ABV0@@Z", "??0CModuleFlagConfig@@QAE@K@Z", "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", - "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleMultiStringConfig@@QAE@K@Z", "??0CModuleStringConfig@@QAE@ABV0@@Z", "??0CModuleStringConfig@@QAE@K@Z", - "??0CNoLockList@@QAE@ABV0@@Z", - "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", "??0CSmartLock@@QAE@XZ", "??0CSmartReference@@QAE@AAJ@Z", "??0CSmartReference@@QAE@AAK@Z", - "??0CSmartResource@@QAE@AAVCResource@@E@Z", "??0CStrList@@QAE@ABV0@@Z", "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", "??0CSystemThread@@QAE@ABV0@@Z", "??0CSystemThread@@QAE@K@Z", "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", - "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", "??0CWorkerThread@@QAE@ABV0@@Z", "??0CWorkerThreadJob@@QAE@ABV0@@Z", 
@@ -114126,28 +119308,14 @@ "??0CWorkerThreadJobQueue@@QAE@K@Z", "??0CWorkerThreadPool@@QAE@ABV0@@Z", "??0CWorkerThreadPool@@QAE@K@Z", - "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", - "??0CWorkerThreadPoolEx@@QAE@KK@Z", "??0IMemoryAllocator@@QAE@ABV0@@Z", "??0IMemoryAllocator@@QAE@XZ", "??1CAutoUpdateConfigThread@@UAE@XZ", - "??1CBlobConfig@@UAE@XZ", "??1CContext@@UAE@XZ", "??1CContextList@@UAE@XZ", "??1CDebugLog@@UAE@XZ", - "??1CDebugLogEx@@UAE@XZ", - "??1CDelayLoadThread@@UAE@XZ", - "??1CExclusionExtConfig@@UAE@XZ", - "??1CExclusionFileNameConfig@@UAE@XZ", - "??1CExclusionFilePathConfig@@UAE@XZ", - "??1CExclusionFolderConfig@@UAE@XZ", - "??1CExclusionRegistryConfig@@UAE@XZ", "??1CFile@@UAE@XZ", "??1CFileExtension@@UAE@XZ", - "??1CInclusionExtConfig@@UAE@XZ", - "??1CInclusionFileNameConfig@@UAE@XZ", - "??1CInclusionFilePathConfig@@UAE@XZ", - "??1CInclusionFolderConfig@@UAE@XZ", "??1CKEvent@@UAE@XZ", "??1CList@@UAE@XZ", "??1CLockEvent@@UAE@XZ", @@ -114160,10 +119328,8 @@ "??1CModuleFlagConfig@@UAE@XZ", "??1CModuleMultiStringConfig@@UAE@XZ", "??1CModuleStringConfig@@UAE@XZ", - "??1CNoLockList@@UAE@XZ", "??1CSmartLock@@QAE@XZ", "??1CSmartReference@@QAE@XZ", - "??1CSmartResource@@QAE@XZ", "??1CStrList@@UAE@XZ", "??1CSystemThread@@UAE@XZ", "??1CUserFuncAdapterJob@@UAE@XZ", @@ -114171,20 +119337,15 @@ "??1CWorkerThreadJob@@UAE@XZ", "??1CWorkerThreadJobQueue@@UAE@XZ", "??1CWorkerThreadPool@@UAE@XZ", - "??1CWorkerThreadPoolEx@@UAE@XZ", "??1IMemoryAllocator@@UAE@XZ", "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", "??2CMemoryAllocator@@SGPAXI@Z", "??2CMemoryPoolAllocator@@SGPAXI@Z", "??3@YAXPAX@Z", - "??3@YAXPAXI@Z", "??3IMemoryAllocator@@SGXPAX@Z", "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", - "??4CBlobConfig@@QAEAAV0@ABV0@@Z", "??4CContext@@QAEAAV0@ABV0@@Z", "??4CDebugLog@@QAEAAV0@ABV0@@Z", - "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", - "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", "??4CFile@@QAEAAV0@ABV0@@Z", "??4CKEvent@@QAEAAV0@ABV0@@Z", "??4CLockEvent@@QAEAAV0@ABV0@@Z", 
@@ -114195,30 +119356,17 @@ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEAAV0@ABV0@@Z", "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", - "??4CSmartResource@@QAEAAV0@ABV0@@Z", "??4CSystemThread@@QAEAAV0@ABV0@@Z", "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", "??4CWorkerThread@@QAEAAV0@ABV0@@Z", "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", - "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", "??_7CContextList@@6B@", "??_7CDebugLog@@6B@", - "??_7CDebugLogEx@@6B@", - "??_7CDelayLoadThread@@6B@", - "??_7CExclusionExtConfig@@6B@", - "??_7CExclusionFileNameConfig@@6B@", - "??_7CExclusionFilePathConfig@@6B@", - "??_7CExclusionFolderConfig@@6B@", - "??_7CExclusionRegistryConfig@@6B@", "??_7CFile@@6B@", "??_7CFileExtension@@6B@", - "??_7CInclusionExtConfig@@6B@", - "??_7CInclusionFileNameConfig@@6B@", - "??_7CInclusionFilePathConfig@@6B@", - "??_7CInclusionFolderConfig@@6B@", "??_7CKEvent@@6B@", "??_7CList@@6B@", "??_7CLockEvent@@6B@", @@ -114231,7 +119379,6 @@ "??_7CModuleFlagConfig@@6B@", "??_7CModuleMultiStringConfig@@6B@", "??_7CModuleStringConfig@@6B@", - "??_7CNoLockList@@6B@", "??_7CStrList@@6B@", "??_7CSystemThread@@6B@", "??_7CUserFuncAdapterJob@@6B@", @@ -114239,7 +119386,6 @@ "??_7CWorkerThreadJob@@6B@", "??_7CWorkerThreadJobQueue@@6B@", "??_7CWorkerThreadPool@@6B@", - "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", "??_FCContextList@@QAEXXZ", "??_FCFile@@QAEXXZ", 
@@ -114257,43 +119403,32 @@ "?Add@CFileExtension@@QAEEPBGK@Z", "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", - "?AddNode@CNoLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", "?Cancel@CWorkerThreadJob@@QAEXXZ", - "?CheckNode@CLockList@@UAEHQAX@Z", - "?CheckNode@CNoLockList@@UAEHQAX@Z", "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", - "?Cleanup@CBlobConfig@@AAEXXZ", - "?Cleanup@CModuleFileExtConfig@@IAEXXZ", - "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleFileExtConfig@@AAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@AAEXXZ", "?Cleanup@CModuleStringConfig@@AAEXXZ", "?Close@CFile@@QAEJXZ", "?Count@CLockList@@QAEKXZ", - "?Count@CNoLockList@@QAEKXZ", "?Create@CFile@@QAEJPBGKKKK@Z", "?Create@CSystemThread@@QAEEXZ", "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", "?CreatePool@CWorkerThreadPool@@QAEEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", - "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", "?Delete@CFile@@QAEJXZ", "?Delete@CFileExtension@@QAEEPBGK@Z", "?Delete@CStrList@@QAEEPBG@Z", "?DeleteAll@CList@@UAEXXZ", "?DeleteAll@CLockList@@UAEXXZ", - "?DeleteAll@CNoLockList@@UAEXXZ", "?DeleteNode@CContextList@@MAEXPAX@Z", "?DeleteNode@CList@@UAEXPAX@Z", "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", "?DoIt@CWorkerThreadJob@@QAEJXZ", "?EntryPoint@CSystemThread@@KGXPAX@Z", "?Find@CContextList@@QAEPAVCContext@@K@Z", 
@@ -114303,18 +119438,14 @@ "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", "?FindNode@CContextList@@IAEPAXPAX@Z", "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", - "?FinishIt@CWorkerThreadJob@@QAEJXZ", "?First@CList@@UAEPAXXZ", "?First@CLockList@@UAEPAXXZ", - "?First@CNoLockList@@UAEPAXXZ", "?Free@CMemoryAllocator@@UAEXPAX@Z", "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", "?GetAttributes@CFile@@QAEKXZ", "?GetBasicInfomration@CFile@@IAEJXZ", - "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", "?GetCategory@CContext@@QAEKXZ", - "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetCatetory@CModuleConfig@@QAEKXZ", "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", "?GetData@CModuleFlagConfig@@QAEKXZ", 
@@ -114322,75 +119453,48 @@ "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", "?GetData@CModuleStringConfig@@QAEPAGXZ", "?GetData@CStrList@@QAEEPAGPAK@Z", - "?GetDataType@CModuleConfig@@QAEKXZ", - "?GetEngineContext@CContext@@QAEPAXXZ", "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileExtensionConfig@CContext@@UAEHKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetFlagConfig@CContext@@UAEHKPAK@Z", "?GetID@CModuleConfig@@QAEKXZ", "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", "?GetLength@CModuleStringConfig@@QAEKXZ", "?GetLinkContext@CContext@@QAEPAXXZ", "?GetLogFlag@CDebugLog@@QAEKXZ", - "?GetLogFlag@CDebugLogEx@@QAEKXZ", - "?GetModuleId@CModuleConfig@@QAEKXZ", "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetMultiStringConfig@CContext@@UAEHKPAGPAK@Z", "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", "?GetReportCallBackRoutine@CContext@@QAEKXZ", - "?GetSize@CBlobConfig@@QAEKXZ", "?GetStringConfig@CContext@@QAEPAGK@Z", - "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetStringConfig@CContext@@UAEHKPAGPAK@Z", "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", "?GetThreadID@CSystemThread@@QAEKXZ", "?GetType@CContext@@QAEKXZ", + "?GetType@CModuleConfig@@QAEKXZ", "?GetUserParameter@CContext@@QAEKXZ", - "?InitProcMon@CDebugLogEx@@IAEXXZ", - "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", "?InitializeFlagConfig@CContext@@QAEHKK@Z", "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", 
"?InitializeStringConfig@CContext@@QAEHKPBG@Z", "?Insert@CList@@UAEXQAXE@Z", "?Insert@CLockList@@UAEXQAXE@Z", - "?Insert@CNoLockList@@UAEXQAXE@Z", "?InsertAfter@CList@@UAEXPAX0@Z", "?InsertBefore@CList@@UAEXPAX0@Z", "?Instance@CWorkerThreadPool@@SGPAV1@XZ", "?IsEmpty@CList@@UAEEXZ", "?IsEmpty@CLockList@@UAEEXZ", - "?IsEmpty@CNoLockList@@UAEEXZ", "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", "?IsFull@CLockList@@QBEEXZ", - "?IsFull@CNoLockList@@QBEEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", "?IsOpened@CFile@@QAEEXZ", "?IsTerminated@CWorkerThreadPool@@QAEEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", "?IsValid@CMemoryAllocator@@UAEEXZ", "?IsValid@CMemoryPoolAllocator@@UAEEXZ", "?IsValid@IMemoryAllocator@@UAEEXZ", "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", "?Limit@CLockList@@QAEKXZ", - "?Limit@CNoLockList@@QAEKXZ", "?MatchAllExtensions@CFileExtension@@QAEEXZ", "?MatchNoExtensions@CFileExtension@@QAEEXZ", "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", 
@@ -114402,373 +119506,217 @@ "?NewNodeVariant@CList@@IAEPAXK@Z", "?Next@CList@@UBEPAXQAX@Z", "?Next@CLockList@@UBEPAXQAX@Z", - "?Next@CNoLockList@@UBEPAXQAX@Z", "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", "?NotityTerminate@CWorkerThread@@QAEXXZ", "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", "?Pulse@CKEvent@@QAEJJE@Z", "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", "?Read@CFile@@QAEJPADKPAK@Z", - "?ReadWIRP@CFile@@QAEJPADKPAK@Z", "?ReferenceCount@CContext@@QAEAAKXZ", "?Release@CLockEvent@@QAEXXZ", "?Remove@CContextList@@UAEEQAX@Z", "?Remove@CList@@UAEEQAX@Z", "?Remove@CLockList@@UAEEQAX@Z", - "?Remove@CNoLockList@@UAEEQAX@Z", "?RemoveHead@CList@@UAEPAXXZ", "?RemoveHead@CLockList@@UAEPAXXZ", - "?RemoveHead@CNoLockList@@UAEPAXXZ", "?RemoveTail@CList@@UAEPAXXZ", "?RemoveTail@CLockList@@UAEPAXXZ", - "?RemoveTail@CNoLockList@@UAEPAXXZ", "?Reset@CKEvent@@QAEXXZ", - "?ResetData@CInclusionExtConfig@@QAEXXZ", - "?ResetData@CInclusionFileNameConfig@@QAEXXZ", - "?ResetData@CInclusionFilePathConfig@@QAEXXZ", - "?ResetData@CInclusionFolderConfig@@QAEXXZ", - "?RestoreCR0@@YGXPAX@Z", "?Run@CAutoUpdateConfigThread@@UAEXXZ", - "?Run@CDelayLoadThread@@UAEXXZ", "?Run@CWorkerThread@@UAEXXZ", "?SeekToEnd@CFile@@QAEJXZ", "?Set@CKEvent@@QAEJJE@Z", "?SetAttributes@CFile@@QAEJK@Z", - "?SetBlobCofig@CContext@@UAEJKPAXK@Z", - "?SetData@CBlobConfig@@QAEHPAXK@Z", "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", "?SetData@CModuleFlagConfig@@QAEHK@Z", - "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", "?SetData@CModuleStringConfig@@QAEHPBG@Z", - "?SetEngineContext@CContext@@QAEXPAX@Z", - "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", - "?SetFlagConfig@CContext@@UAEJKK@Z", 
+ "?SetFileExtensionConfig@CContext@@UAEHKPBG@Z", + "?SetFlagConfig@CContext@@UAEHKK@Z", "?SetLinkContext@CContext@@QAEXPAX@Z", "?SetLogFlag@CDebugLog@@QAEEK@Z", - "?SetLogFlag@CDebugLogEx@@QAEEK@Z", "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", - "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetMultiStringConfig@CContext@@UAEHKPBG@Z", "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", "?SetPriority@CSystemThread@@QAEXK@Z", "?SetStopUse@CContext@@QAEXXZ", - "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?SetStringConfig@CContext@@UAEHKPBG@Z", "?Setup@CSystemThread@@MAEXXZ", "?StopUse@CContext@@QAEHXZ", "?TearDown@CSystemThread@@MAEXXZ", "?Terminate@CSystemThread@@QAEXE@Z", "?Terminate@CWorkerThreadPool@@QAEEXZ", - "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", "?WaitFinish@CWorkerThreadJob@@QAEXXZ", - "?WaitForInit@CDelayLoadThread@@QAEEXZ", - "?WaitForLoad@CDelayLoadThread@@QAEEXZ", "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", "?Write@CDebugLog@@QAAXPBDZZ", - "?Write@CDebugLogEx@@QAAXPBDZZ", "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", - "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", "?WriteSystemInformation@CDebugLog@@QAEXXZ", - "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", "?WriteToFile@CDebugLog@@IAEXPADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", - "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", - "_AllocFullFileName@8", - "_DeInitKm2UmCommunication@0", - "_DeInitKmLPC@0", - "_DuplicateFullFileName@4", - "_FreeFullFileName@4", - 
"_GetKm2UmMode@0", "_GetModuleInfoByAddress@8", "_GetModuleInfoByModuleName@8", - "_InitKm2UmCommunication@8", - "_InitKmLPC@0", - "_IsVerifierCodeCheckFlagOn@0", - "_IsWindows8_1_update@4", - "_KmCallUm@8", - "_KmCallUmByLPC@8", - "_KmCallUmEx@12", - "_KmCleanupCommPortAPIs@0", - "_KmGetUmInitProcess@0", - "_KmSetBackupCommPortAPIs@4", - "_KmSetCommPortAPIs@4", + "_MapMem@12", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", - "_ModLoadDLLToBufferWithImageSize@8", "_ModLoadModule@8", "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UtilAddDeviceInDriveTable@4", - "_UtilAddReparsePointMapping@8", - "_UtilCleanFileReadOnly@4", - "_UtilCloseExclusiveHandle@12", - "_UtilCreateDosFileName@8", - "_UtilDeleteFileForce@4", - "_UtilGetDeviceObjectName@8", - "_UtilGetFileNameFromFileObject@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", - "_UtilGetProcessName@12", - "_UtilGetSystemDirectory@4", - "_UtilGetSystemDirectoryEx@0", - "_UtilGetSystemDirectoryLength@0", + "_UnMapMem@8", + "_UtilGetProcessName@8", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", - "_UtilPostJobToWorkerThread@12", - "_UtilQueryExclusiveHandle@12", "_UtilQueryKeyValue@24", - "_UtilRemoveDeviceFromDriveTable@4", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "_UtlWriteBinValueKeyToRegistry@16", - "_ValidateAddressWithSize@20", - "__ResetProtectFromClose@4", - "__UtilDosPathNameToNtPathName@12" + "_UtilWriteVersionToRegistry@8" ], "ImportedFunctions": [ - "ProbeForRead", - "ProbeForWrite", - "ExAcquireResourceSharedLite", - "ExAcquireResourceExclusiveLite", - "ExReleaseResourceLite", - "MmProbeAndLockPages", - "MmUnlockPages", - "MmMapLockedPagesSpecifyCache", - "IoAllocateMdl", - 
"IoFreeMdl", - "IoGetCurrentProcess", - "ObfReferenceObject", - "ObfDereferenceObject", - "ZwClose", - "ZwCreateSection", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "ZwOpenEvent", - "KePulseEvent", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "ObOpenObjectByPointer", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "ZwSetEvent", - "_allmul", - "memcpy", - "memset", - "PsProcessType", + "KeInitializeEvent", + "_purecall", + "ExAcquireFastMutexUnsafe", + "KeEnterCriticalRegion", + "KeGetCurrentThread", + "KeLeaveCriticalRegion", + "ExReleaseFastMutexUnsafe", "wcsncpy", - "wcsrchr", - "RtlUnicodeStringToInteger", - "ZwWaitForSingleObject", - "ZwRequestWaitReplyPort", - "ZwConnectPort", - "swprintf", - "RtlCopyUnicodeString", - "DbgPrint", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "IofCompleteRequest", + "ZwClose", "KeDelayExecutionThread", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExEventObjectType", + "ZwCreateEvent", + "RtlInitUnicodeString", + "swprintf", "KeQuerySystemTime", - "ExAllocatePoolWithTag", - "ExInitializeResourceLite", - "ExDeleteResourceLite", - "PsGetVersion", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "KeWaitForSingleObject", "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoGetDeviceObjectPointer", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", - "MmSectionObjectType", - "PsThreadType", - "SeCaptureSubjectContext", - "SeReleaseSubjectContext", - "SeAccessCheck", - "ObGetObjectSecurity", - "ObReleaseObjectSecurity", - "PsGetProcessExitTime", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlCreateAcl", - "RtlAddAccessAllowedAce", - "RtlLengthRequiredSid", - "RtlInitializeSid", - "RtlSubAuthoritySid", + "IoCreateSymbolicLink", + "RtlCopyUnicodeString", + "ProbeForWrite", + "ProbeForRead", "ExGetPreviousMode", - "_wcsnicmp", - 
"PsSetCreateProcessNotifyRoutine", - "ZwQueryInformationProcess", - "PsLookupProcessByProcessId", - "ZwOpenDirectoryObject", + "DbgPrint", + "memset", "MmIsAddressValid", - "ZwCreateFile", + "ZwWriteFile", + "ZwReadFile", "ZwQueryInformationFile", "ZwSetInformationFile", - "ZwReadFile", - "ZwWriteFile", + "ZwCreateFile", "towupper", - "MmGetSystemRoutineAddress", - "ObReferenceObjectByPointer", - "ObQueryNameString", - "MmHighestUserAddress", - "_snprintf", - "_vsnprintf", - "RtlInitAnsiString", - "RtlAnsiStringToUnicodeString", - "RtlFreeUnicodeString", + "_wcsnicmp", + "memcpy", + "sprintf", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", "RtlTimeToTimeFields", - "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", "ZwCreateKey", - "PsGetCurrentThreadId", - "ZwDeviceIoControlFile", + "KeWaitForMultipleObjects", "ZwNotifyChangeKey", - "ExReleaseFastMutexUnsafe", - "ZwQueryVolumeInformationFile", + "PsGetCurrentThreadId", + "vsprintf", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ExFreePoolWithTag", + "MmUnmapLockedPages", + "ExAllocatePoolWithTag", + "RtlImageNtHeader", "mbstowcs", "_stricmp", - "RtlImageNtHeader", "ZwQuerySystemInformation", - "_strnicmp", - "RtlCompareUnicodeString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IofCallDriver", - "IoFreeIrp", - "RtlUpperChar", - "ObReferenceObjectByName", - "IoFileObjectType", - "IoDriverObjectType", - "IoBuildDeviceIoControlRequest", - "IoCreateFile", - "RtlEqualUnicodeString", - "RtlAppendUnicodeStringToString", - "RtlUpcaseUnicodeChar", - "RtlPrefixUnicodeString", - "_snwprintf", - "strncpy", - "NtOpenProcess", - "NtQueryInformationProcess", - "PsIsThreadTerminating", - "ObOpenObjectByName", + "IoGetDeviceObjectPointer", "KeServiceDescriptorTable", - "KeAddSystemServiceTable", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", + "PsCreateSystemThread", "KeNumberProcessors", - "RtlLengthSecurityDescriptor", + 
"ZwQueryDirectoryFile", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", "ZwOpenKey", - "ZwDeleteKey", - "ZwDeleteValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey", - "ZwQueryKey", "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ZwQueryKey", "ZwSetValueKey", - "ZwTerminateProcess", - "ZwOpenProcess", "ZwQuerySecurityObject", - "ZwSetSecurityObject", - "ZwQueryDirectoryObject", - "ZwQueryDirectoryFile", - "_allrem", - "RtlAppendUnicodeToString", - "ZwFsControlFile", "ObInsertObject", - "strrchr", - "wcschr", - "wcsncmp", + "IoFileObjectType", + "_allrem", + "PsLookupProcessByProcessId", + "strncpy", + "NtOpenProcess", + "ObOpenObjectByPointer", + "PsProcessType", + "ObReferenceObjectByPointer", + "KeUnstackDetachProcess", + "MmSectionObjectType", + "KeStackAttachProcess", + "ObQueryNameString", + "ObOpenObjectByName", + "RtlAppendUnicodeStringToString", + "NtQueryInformationProcess", + "RtlAnsiStringToUnicodeString", + "_strnicmp", "RtlQueryRegistryValues", - "IoBuildAsynchronousFsdRequest", - "ZwOpenSymbolicLinkObject", + "RtlAppendUnicodeToString", "ZwQuerySymbolicLinkObject", - "RtlUpcaseUnicodeString", - "NtClose", - "ZwSetInformationObject", - "SeQueryAuthenticationIdToken", - "MmSystemRangeStart", + "ZwOpenSymbolicLinkObject", + "RtlEqualUnicodeString", + "IoCreateFile", + "IoFreeIrp", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "IofCallDriver", + "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", - "SeCreateAccessState", - "IoAcquireVpbSpinLock", - "IoReleaseVpbSpinLock", - "wcstombs", - "strncat", - "wcsncat", - "RtlUnicodeStringToAnsiString", - "RtlFreeAnsiString", - "wcsstr", - "ExAllocatePool", - "ExInterlockedPopEntrySList", - "IoBuildSynchronousFsdRequest", - "IoGetStackLimits", - "IoGetDeviceInterfaces", - "IoRegisterPlugPlayNotification", - "IoUnregisterPlugPlayNotification", - "IoGetConfigurationInformation", - "FsRtlIsNameInExpression", - "RtlUnwind", + "IoAllocateIrp", + 
"IoFreeMdl", + "IoAllocateMdl", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "KeTickCount", + "KeBugCheckEx", + "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", - "RtlGetOwnerSecurityDescriptor", + "RtlUnwind", "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "_snwprintf", + "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "RtlLengthSid", "SeExports", "IoIsWdmVersionAvailable", + "RtlAddAccessAllowedAce", + "RtlLengthSid", + "wcschr", "RtlAbsoluteToSelfRelativeSD", - "ExAcquireFastMutexUnsafe", - "ExFreePoolWithTag", - "KeBugCheckEx", - "KeWaitForSingleObject", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "KeSetEvent", - "KeClearEvent", - "KeInitializeEvent", - "RtlInitUnicodeString", - "KeGetCurrentThread", - "memmove", - "ZwOpenFile", - "_purecall", - "ClassInitialize", - "KfRaiseIrql", - "KeReleaseQueuedSpinLock", - "KeAcquireQueuedSpinLock", - "KfAcquireSpinLock", - "KfLowerIrql", - "KeGetCurrentIrql", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "KeRaiseIrqlToDpcLevel", - "KfReleaseSpinLock" + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlFreeUnicodeString" ], "Signatures": [ { 
@@ -114776,45 +119724,38 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", - "ValidFrom": "2019-07-12 00:00:00", - "ValidTo": "2020-07-10 12:00:00", - "Signature": "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", + "Subject": "C=US, 
O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2008-12-03 23:59:59", + "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", - "ValidFrom": "2011-02-11 12:00:00", - "ValidTo": "2026-02-10 12:00:00", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2006-01-20 00:00:00", + "ValidTo": "2007-02-14 
23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + "SerialNumber": "681ce312057f03f206153b679ec06cb9", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } @@ -114822,26 +119763,25 @@ }, { "FileName": "TmComm.sys", - "MD5": "949ef0df929a71d6cc77494dfcb1ddeb", - "SHA1": "a34adabde63514e1916713a588905c4019f83efb", - "SHA256": "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39", + "MD5": "f65e545771fd922693f0ec68b2141012", + "SHA1": "850f15fd67d9177a50f3efef07a805b9613f50d6", + "SHA256": "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee", "Authentihash": { - "MD5": "aa72488d023f12e4252ac8c34499bc3c", - "SHA1": "f3beb6685e5b2a2492d1da242c6e1e15a32b1c4f", - "SHA256": "a4a7794cdb933d71f57cf9f31188c1152bdc9fc429e17a84c4f639942965311d" + "MD5": "18831ebdbd1eb06f09fe812e958dd2e0", + "SHA1": "5d39543a15234f7d472d5d9132bd0d0faa7cdcd3", + "SHA256": "c264c3d71a57a5dff031d74bd2f6ef715eff603cc8078df123e862603e096be4" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "2.80.0.1063", - "Product": "Trend Micro AEGIS", - "ProductVersion": "2.80", - "Copyright": "Copyright (C) 2005-2009 Trend Micro Incorporated. All rights reserved.", + "FileVersion": "2.2.0.1016", + "Product": "AEGIS", + "ProductVersion": "2.2", + "Copyright": "Copyright (C) 2005-2008 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll", "CLASSPNP.SYS" ], "ExportedFunctions": [ 
@@ -115019,7 +119959,6 @@ "?Add@CFileExtension@@QAEEPBGK@Z", "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", "?Add@CStrList@@QAEEPBG@Z", - "?AddNode@CLockList@@UAEEQAXE@Z", "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", @@ -115077,7 +120016,6 @@ "?GetData@CStrList@@QAEEPAGPAK@Z", "?GetDataType@CModuleConfig@@QAEKXZ", "?GetEngineContext@CContext@@QAEPAXXZ", - "?GetFBCallBackRoutine@CContext@@QAEKXZ", "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", @@ -115203,32 +120141,27 @@ "_GetModuleInfoByModuleName@8", "_InitKmLPC@0", "_KmCallUm@8", + "_MapMem@12", "_ModGetExportProcAddress@8", "_ModLoadDLLToBuffer@4", "_ModLoadModule@8", "_ModUnLoadModule@4", - "_NormalizeFileName@4", - "_NormalizeFullNtPathToDosName@4", "_TmCommConfigRoutine@4", - "_UtilCleanFileReadOnly@4", - "_UtilDeleteFileForce@4", - "_UtilGetFileObjectForProcessByEPROC@8", - "_UtilGetFileObjectFromFileName@12", + "_UnMapMem@8", "_UtilGetProcessName@12", "_UtilGetSystemTime@4", "_UtilIoSetFileInfo@24", "_UtilIopCreateFileIRP@40", "_UtilKeGetLowFileDevice@16", - "_UtilModuleIATHook@24", - "_UtilModuleIATUnHook@8", "_UtilQueryKeyValue@24", "_UtilVolumeDeviceToDosName@8", "_UtilWaitValueChangeToZero@8", - "_UtilWriteVersionToRegistry@8", - "_UtilbuildDynamicDiskMappingTable@0", - "__UtilDosPathNameToNtPathName@12" + "_UtilWriteVersionToRegistry@8" ], "ImportedFunctions": [ + "KeEnterCriticalRegion", + "KeGetCurrentThread", + "KeLeaveCriticalRegion", "ExReleaseFastMutexUnsafe", "wcsncpy", "memcpy", 
@@ -115236,33 +120169,25 @@ "KeSetEvent", "KePulseEvent", "KeClearEvent", - "KeInitializeSemaphore", - "KeWaitForSingleObject", - "DbgPrint", - "KeReleaseSemaphore", - "RtlSubAuthoritySid", - "RtlInitializeSid", - "ExAllocatePoolWithTag", - "RtlLengthRequiredSid", - "ExFreePoolWithTag", - "RtlSetDaclSecurityDescriptor", - "RtlCreateSecurityDescriptor", - "RtlAddAccessAllowedAce", - "RtlCreateAcl", - "ObfDereferenceObject", - "ZwSetEvent", + "IofCompleteRequest", "ZwClose", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "memmove", - "KeStackAttachProcess", - "ZwConnectPort", + "KeDelayExecutionThread", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExEventObjectType", + "ZwCreateEvent", "RtlInitUnicodeString", - "ZwCreateSection", - "ZwWaitForSingleObject", - "ZwOpenEvent", - "ObfReferenceObject", - "IoGetCurrentProcess", + "swprintf", + "KeQuerySystemTime", + "KeWaitForSingleObject", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "DbgPrint", + "RtlCopyUnicodeString", + "ProbeForWrite", + "ProbeForRead", + "ExGetPreviousMode", "memset", "MmIsAddressValid", "ZwWriteFile", 
@@ -115270,118 +120195,116 @@ "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", - "swprintf", "towupper", "_wcsnicmp", - "KeInitializeEvent", "_snprintf", "PsGetCurrentProcessId", + "IoGetCurrentProcess", "RtlTimeToTimeFields", "ExSystemTimeToLocalTime", - "KeQuerySystemTime", "ZwCreateKey", - "ZwCreateEvent", + "KeInitializeEvent", "KeWaitForMultipleObjects", - "ObReferenceObjectByHandle", "ZwNotifyChangeKey", "PsGetCurrentThreadId", "_vsnprintf", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", + "ExFreePoolWithTag", + "MmUnmapLockedPages", + "ExAllocatePoolWithTag", + "RtlImageNtHeader", + "mbstowcs", + "_stricmp", + "ZwQuerySystemInformation", + "IoGetDeviceObjectPointer", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", + "_strnicmp", + "PsLookupProcessByProcessId", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcess", "KeSetPriorityThread", "PsTerminateSystemThread", "PsCreateSystemThread", "KeNumberProcessors", - "ZwQuerySystemInformation", "ZwQueryDirectoryFile", "ZwOpenDirectoryObject", "ZwQueryDirectoryObject", - "ZwDuplicateObject", + "IoFreeIrp", + "IoFreeMdl", + "IofCallDriver", + "ExAcquireFastMutexUnsafe", + "IoAllocateIrp", + "IoFileObjectType", "ZwOpenKey", "ZwEnumerateKey", "ZwEnumerateValueKey", "ZwQueryValueKey", "ZwDeleteValueKey", "ZwDeleteKey", - "ExGetPreviousMode", - "ZwTerminateProcess", - "KeLeaveCriticalRegion", - "PsProcessType", - "ZwOpenProcess", "ZwQueryKey", "ZwSetValueKey", - "IoFreeIrp", - "_purecall", - "MmUnlockPages", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "strncpy", + "NtOpenProcess", + "ObOpenObjectByPointer", + "PsProcessType", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "RtlAppendUnicodeStringToString", + "ObfReferenceObject", + "NtQueryInformationProcess", + "_snwprintf", + "RtlAnsiStringToUnicodeString", 
"IoBuildAsynchronousFsdRequest", - "ProbeForWrite", - "_strnicmp", + "KeBugCheckEx", "RtlQueryRegistryValues", "RtlAppendUnicodeToString", - "KeDelayExecutionThread", - "mbstowcs", "ZwQuerySymbolicLinkObject", "ZwOpenSymbolicLinkObject", - "NtClose", - "ZwSetInformationObject", - "_stricmp", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ZwOpenFile", "RtlEqualUnicodeString", - "IoFileObjectType", "IoCreateFile", - "IofCallDriver", - "IoAllocateIrp", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", "PsGetVersion", "MmGetSystemRoutineAddress", "RtlCompareMemory", - "RtlCopyUnicodeString", - "RtlImageNtHeader", - "PsLookupProcessByProcessId", - "RtlFreeUnicodeString", - "RtlAnsiStringToUnicodeString", - "RtlInitAnsiString", - "strrchr", - "KeBugCheckEx", - "RtlAppendUnicodeStringToString", - "IofCompleteRequest", - "ExEventObjectType", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoCreateSymbolicLink", - "ProbeForRead", - "IoGetDeviceObjectPointer", - "RtlUpperChar", - "RtlCompareUnicodeString", - "strncpy", - "KeServiceDescriptorTable", - "NtOpenProcess", - "ObReferenceObjectByPointer", - "MmSectionObjectType", - "ObQueryNameString", - "ObOpenObjectByName", - "IoDriverObjectType", - "NtQueryInformationProcess", - "_snwprintf", - "KeAddSystemServiceTable", - "ZwQueryObject", - "ZwQuerySecurityObject", - "ObInsertObject", - "_allrem", "IoReleaseVpbSpinLock", "IoAcquireVpbSpinLock", "SeCreateAccessState", "IoGetFileObjectGenericMapping", "ObCreateObject", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "RtlLengthRequiredSid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ZwSetEvent", + "ZwRequestWaitReplyPort", + "memmove", + "ZwConnectPort", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ExAllocatePool", + "RtlUpperChar", + "RtlCompareUnicodeString", "KeTickCount", - "RtlUnwind", - "KeEnterCriticalRegion", - 
"ObOpenObjectByPointer", - "ExAcquireFastMutexUnsafe", "ZwSetSecurityObject", "IoDeviceObjectType", "IoCreateDevice", + "RtlUnwind", "RtlGetDaclSecurityDescriptor", "RtlGetSaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", @@ -115393,10 +120316,9 @@ "RtlLengthSid", "wcschr", "RtlAbsoluteToSelfRelativeSD", - "IoFreeMdl", - "KeGetCurrentThread", - "KfLowerIrql", - "KeRaiseIrqlToDpcLevel", + "RtlFreeUnicodeString", + "IoAllocateMdl", + "_purecall", "ClassInitialize" ], "Signatures": [ 
@@ -115451,183 +120373,185 @@ }, { "FileName": "TmComm.sys", - "MD5": "d6b259b2dfe80bdf4d026063accd752c", - "SHA1": "0adc1320421f02f2324e764aa344018758514436", - "SHA256": "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7", + "MD5": "9af5ae780b6a9ea485fa15f28ddb20a7", + "SHA1": "6a60c5dc7d881ddb5d6fe954f10b8aa10d214e72", + "SHA256": "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3", "Authentihash": { - "MD5": "451feb7fca0b5d5816babd65d34074c4", - "SHA1": "84913e5e61158fa8ff45dffb4e60cd589a9e69a9", - "SHA256": "03192bacd96989bad4181609295764f61a86d2ec9f7918a90a219e674ae3097f" + "MD5": "c168260fa4a9a401b55e3b4c5962fa27", + "SHA1": "dac9b99363ccff7b11a53bf98bcaf64f41b66d77", + "SHA256": "45624a7469927b999cce153ff0074f675a8c062c5afa3f0c688b6124874ca27a" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "7.0.0.1099", + "FileVersion": "7.30.0.1065", "Product": "Trend Micro Eyes", - "ProductVersion": "7.0", - "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. All rights reserved.", - "MachineType": "AMD64", + "ProductVersion": "7.30", + "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "CLASSPNP.SYS", + "HAL.dll" ], "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - 
"??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - 
"??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3@YAXPEAX_K@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - 
"??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + 
"??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + 
"??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3@YAXPAXI@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + 
"??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", 
@@ -115668,320 +120592,311 @@ "??_7CWorkerThreadPool@@6B@", "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "??_V@YAXPEAX_K@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - 
"?DeleteAll@CList@@UEAAXXZ", - "?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", 
- "?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - 
"?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - 
"?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - 
"?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "AllocFullFileName", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetBackupCommPortAPIs", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - 
"UtilDeleteFileForce", - "UtilGetDeviceObjectName", - "UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + 
"?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + 
"?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + 
"?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + 
"?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + 
"?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_AllocFullFileName@8", + "_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetBackupCommPortAPIs@4", + 
"_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeInitializeEvent", - "KeClearEvent", - "KeSetEvent", - "KeEnterCriticalRegion", - "KeLeaveCriticalRegion", - "KeWaitForSingleObject", - "ExFreePoolWithTag", "ExAcquireFastMutexUnsafe", "ExReleaseFastMutexUnsafe", "ProbeForRead", 
@@ -116010,49 +120925,52 @@ "ZwAllocateVirtualMemory", "ZwFreeVirtualMemory", "ZwSetEvent", - "__C_specific_handler", + "_allmul", + "memcpy", + "memset", "PsProcessType", - "wcslen", "wcsncpy", "wcsrchr", "RtlUnicodeStringToInteger", "ZwWaitForSingleObject", "ZwRequestWaitReplyPort", "ZwConnectPort", + "_stricmp", + "ExAllocatePoolWithTag", + "MmIsAddressValid", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "swprintf", + "RtlCopyUnicodeString", + "DbgPrint", + "KeDelayExecutionThread", + "KeQuerySystemTime", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "PsThreadType", + "MmSectionObjectType", "SeCaptureSubjectContext", "SeReleaseSubjectContext", "SeAccessCheck", "ObGetObjectSecurity", "ObReleaseObjectSecurity", "PsGetProcessExitTime", - "PsThreadType", - "MmSectionObjectType", "RtlCreateSecurityDescriptor", "RtlSetDaclSecurityDescriptor", "KeInitializeSemaphore", "KeReleaseSemaphore", - "ExAllocatePoolWithTag", - "ExAcquireFastMutex", - "ExReleaseFastMutex", "RtlCreateAcl", "RtlAddAccessAllowedAce", "RtlLengthRequiredSid", "RtlInitializeSid", "RtlSubAuthoritySid", - "KeDelayExecutionThread", "ExGetPreviousMode", - "DbgPrint", - "swprintf", - "RtlCopyUnicodeString", - "PsGetVersion", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "PsGetCurrentProcessId", - "ZwCreateEvent", - "ExEventObjectType", "_wcsnicmp", "PsSetCreateProcessNotifyRoutine", "ZwQueryInformationProcess", @@ -116068,9 +120986,9 @@ "towupper", "MmGetSystemRoutineAddress", "ObReferenceObjectByPointer", - "MmIsAddressValid", - "PsGetCurrentThreadId", "ObQueryNameString", + "MmHighestUserAddress", + "PsGetVersion", "_snprintf", "_vsnprintf", "RtlInitAnsiString", 
@@ -116079,29 +120997,38 @@ "RtlTimeToTimeFields", "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "wcscat", + "ExFreePoolWithTag", + "PsGetCurrentThreadId", "ZwDeviceIoControlFile", "ZwNotifyChangeKey", "ZwOpenFile", "ZwQueryVolumeInformationFile", "mbstowcs", - "_stricmp", "IoGetDeviceObjectPointer", - "RtlImageNtHeader", - "ZwQuerySystemInformation", - "IoBuildDeviceIoControlRequest", + "_strnicmp", + "RtlCompareUnicodeString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", "IofCallDriver", + "IoFreeIrp", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoFileObjectType", + "IoDriverObjectType", + "IoBuildDeviceIoControlRequest", "IoCreateFile", "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", "RtlUpcaseUnicodeChar", "_snwprintf", - "strlen", - "_strnicmp", "strncpy", "NtOpenProcess", "NtQueryInformationProcess", + "PsIsThreadTerminating", "ObOpenObjectByName", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", "KeSetPriorityThread", "PsCreateSystemThread", "PsTerminateSystemThread", @@ -116117,24 +121044,19 @@ "ZwSetValueKey", "ZwTerminateProcess", "ZwOpenProcess", - "ZwDuplicateObject", "ZwQuerySecurityObject", "ZwSetSecurityObject", "ZwQueryDirectoryObject", "ZwQueryDirectoryFile", - "NtCreateFile", - "NtQueryInformationFile", - "NtSetInformationFile", - "IoFileObjectType", + "_allrem", + "RtlAppendUnicodeToString", + "ZwFsControlFile", "ObInsertObject", + "strrchr", "wcschr", "wcsncmp", "RtlQueryRegistryValues", - "RtlAppendUnicodeToString", - "RtlCompareMemory", - "MmBuildMdlForNonPagedPool", - "IoAllocateIrp", - "IoFreeIrp", + "IoBuildAsynchronousFsdRequest", "ZwOpenSymbolicLinkObject", "ZwQuerySymbolicLinkObject", "RtlUpcaseUnicodeString", 
@@ -116152,14 +121074,9 @@ "wcsncat", "RtlUnicodeStringToAnsiString", "RtlFreeAnsiString", - "strcpy", "wcsstr", - "RtlCompareUnicodeString", - "DbgPrintEx", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", "ExAllocatePool", - "ExpInterlockedPopEntrySList", + "ExInterlockedPopEntrySList", "IoBuildSynchronousFsdRequest", "IoGetStackLimits", "IoGetDeviceInterfaces", @@ -116167,6 +121084,7 @@ "IoUnregisterPlugPlayNotification", "IoGetConfigurationInformation", "FsRtlIsNameInExpression", + "RtlUnwind", "IoDeviceObjectType", "IoCreateDevice", "RtlGetOwnerSecurityDescriptor", @@ -116178,9 +121096,27 @@ "SeExports", "IoIsWdmVersionAvailable", "RtlAbsoluteToSelfRelativeSD", + "KeWaitForSingleObject", + "KeLeaveCriticalRegion", + "KeBugCheckEx", + "KeEnterCriticalRegion", + "KeSetEvent", + "KeClearEvent", + "KeInitializeEvent", + "RtlInitUnicodeString", + "KeGetCurrentThread", + "memmove", "ZwCreateKey", "_purecall", - "KeBugCheckEx" + "ClassInitialize", + "KeRaiseIrqlToDpcLevel", + "KfAcquireSpinLock", + "KeGetCurrentIrql", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "KfLowerIrql", + "KfRaiseIrql", + "KfReleaseSpinLock" ], "Signatures": [ { 
@@ -116188,17 +121124,24 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", - "ValidFrom": "2015-12-31 00:00:00", - "ValidTo": "2019-07-09 18:40:36", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2016-03-29 00:00:00", - "ValidTo": "2017-06-28 23:59:59", - "Signature": "27351697f046d1d43fe306dff30b83e7a404e3e6431c1e06829c558d99eb3f21776021e3e1bd4e485aba08b89bb0972f23daa471d7b432a44a591270f9a838f13dbda32ee936c0df792cff8c493e1f27b2282b3d896ae7b4155ca1a50bf7111f3f4bbbe11f17cfe5d49c0589c210966ef7e567153e802d2e783ff498c59585598d9d3e93273d1e81c07ce85c0cfb24834d448c3930120f1686bd472d916ac8f9475acfdb27be8528311f668d71dfc132a0ff62df7baa575a0cc732b3de003beca214954d4d97cf9511b9329eccbb7b716675b31e543a43570080dffce3fc8ca8fbb17d954b9678e2d0c1e1710a5cf03952a687fede59dcba3bf98900f9934f12", + "ValidFrom": "2017-04-27 00:00:00", + "ValidTo": "2018-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, 
{ @@ -116218,7 +121161,7 @@ ], "Signer": [ { - "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "SerialNumber": "497c4fad471540e6e453d0cafb155740", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] @@ -116227,22 +121170,22 @@ }, { "FileName": "TmComm.sys", - "MD5": "996ded363410dfd38af50c76bd5b4fbc", - "SHA1": "d7597d27eeb2658a7c7362193f4e5c813c5013e5", - "SHA256": "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c", + "MD5": "09927915aba84c8acd91efdaac674b86", + "SHA1": "b304cb10c88ddd8461bad429ebfd2fd1b809ac2b", + "SHA256": "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f", "Authentihash": { - "MD5": "8668e5f58ae2a95ada7f83f280974cba", - "SHA1": "0ad65356dae97eebd80c059e1ee1ec39c8119b95", - "SHA256": "683f0af364f8a19f81d2e095e17de6d403ba3672bdf4a1caf601bca5b57454df" + "MD5": "d1f83eec944debf86cb97352d63f8fd3", + "SHA1": "923910c609673b7ffb23a0c3cd9d33aedd69607a", + "SHA256": "6bdf465db8860c80051d4d1b9db1c3153ab65c252f9500b85efc56d255b4cb1d" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1129", + "FileVersion": "7.30.0.1049", "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", + "ProductVersion": "7.30", + "Copyright": "Copyright (C) 2017 Trend Micro Incorporated. All rights reserved.", "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" @@ -116380,6 +121323,7 @@ "??2CMemoryAllocator@@SAPEAX_K@Z", "??2CMemoryPoolAllocator@@SAPEAX_K@Z", "??3@YAXPEAX@Z", + "??3@YAXPEAX_K@Z", "??3IMemoryAllocator@@SAXPEAX@Z", "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", 
@@ -116454,6 +121398,7 @@ "??_FCWorkerThreadJobQueue@@QEAAXXZ", "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", "??_V@YAXPEAX@Z", + "??_V@YAXPEAX_K@Z", "?Acquire@CLockEvent@@QEAAXXZ", "?Add@CContextList@@QEAAEPEAVCContext@@@Z", "?Add@CFileExtension@@QEAAEPEBGK@Z", @@ -116687,22 +121632,24 @@ "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "AllocFullFileName", "DeInitKm2UmCommunication", "DeInitKmLPC", "DuplicateFullFileName", "FreeFullFileName", - "GetFileVersionOfNtoskrnl", "GetKm2UmMode", "GetModuleInfoByAddress", "GetModuleInfoByModuleName", "InitKm2UmCommunication", "InitKmLPC", + "IsVerifierCodeCheckFlagOn", "IsWindows8_1_update", "KmCallUm", "KmCallUmByLPC", "KmCallUmEx", "KmCleanupCommPortAPIs", "KmGetUmInitProcess", + "KmSetBackupCommPortAPIs", "KmSetCommPortAPIs", "ModGetExportProcAddress", "ModLoadDLLToBuffer", @@ -116710,9 +121657,7 @@ "ModLoadModule", "ModUnLoadModule", "NormalizeFileName", - "NormalizeFileName1", "NormalizeFullNtPathToDosName", - "NormalizeFullNtPathToDosName1", "TmCommConfigRoutine", "UtilAddDeviceInDriveTable", "UtilAddReparsePointMapping", 
@@ -116748,205 +121693,213 @@ "_UtilDosPathNameToNtPathName" ], "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "wcsncpy", + "RtlInitUnicodeString", + "KeInitializeEvent", + "KeClearEvent", + "KeSetEvent", "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", + "ExFreePoolWithTag", "ExAcquireFastMutexUnsafe", - "wcsrchr", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", "ExReleaseResourceLite", - "_purecall", - "ZwOpenEvent", - "ZwConnectPort", - "KeClearEvent", - "PsProcessType", - "ExFreePoolWithTag", - "RtlInitUnicodeString", - "KeSetEvent", - "ProbeForWrite", - "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "ZwWaitForSingleObject", - "DbgBreakPoint", - "ZwSetEvent", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoFreeMdl", "IoGetCurrentProcess", - "ZwFreeVirtualMemory", - "ZwClose", "ObfReferenceObject", "ObfDereferenceObject", - "RtlUnicodeStringToInteger", + "ZwClose", "ZwCreateSection", - "ObOpenObjectByPointer", - "KeStackAttachProcess", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenEvent", "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", "ZwAllocateVirtualMemory", - "ObGetObjectSecurity", - "SeAccessCheck", - "SeReleaseSubjectContext", + "ZwFreeVirtualMemory", + "ZwSetEvent", + "__C_specific_handler", + "PsProcessType", + "wcslen", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "_stricmp", + "ExAllocatePoolWithTag", + "MmIsAddressValid", + "RtlImageNtHeader", + "ZwQuerySystemInformation", "SeCaptureSubjectContext", - "PsThreadType", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", "ObReleaseObjectSecurity", "PsGetProcessExitTime", + "PsThreadType", "MmSectionObjectType", + 
"RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "KeDelayExecutionThread", + "ExGetPreviousMode", "DbgPrint", - "ExDeleteResourceLite", + "swprintf", + "RtlCopyUnicodeString", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", "ExInitializeResourceLite", - "ZwReadFile", - "swprintf", - "ZwSetInformationFile", + "ExDeleteResourceLite", "ZwCreateFile", "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", "ZwWriteFile", - "_wcsnicmp", "towupper", - "ExAllocatePoolWithTag", - "KeInitializeEvent", - "ZwCreateEvent", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwNotifyChangeKey", - "RtlInitAnsiString", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "PsGetCurrentThreadId", + "ObQueryNameString", + "PsGetVersion", "_snprintf", - "RtlFreeUnicodeString", - "ExSystemTimeToLocalTime", "_vsnprintf", - "ObReferenceObjectByHandle", + "RtlInitAnsiString", + "wcscat", + "RtlFreeUnicodeString", "RtlTimeToTimeFields", - "ZwDeviceIoControlFile", - "PsGetCurrentThreadId", - "PsGetCurrentProcessId", "KeWaitForMultipleObjects", - "ExGetPreviousMode", + "ExSystemTimeToLocalTime", + "ZwCreateKey", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ZwOpenFile", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "IoGetDeviceObjectPointer", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "IoCreateFile", "RtlEqualUnicodeString", - "RtlPrefixUnicodeString", "RtlAppendUnicodeStringToString", - "RtlCopyUnicodeString", 
"RtlUpcaseUnicodeChar", - "KeWaitForSingleObject", + "_snwprintf", + "strlen", + "_strnicmp", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "ObOpenObjectByName", "KeSetPriorityThread", "PsCreateSystemThread", "PsTerminateSystemThread", - "MmIsAddressValid", - "KeDelayExecutionThread", "KeNumberProcessors", - "PsLookupProcessByProcessId", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenDirectoryObject", - "ZwQueryInformationProcess", - "ZwQuerySecurityObject", - "NtSetInformationFile", - "ZwDeleteValueKey", - "ZwSetValueKey", - "ZwQuerySystemInformation", - "NtQueryInformationFile", - "IoFileObjectType", - "ZwQueryValueKey", - "ZwQueryDirectoryFile", - "NtCreateFile", - "ZwEnumerateValueKey", "RtlLengthSecurityDescriptor", - "ZwQueryDirectoryObject", - "ZwSetSecurityObject", - "ZwDuplicateObject", - "ZwOpenProcess", - "ExReleaseFastMutexUnsafe", + "ZwOpenKey", "ZwDeleteKey", + "ZwDeleteValueKey", "ZwEnumerateKey", + "ZwEnumerateValueKey", "ZwQueryKey", - "ZwOpenKey", - "MmSystemRangeStart", - "_stricmp", - "_strnicmp", - "mbstowcs", - "ProbeForRead", - "RtlUpcaseUnicodeString", - "_snwprintf", - "ZwQuerySymbolicLinkObject", - "ZwMapViewOfSection", - "MmGetSystemRoutineAddress", - "RtlAppendUnicodeToString", - "IoCreateFile", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwDuplicateObject", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "NtCreateFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "IoFileObjectType", + "ObInsertObject", + "wcschr", + "wcsncmp", "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "RtlCompareMemory", "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IoFreeIrp", "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "ObQueryNameString", - "ZwUnmapViewOfSection", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", "NtClose", - "IoFreeIrp", - "PsGetVersion", - "IoAllocateIrp", - "RtlCompareMemory", - 
"MmUnlockPages", "ZwSetInformationObject", - "ZwOpenFile", - "wcsncmp", - "RtlImageNtHeader", - "IoAllocateMdl", - "IofCallDriver", - "ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlInitializeSid", - "RtlCreateSecurityDescriptor", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IoGetDeviceObjectPointer", - "ExEventObjectType", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "strncpy", - "NtOpenProcess", - "ObInsertObject", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", "IoGetFileObjectGenericMapping", "ObCreateObject", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", "IoReleaseVpbSpinLock", - "wcschr", - "IoGetConfigurationInformation", - "IoRegisterPlugPlayNotification", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "FsRtlIsNameInExpression", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "strcpy", "wcsstr", - "ExAllocatePool", - "IoUnregisterPlugPlayNotification", - "MmProbeAndLockPages", "RtlCompareUnicodeString", - "IoGetDeviceInterfaces", + "DbgPrintEx", "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoCreateDevice", + "KeReleaseSpinLock", + "ExAllocatePool", + "ExpInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", "IoDeviceObjectType", - 
"SeCaptureSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "RtlLengthSid", - "RtlGetSaclSecurityDescriptor", + "IoCreateDevice", + "RtlGetOwnerSecurityDescriptor", "RtlGetDaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwTerminateProcess", - "ExAcquireResourceExclusiveLite", - "__C_specific_handler" + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "RtlAnsiStringToUnicodeString", + "_purecall", + "KeBugCheckEx" ], "Signatures": [ { 
@@ -116954,45 +121907,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=TW, ??=Private Organization, serialNumber=23310837, C=TW, ST=Taipei City, L=Da???an District, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2020-08-07 00:00:00", - "ValidTo": "2021-04-15 12:00:00", - "Signature": "578aa329d98f23e576b6937a3146ca65f1ec8da04b5ec5f4c499436cfe710be5660f7c864950d9276a6dfdd2341048e6fe4f51044e7fce164f3b9203035bc3d311991685fbce0d90a4c7b2b511d0d3ba37b3558eae76db3ab30f4a2ef102faad1820e26b5fcbc216b368980655de80fe7177f9f1a80c75e4a0a21451a59c86986e5348318da4d295e8d02520fa674ce89756903b25521b5ad358f8328c5591a9702494cc24e340418dbcf08ef06214a8e90c4836dc6f8465fd59385bd56407d83bfc8a633e8125c523ff23dd8c669169848668d5aefe059ee5091e1776ec4686efd0d6ccee0e0bea5922ee41fb36e63d5704633f85115f9584926bdb708a9edb", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - 
"Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2017-04-27 00:00:00", + "ValidTo": "2018-07-16 23:59:59", + "Signature": "f3b20c020c826fd9e2629408ffc97c9e245959d1050c9ce7708069d366d26af191812e16fce674eaca0d8f05b2a796280831737299800d2bfe0071efecf655117b7952a4d7c0701b97de034a1d42e928fd1a2082b081f9d22e9d39af3233cf05c1e61ae1f8fbfec872e78d9a0b29b4f147f1a053d1757a824601df2bb07c75c591fe7efbaf0021764b90cd446f85f80d14bc2cd42c83edfa7d2510f8f94c82d1b3ea999b1cff9093291977c7e996dc32904d3934f167077684ff76aa5327654a0bd7223d9d67657b47c5b46012dca6723d89e7fa051b3380d0c4977b9df537e75da3186ab149b27c089715a01bd695f408f7ded66bfbe920d27a6f6a7d4cc8b3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "0f6146af9397c7fa04b13c2d0279a1ba", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + "SerialNumber": "497c4fad471540e6e453d0cafb155740", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } 
@@ -117000,182 +121953,184 @@ }, { "FileName": "TmComm.sys", - "MD5": "148bd10da8c8d64928a213c7bf1f2fca", - "SHA1": "dfd801b6c2715f5525f8ffb38e3396a5ad9b831d", - "SHA256": "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280", + "MD5": "113056ec5c679b6f74c9556339ebf962", + "SHA1": "e7d8fc86b90f75864b7e2415235e17df4d85ee31", + "SHA256": "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd", "Authentihash": { - "MD5": "4fdf46c89a0eb3a5482552a69bd4e21e", - "SHA1": "1a45053380feb519b9388c513b8867b0b40d8b8b", - "SHA256": "ef0dbc4c4735f30e96e16375b18c2f5fa58e15ef60d17786e39e616a4438e264" + "MD5": "df0c799f44b29f166c1457111f1e2e44", + "SHA1": "8f304036c7dc0ba138cba81a45a8b0f9336231d4", + "SHA256": "13002b14aa6e63dc7117e2969d038beb009dbd6093a4590c6913b426d773dea3" }, "Description": "TrendMicro Common Module", "Company": "Trend Micro Inc.", "InternalName": "TmComm.sys", "OriginalFilename": "TmComm.sys", - "FileVersion": "6.70.0.1117", + "FileVersion": "6.60.0.1084", "Product": "Trend Micro Eyes", - "ProductVersion": "6.70", - "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. All rights reserved.", - "MachineType": "AMD64", + "ProductVersion": "6.60", + "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "CLASSPNP.SYS" ], "ExportedFunctions": [ - "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", - "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", - "??0CBlobConfig@@QEAA@AEBV0@@Z", - "??0CBlobConfig@@QEAA@K@Z", - "??0CContext@@QEAA@AEBV0@@Z", - "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", - "??0CContextList@@QEAA@AEBV0@@Z", - "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CDebugLog@@QEAA@AEBV0@@Z", - "??0CDebugLog@@QEAA@PEBG@Z", - "??0CDebugLogEx@@QEAA@AEBV0@@Z", - "??0CDebugLogEx@@QEAA@K@Z", - "??0CDelayLoadThread@@QEAA@AEBV0@@Z", - "??0CDelayLoadThread@@QEAA@XZ", - "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CExclusionExtConfig@@QEAA@KKE@Z", - "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFileNameConfig@@QEAA@KK@Z", - "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFilePathConfig@@QEAA@KK@Z", - "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CExclusionFolderConfig@@QEAA@KK@Z", - "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", - "??0CExclusionRegistryConfig@@QEAA@KK@Z", - "??0CFile@@QEAA@AEBV0@@Z", - "??0CFile@@QEAA@E@Z", - "??0CFileExtension@@QEAA@AEBV0@@Z", - "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", - "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", - "??0CInclusionExtConfig@@QEAA@KKE@Z", - "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFileNameConfig@@QEAA@KK@Z", - "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFilePathConfig@@QEAA@KK@Z", - "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", - "??0CInclusionFolderConfig@@QEAA@KK@Z", - "??0CKEvent@@QEAA@AEBV0@@Z", - "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", - "??0CList@@QEAA@AEBV0@@Z", - "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CLockEvent@@QEAA@AEBV0@@Z", - "??0CLockEvent@@QEAA@XZ", - "??0CLockList@@QEAA@AEBV0@@Z", - 
"??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", - "??0CMemoryAllocator@@QEAA@AEBV0@@Z", - "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", - "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@AEBV0@@Z", - "??0CModuleConfig@@QEAA@XZ", - "??0CModuleConfigList@@QEAA@AEBV0@@Z", - "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", - "??0CModuleFileExtConfig@@QEAA@KKE@Z", - "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", - "??0CModuleFlagConfig@@QEAA@K@Z", - "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleMultiStringConfig@@QEAA@KK@Z", - "??0CModuleStringConfig@@QEAA@AEBV0@@Z", - "??0CModuleStringConfig@@QEAA@K@Z", - "??0CNoLockList@@QEAA@AEBV0@@Z", - "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", - "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", - "??0CSmartLock@@QEAA@XZ", - "??0CSmartReference@@QEAA@AEAJ@Z", - "??0CSmartReference@@QEAA@AEAK@Z", - "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", - "??0CStrList@@QEAA@AEBV0@@Z", - "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", - "??0CSystemThread@@QEAA@AEBV0@@Z", - "??0CSystemThread@@QEAA@K@Z", - "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", - "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", - "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", - "??0CWorkerThread@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJob@@QEAA@E@Z", - "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", - "??0CWorkerThreadJobQueue@@QEAA@K@Z", - "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPool@@QEAA@K@Z", - "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", - "??0CWorkerThreadPoolEx@@QEAA@KK@Z", - "??0IMemoryAllocator@@QEAA@AEBV0@@Z", - "??0IMemoryAllocator@@QEAA@XZ", - "??1CAutoUpdateConfigThread@@UEAA@XZ", - "??1CBlobConfig@@UEAA@XZ", - "??1CContext@@UEAA@XZ", - "??1CContextList@@UEAA@XZ", - "??1CDebugLog@@UEAA@XZ", - "??1CDebugLogEx@@UEAA@XZ", - "??1CDelayLoadThread@@UEAA@XZ", - 
"??1CExclusionExtConfig@@UEAA@XZ", - "??1CExclusionFileNameConfig@@UEAA@XZ", - "??1CExclusionFilePathConfig@@UEAA@XZ", - "??1CExclusionFolderConfig@@UEAA@XZ", - "??1CExclusionRegistryConfig@@UEAA@XZ", - "??1CFile@@UEAA@XZ", - "??1CFileExtension@@UEAA@XZ", - "??1CInclusionExtConfig@@UEAA@XZ", - "??1CInclusionFileNameConfig@@UEAA@XZ", - "??1CInclusionFilePathConfig@@UEAA@XZ", - "??1CInclusionFolderConfig@@UEAA@XZ", - "??1CKEvent@@UEAA@XZ", - "??1CList@@UEAA@XZ", - "??1CLockEvent@@UEAA@XZ", - "??1CLockList@@UEAA@XZ", - "??1CMemoryAllocator@@UEAA@XZ", - "??1CMemoryPoolAllocator@@UEAA@XZ", - "??1CModuleConfig@@UEAA@XZ", - "??1CModuleConfigList@@UEAA@XZ", - "??1CModuleFileExtConfig@@UEAA@XZ", - "??1CModuleFlagConfig@@UEAA@XZ", - "??1CModuleMultiStringConfig@@UEAA@XZ", - "??1CModuleStringConfig@@UEAA@XZ", - "??1CNoLockList@@UEAA@XZ", - "??1CSmartLock@@QEAA@XZ", - "??1CSmartReference@@QEAA@XZ", - "??1CSmartResource@@QEAA@XZ", - "??1CStrList@@UEAA@XZ", - "??1CSystemThread@@UEAA@XZ", - "??1CUserFuncAdapterJob@@UEAA@XZ", - "??1CWorkerThread@@UEAA@XZ", - "??1CWorkerThreadJob@@UEAA@XZ", - "??1CWorkerThreadJobQueue@@UEAA@XZ", - "??1CWorkerThreadPool@@UEAA@XZ", - "??1CWorkerThreadPoolEx@@UEAA@XZ", - "??1IMemoryAllocator@@UEAA@XZ", - "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??2CMemoryAllocator@@SAPEAX_K@Z", - "??2CMemoryPoolAllocator@@SAPEAX_K@Z", - "??3@YAXPEAX@Z", - "??3IMemoryAllocator@@SAXPEAX@Z", - "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", - "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CContext@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", - "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", - "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", - "??4CFile@@QEAAAEAV0@AEBV0@@Z", - "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", - 
"??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", - "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", - "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", - "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", - "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", - "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", - "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + 
"??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + 
"??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + 
"??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", "??_7CAutoUpdateConfigThread@@6B@", "??_7CBlobConfig@@6B@", "??_7CContext@@6B@", 
@@ -117216,982 +122171,1135 @@ "??_7CWorkerThreadPool@@6B@", "??_7CWorkerThreadPoolEx@@6B@", "??_7IMemoryAllocator@@6B@", - "??_FCContextList@@QEAAXXZ", - "??_FCFile@@QEAAXXZ", - "??_FCFileExtension@@QEAAXXZ", - "??_FCModuleConfigList@@QEAAXXZ", - "??_FCStrList@@QEAAXXZ", - "??_FCSystemThread@@QEAAXXZ", - "??_FCWorkerThread@@QEAAXXZ", - "??_FCWorkerThreadJob@@QEAAXXZ", - "??_FCWorkerThreadJobQueue@@QEAAXXZ", - "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", - "??_V@YAXPEAX@Z", - "?Acquire@CLockEvent@@QEAAXXZ", - "?Add@CContextList@@QEAAEPEAVCContext@@@Z", - "?Add@CFileExtension@@QEAAEPEBGK@Z", - "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", - "?Add@CStrList@@QEAAEPEBG@Z", - "?AddNode@CLockList@@UEAAEQEAXE@Z", - "?AddNode@CNoLockList@@UEAAEQEAXE@Z", - "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", - "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", - "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", - "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", - "?Cancel@CWorkerThreadJob@@QEAAXXZ", - "?CheckNode@CLockList@@UEAAHQEAX@Z", - "?CheckNode@CNoLockList@@UEAAHQEAX@Z", - "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", - "?Cleanup@CBlobConfig@@AEAAXXZ", - "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", - "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", - "?Cleanup@CModuleStringConfig@@AEAAXXZ", - "?Close@CFile@@QEAAJXZ", - "?Count@CLockList@@QEAAKXZ", - "?Count@CNoLockList@@QEAAKXZ", - "?Create@CFile@@QEAAJPEBGKKKK@Z", - "?Create@CSystemThread@@QEAAEXZ", - "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", - "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", - "?CreatePool@CWorkerThreadPool@@QEAAEXZ", - "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", - "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", - "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", - "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", - "?Delete@CFile@@QEAAJXZ", - "?Delete@CFileExtension@@QEAAEPEBGK@Z", - "?Delete@CStrList@@QEAAEPEBG@Z", - "?DeleteAll@CList@@UEAAXXZ", - 
"?DeleteAll@CLockList@@UEAAXXZ", - "?DeleteAll@CNoLockList@@UEAAXXZ", - "?DeleteNode@CContextList@@MEAAXPEAX@Z", - "?DeleteNode@CList@@UEAAXPEAX@Z", - "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", - "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", - "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", - "?DoIt@CWorkerThreadJob@@QEAAJXZ", - "?EntryPoint@CSystemThread@@KAXPEAX@Z", - "?Find@CContextList@@QEAAPEAVCContext@@K@Z", - "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", - "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", - "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", - "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FindNode@CContextList@@IEAAPEAXPEAX@Z", - "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", - "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?FinishIt@CWorkerThreadJob@@QEAAJXZ", - "?First@CList@@UEAAPEAXXZ", - "?First@CLockList@@UEAAPEAXXZ", - "?First@CNoLockList@@UEAAPEAXXZ", - "?Free@CMemoryAllocator@@UEAAXPEAX@Z", - "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", - "?GetAttributes@CFile@@QEAAKXZ", - "?GetBasicInfomration@CFile@@IEAAJXZ", - "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", - "?GetCategory@CContext@@QEAAKXZ", - "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", - "?GetData@CModuleFlagConfig@@QEAAKXZ", - "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", - "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", - "?GetData@CModuleStringConfig@@QEAAPEAGXZ", - "?GetData@CStrList@@QEAAEPEAGPEAK@Z", - "?GetDataType@CModuleConfig@@QEAAKXZ", - "?GetEngineContext@CContext@@QEAAPEAXXZ", - "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", - "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", - "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", - 
"?GetID@CModuleConfig@@QEAAKXZ", - "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", - "?GetLength@CModuleStringConfig@@QEAAKXZ", - "?GetLinkContext@CContext@@QEAAPEAXXZ", - "?GetLogFlag@CDebugLog@@QEAAKXZ", - "?GetLogFlag@CDebugLogEx@@QEAAKXZ", - "?GetModuleId@CModuleConfig@@QEAAKXZ", - "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", - "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", - "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", - "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", - "?GetSize@CBlobConfig@@QEAAKXZ", - "?GetStringConfig@CContext@@QEAAPEAGK@Z", - "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", - "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", - "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", - "?GetThreadID@CSystemThread@@QEAA_KXZ", - "?GetType@CContext@@QEAAKXZ", - "?GetUserParameter@CContext@@QEAA_KXZ", - "?InitProcMon@CDebugLogEx@@IEAAXXZ", - "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", - "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeFlagConfig@CContext@@QEAAHKK@Z", - "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", - "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", - "?Insert@CList@@UEAAXQEAXE@Z", - "?Insert@CLockList@@UEAAXQEAXE@Z", - "?Insert@CNoLockList@@UEAAXQEAXE@Z", - "?InsertAfter@CList@@UEAAXPEAX0@Z", - "?InsertBefore@CList@@UEAAXPEAX0@Z", - "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", - "?IsEmpty@CList@@UEAAEXZ", - "?IsEmpty@CLockList@@UEAAEXZ", - "?IsEmpty@CNoLockList@@UEAAEXZ", - "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", - "?IsFull@CLockList@@QEBAEXZ", - "?IsFull@CNoLockList@@QEBAEXZ", - "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", - 
"?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", - "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", - "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", - "?IsOpened@CFile@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", - "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", - "?IsValid@CMemoryAllocator@@UEAAEXZ", - "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", - "?IsValid@IMemoryAllocator@@UEAAEXZ", - "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", - "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", - "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", - "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", - "?Limit@CLockList@@QEAAKXZ", - "?Limit@CNoLockList@@QEAAKXZ", - "?MatchAllExtensions@CFileExtension@@QEAAEXZ", - "?MatchNoExtensions@CFileExtension@@QEAAEXZ", - "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", - "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", - "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", - "?NewNode@CList@@UEAAPEAXXZ", - "?NewNode@CStrList@@EEAAPEAXXZ", - "?NewNodeVariant@CList@@IEAAPEAXK@Z", - "?Next@CList@@UEBAPEAXQEAX@Z", - "?Next@CLockList@@UEBAPEAXQEAX@Z", - "?Next@CNoLockList@@UEBAPEAXQEAX@Z", - "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", - "?NotityTerminate@CWorkerThread@@QEAAXXZ", - "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", - "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", - "?Pulse@CKEvent@@QEAAJJE@Z", - "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", - "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", - 
"?Read@CFile@@QEAAJPEADKPEAK@Z", - "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", - "?ReferenceCount@CContext@@QEAAAEAKXZ", - "?Release@CLockEvent@@QEAAXXZ", - "?Remove@CContextList@@UEAAEQEAX@Z", - "?Remove@CList@@UEAAEQEAX@Z", - "?Remove@CLockList@@UEAAEQEAX@Z", - "?Remove@CNoLockList@@UEAAEQEAX@Z", - "?RemoveHead@CList@@UEAAPEAXXZ", - "?RemoveHead@CLockList@@UEAAPEAXXZ", - "?RemoveHead@CNoLockList@@UEAAPEAXXZ", - "?RemoveTail@CList@@UEAAPEAXXZ", - "?RemoveTail@CLockList@@UEAAPEAXXZ", - "?RemoveTail@CNoLockList@@UEAAPEAXXZ", - "?Reset@CKEvent@@QEAAXXZ", - "?ResetData@CInclusionExtConfig@@QEAAXXZ", - "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", - "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", - "?ResetData@CInclusionFolderConfig@@QEAAXXZ", - "?RestoreCR0@@YAXPEAX@Z", - "?Run@CAutoUpdateConfigThread@@UEAAXXZ", - "?Run@CDelayLoadThread@@UEAAXXZ", - "?Run@CWorkerThread@@UEAAXXZ", - "?SeekToEnd@CFile@@QEAAJXZ", - "?Set@CKEvent@@QEAAJJE@Z", - "?SetAttributes@CFile@@QEAAJK@Z", - "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", - "?SetData@CBlobConfig@@QEAAHPEAXK@Z", - "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", - "?SetData@CModuleFlagConfig@@QEAAHK@Z", - "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", - "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", - "?SetEngineContext@CContext@@QEAAXPEAX@Z", - "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", - "?SetFlagConfig@CContext@@UEAAJKK@Z", - "?SetLinkContext@CContext@@QEAAXPEAX@Z", - "?SetLogFlag@CDebugLog@@QEAAEK@Z", - "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", - "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", - "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", - "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", - "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", - "?SetPriority@CSystemThread@@QEAAXK@Z", - "?SetStopUse@CContext@@QEAAXXZ", - "?SetStringConfig@CContext@@UEAAJKPEBG@Z", - "?Setup@CSystemThread@@MEAAXXZ", - "?StopUse@CContext@@QEAAHXZ", - "?TearDown@CSystemThread@@MEAAXXZ", - "?Terminate@CSystemThread@@QEAAXE@Z", - 
"?Terminate@CWorkerThreadPool@@QEAAEXZ", - "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", - "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", - "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", - "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", - "?WaitForInit@CDelayLoadThread@@QEAAEXZ", - "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", - "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", - "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", - "?Write@CDebugLog@@QEAAXPEBDZZ", - "?Write@CDebugLogEx@@QEAAXPEBDZZ", - "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", - "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", - "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", - "?WriteSystemInformation@CDebugLog@@QEAAXXZ", - "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", - "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", - "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", - "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", - "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", - "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", - "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", - "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", - "DeInitKm2UmCommunication", - "DeInitKmLPC", - "DuplicateFullFileName", - "FreeFullFileName", - "GetKm2UmMode", - "GetModuleInfoByAddress", - "GetModuleInfoByModuleName", - "InitKm2UmCommunication", - "InitKmLPC", - "IsVerifierCodeCheckFlagOn", - "IsWindows8_1_update", - "KmCallUm", - "KmCallUmByLPC", - "KmCallUmEx", - "KmCleanupCommPortAPIs", - "KmGetUmInitProcess", - "KmSetCommPortAPIs", - "ModGetExportProcAddress", - "ModLoadDLLToBuffer", - "ModLoadDLLToBufferWithImageSize", - "ModLoadModule", - "ModUnLoadModule", - "NormalizeFileName", - "NormalizeFullNtPathToDosName", - "TmCommConfigRoutine", - "UtilAddDeviceInDriveTable", - "UtilAddReparsePointMapping", - "UtilCleanFileReadOnly", - "UtilCloseExclusiveHandle", - "UtilCreateDosFileName", - "UtilDeleteFileForce", - "UtilGetDeviceObjectName", - 
"UtilGetFileNameFromFileObject", - "UtilGetFileObjectForProcessByEPROC", - "UtilGetFileObjectFromFileName", - "UtilGetProcessName", - "UtilGetSystemDirectory", - "UtilGetSystemDirectoryEx", - "UtilGetSystemDirectoryLength", - "UtilGetSystemTime", - "UtilIoSetFileInfo", - "UtilIopCreateFileIRP", - "UtilKeGetLowFileDevice", - "UtilModuleIATHook", - "UtilModuleIATUnHook", - "UtilPostJobToWorkerThread", - "UtilQueryExclusiveHandle", - "UtilQueryKeyValue", - "UtilRemoveDeviceFromDriveTable", - "UtilVolumeDeviceToDosName", - "UtilWaitValueChangeToZero", - "UtilWriteVersionToRegistry", - "UtilbuildDynamicDiskMappingTable", - "UtlWriteBinValueKeyToRegistry", - "ValidateAddressWithSize", - "_ResetProtectFromClose", - "_UtilDosPathNameToNtPathName" + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + 
"?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + 
"?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + 
"?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + 
"?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + 
"?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetFileVersionOfNtoskrnl@16", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + 
"_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" ], "ImportedFunctions": [ - "KeLeaveCriticalRegion", - "wcsncpy", - "KeEnterCriticalRegion", - "ExAcquireFastMutexUnsafe", - "wcsrchr", - "ExAcquireResourceSharedLite", - "ExReleaseResourceLite", - "_purecall", - "ZwOpenEvent", - "ZwConnectPort", + "KePulseEvent", "KeClearEvent", - "PsProcessType", - "ExFreePoolWithTag", - "RtlInitUnicodeString", - "KeSetEvent", - "ProbeForWrite", + "KeStackAttachProcess", "KeUnstackDetachProcess", - "ZwRequestWaitReplyPort", - "ZwWaitForSingleObject", - "DbgBreakPoint", + "ObfDereferenceObject", "ZwSetEvent", - "IoGetCurrentProcess", - "ZwFreeVirtualMemory", "ZwClose", - "ObfReferenceObject", - "ObfDereferenceObject", + "ZwConnectPort", + "RtlInitUnicodeString", "RtlUnicodeStringToInteger", 
"ZwCreateSection", - "ObOpenObjectByPointer", - "KeStackAttachProcess", - "KePulseEvent", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", + "ZwRequestWaitReplyPort", + "ExFreePoolWithTag", + "ProbeForWrite", + "ZwFreeVirtualMemory", "ZwAllocateVirtualMemory", - "ObGetObjectSecurity", - "SeAccessCheck", - "SeReleaseSubjectContext", - "SeCaptureSubjectContext", - "PsThreadType", - "ObReleaseObjectSecurity", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", "PsGetProcessExitTime", "MmSectionObjectType", + "PsThreadType", + "MmGetSystemRoutineAddress", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", "DbgPrint", - "ExDeleteResourceLite", + "memset", + "MmIsAddressValid", "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwWriteFile", "ZwReadFile", - "swprintf", + "ZwQueryInformationFile", "ZwSetInformationFile", "ZwCreateFile", - "ZwQueryInformationFile", - "ZwWriteFile", - "_wcsnicmp", + "swprintf", "towupper", + "_wcsnicmp", "ExAllocatePoolWithTag", "KeInitializeEvent", - "ZwCreateEvent", - "ZwCreateKey", - "RtlAnsiStringToUnicodeString", - "ZwNotifyChangeKey", - "RtlInitAnsiString", "_snprintf", - "RtlFreeUnicodeString", - "ExSystemTimeToLocalTime", - "_vsnprintf", - "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", "RtlTimeToTimeFields", - "ZwDeviceIoControlFile", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", "PsGetCurrentThreadId", - "PsGetCurrentProcessId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", + "ZwCreateKey", + "ZwCreateEvent", "KeWaitForMultipleObjects", - "ExGetPreviousMode", + "ObReferenceObjectByHandle", + "ZwNotifyChangeKey", + "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", "RtlEqualUnicodeString", - "RtlPrefixUnicodeString", "RtlAppendUnicodeStringToString", "RtlCopyUnicodeString", "RtlUpcaseUnicodeChar", + "ExGetPreviousMode", 
"KeWaitForSingleObject", "KeSetPriorityThread", - "PsCreateSystemThread", "PsTerminateSystemThread", - "MmIsAddressValid", + "PsCreateSystemThread", "KeDelayExecutionThread", "KeNumberProcessors", + "ZwQueryInformationProcess", "PsLookupProcessByProcessId", - "PsSetCreateProcessNotifyRoutine", "ZwOpenDirectoryObject", - "ZwQueryInformationProcess", - "ZwQuerySecurityObject", - "NtSetInformationFile", - "ZwDeleteValueKey", - "ZwSetValueKey", + "PsSetCreateProcessNotifyRoutine", "ZwQuerySystemInformation", - "NtQueryInformationFile", - "IoFileObjectType", - "ZwQueryValueKey", "ZwQueryDirectoryFile", - "NtCreateFile", - "ZwEnumerateValueKey", - "RtlLengthSecurityDescriptor", "ZwQueryDirectoryObject", - "ZwSetSecurityObject", "ZwDuplicateObject", - "ZwOpenProcess", - "ZwTerminateProcess", - "ExReleaseFastMutexUnsafe", + "ZwOpenKey", "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ZwTerminateProcess", + "ZwOpenProcess", "ZwQueryKey", - "ZwOpenKey", - "MmSystemRangeStart", - "_stricmp", + "ZwSetValueKey", + "IoFileObjectType", + "KeSetEvent", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "_purecall", + "MmUnlockPages", + "IoBuildAsynchronousFsdRequest", "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", "mbstowcs", - "ProbeForRead", - "RtlUpcaseUnicodeString", - "_snwprintf", "ZwQuerySymbolicLinkObject", - "ZwMapViewOfSection", - "MmGetSystemRoutineAddress", - "RtlAppendUnicodeToString", - "IoCreateFile", - "RtlQueryRegistryValues", - "MmBuildMdlForNonPagedPool", "ZwOpenSymbolicLinkObject", - "IoFreeMdl", - "ObQueryNameString", - "ZwUnmapViewOfSection", "NtClose", - "IoFreeIrp", - "PsGetVersion", - "IoAllocateIrp", - "RtlCompareMemory", - "MmUnlockPages", + "ObQueryNameString", "ZwSetInformationObject", - "ZwOpenFile", - "wcsncmp", - "RtlImageNtHeader", - "IoAllocateMdl", - "IofCallDriver", - 
"ZwQueryVolumeInformationFile", - "ObReferenceObjectByPointer", - "IoBuildDeviceIoControlRequest", - "ZwOpenSection", - "RtlSubAuthoritySid", - "RtlLengthRequiredSid", - "ExReleaseFastMutex", - "ExAcquireFastMutex", - "RtlCreateAcl", - "RtlSetDaclSecurityDescriptor", - "RtlAddAccessAllowedAce", - "KeInitializeSemaphore", - "KeReleaseSemaphore", - "RtlInitializeSid", - "RtlCreateSecurityDescriptor", - "IoDeleteSymbolicLink", - "IoDeleteDevice", - "IoGetDeviceObjectPointer", - "ExEventObjectType", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "ObOpenObjectByName", - "NtQueryInformationProcess", - "strncpy", - "NtOpenProcess", - "ObInsertObject", - "IoAcquireVpbSpinLock", - "SeCreateAccessState", - "IoGetFileObjectGenericMapping", - "ObCreateObject", - "KeAcquireQueuedSpinLock", - "KeReleaseQueuedSpinLock", - "IoReleaseVpbSpinLock", - "wcschr", - "strncat", - "RtlUnicodeStringToAnsiString", - "wcsncat", - "RtlFreeAnsiString", - "wcstombs", - "IoGetConfigurationInformation", - "IoRegisterPlugPlayNotification", - "IoGetStackLimits", - "IoBuildSynchronousFsdRequest", - "KeReleaseSpinLock", - "ExpInterlockedPopEntrySList", - "FsRtlIsNameInExpression", - "wcsstr", - "ExAllocatePool", - "IoUnregisterPlugPlayNotification", - "MmProbeAndLockPages", - "RtlCompareUnicodeString", - "IoGetDeviceInterfaces", - "KeAcquireSpinLockRaiseToDpc", - "KeBugCheckEx", - "IoCreateDevice", - "IoDeviceObjectType", - "SeCaptureSecurityDescriptor", - "RtlAbsoluteToSelfRelativeSD", - "IoIsWdmVersionAvailable", - "SeExports", - "RtlLengthSid", - "RtlGetSaclSecurityDescriptor", - "RtlGetDaclSecurityDescriptor", - "RtlGetGroupSecurityDescriptor", - "RtlGetOwnerSecurityDescriptor", - "ZwDeleteKey", - "ExAcquireResourceExclusiveLite", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": 
"2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", - "ValidFrom": "2018-05-22 00:00:00", - "ValidTo": "2019-07-16 23:59:59", - "Signature": "f51f3f5ad8cfb51aee3156e1761cf440c448eda8ccacbc48cda1a43f3478a66508bf41a9080e901c134a5d067db2b1175f7352e2b1212a89b0860a46d610412556c2edc049b661d682b418501a89b1e8334ef89be22cc41286eb88be9d529466c5f7455be0a55046c78a77c839524125351d8468b822584925a1466f81e631794b8bfb9f3844b8249cfa8b4fc5ab102cfe61dc182a24fcd1eb15043d98615a5fe574a64af3c9f83621fd4f74be0cce77fa3a7fc5d17b07bbbb034163dbc573be495ebc59b7ea9f4bfde65cb16125195ac4cf2d9d4a50c8c3bcf120cd3b26a5194c0672dd1349fe432df6c6afcc4f82700df8f899dbf035a70c8b294466bf3ae6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "60d927b542b7d1147fb2f0c4b9c1bbb2", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "TmComm.sys" - ] - }, - { - "Id": "79692987-1dd0-41a0-a560-9a0441922e5a", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create AsIO64.sys binPath=C:\\windows\\temp\\AsIO64.sys type=kernel && sc.exe start AsIO64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "AsIO64.sys", - "MD5": "8065a7659562005127673ac52898675f", - "SHA1": "fcde5275ee1913509927ce5f0f85e6681064c9d2", - "SHA256": "b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "", - "Description": "", - "Product": "", - 
"ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "d593aec08f96fe410f7a6b53e49551a0", - "SHA1": "2ea631bfe3fd765e3a03b3165790faf8fdd8286b", - "SHA256": "906d8412b357379db9512e3f584fcda1f788acc1337e5b4d4eff5e6fa59324a6" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", + "_stricmp", + "ZwUnmapViewOfSection", "ZwMapViewOfSection", - "ObReferenceObjectByHandle", + "ZwOpenFile", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "RtlUpcaseUnicodeString", + "_snwprintf", + "MmSystemRangeStart", + "wcsncmp", + "RtlCompareUnicodeString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", "ZwOpenSection", - "RtlInitUnicodeString", - "IoDeleteDevice", - "KeDelayExecutionThread", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IoGetDeviceObjectPointer", "IofCompleteRequest", - "ZwUnmapViewOfSection", - "IoIs32bitProcess", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IoCreateSymbolicLink", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + 
"IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "wcsstr", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "wcschr", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "wcsrchr", + "memcpy", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "_allrem", + "ExAcquireFastMutexUnsafe", + "IoDeviceObjectType", "IoCreateDevice", - "IoDeleteSymbolicLink", - "DbgPrint", - "HalTranslateBusAddress" + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", + "IoFreeMdl", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", + "ValidFrom": "2019-07-12 00:00:00", + "ValidTo": "2020-07-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": 
"2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2007-07-03 00:00:00", - "ValidTo": "2008-07-26 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"23eab3ac30c7016a299c8d31d99f3ae8", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] - } - ], - "Tags": [ - "AsIO64.sys" - ] - }, - { - "Id": "b7ec29c6-e151-4a9f-a293-e61f04ee6489", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create My.sys binPath=C:\\windows\\temp\\My.sys type=kernel && sc.exe start My.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "My.sys", - "SHA256": "d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "My.sys" - ] - }, - { - "Id": "7b893f79-b5b0-4373-9d29-c53a21fe6fc3", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create WinFlash64.sys binPath=C:\\windows\\temp\\WinFlash64.sys type=kernel && sc.exe start WinFlash64.sys", - "Description": [], - "Usecase": "Elevate 
privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "FileName": "WinFlash64.sys", - "MD5": "a216803d691d92acc44ac77d981aa767", - "SHA1": "48be0ec2e8cb90cac2be49ef71e44390a0f648ce", - "SHA256": "316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d", + "FileName": "TmComm.sys", + "MD5": "c42caa9cdcc50c01cb2fed985a03fe23", + "SHA1": "b3c111d7192cfa8824e5c9b7c0660c37978025d6", + "SHA256": "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c", "Authentihash": { - "MD5": "62fecd37b50c9973478b3c1a02838c22", - "SHA1": "a1e4fbc16c0fc98a4c2256f2b0b45c1ece8f8f0b", - "SHA256": "ad6360cee0b1b293be38348f0f9deb7221e205516524f437aaf8f468b308cb4e" + "MD5": "eee43fab6af4ff34b0c35892e7765798", + "SHA1": "a8baa1f52375ab24150d0cba4c62a4b0f5080ef4", + "SHA256": "81c301c77dbfff44567165139e9a5ee3af2aee838298451c7075dc6e1aae489f" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "2.0.0.1118", + "Product": "AEGIS", + "ProductVersion": "2.0", + "Copyright": "Copyright (C) 2005-2007 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": "", + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + 
"??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + 
"??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + 
"??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + 
"?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + 
"?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + 
"?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + 
"?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_MapMem@12", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_TmCommConfigRoutine@4", + "_UnMapMem@8", + "_UtilGetProcessName@12", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilQueryKeyValue@24", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8" + ], "ImportedFunctions": [ - "IoDeleteDevice", - "RtlFreeUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAnsiStringToUnicodeString", - "RtlInitString", + "_purecall", + "ExAcquireFastMutexUnsafe", + "KeEnterCriticalRegion", + "KeGetCurrentThread", + "KeLeaveCriticalRegion", + "ExReleaseFastMutexUnsafe", + "wcsncpy", + "memcpy", + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", "IofCompleteRequest", - "MmMapLockedPages", - "IoDeleteSymbolicLink", + "ZwClose", + "KeDelayExecutionThread", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ExEventObjectType", + "ZwCreateEvent", "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "MmUnmapIoSpace", - "MmMapIoSpace", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", - "ValidFrom": "2006-10-17 00:00:00", - "ValidTo": "2007-10-17 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "2ca9ca93cd9b19a96ddad68aff3a668d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust 
Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "WinFlash64.sys", - "MD5": "bf2a954160cb155df0df433929e9102b", - "SHA1": "7a1689cde189378e7db84456212b0e438f9bf90a", - "SHA256": "8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d", - "Authentihash": { - "MD5": "066fa975190d01fa5a8e99b0d5f3a5ae", - "SHA1": "0086ddd495c6c89c9b7732f2a2b58c06a82f31bc", - "SHA256": "63041a13d1658e22fecc34706e98ab08b54b94e7d028bf2b1308ff85995a01c3" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "swprintf", + "KeQuerySystemTime", + "KeWaitForSingleObject", "IoDeleteDevice", - "RtlFreeUnicodeString", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAnsiStringToUnicodeString", - "RtlInitString", - "IofCompleteRequest", - "MmMapLockedPages", "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "ExFreePoolWithTag", - "ExAllocatePoolWithTag", - "MmUnmapIoSpace", - "MmMapIoSpace" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": 
"877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=TAIWAN, L=TAIPEI, O=Universal ABIT Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=R&D DIV. 
TECH.SUPP.DEPT, CN=Universal ABIT Co., Ltd.", - "ValidFrom": "2006-07-19 00:00:00", - "ValidTo": "2007-07-19 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "226a266fde87a6d82d69d22ba10dce2f", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "WinFlash64.sys", - "MD5": "bc6ff00fb3a14437c94b37ac9a2101d4", - "SHA1": "d5326fea00bcde2ef7155acf3285c245c9fb4ece", - "SHA256": "8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59", - "Authentihash": { - "MD5": "32c5590f86eda2c188d19fa91107e3b7", - "SHA1": "d3bc762eaebf1ea4f291aeb614dd7e1d3c027a39", - "SHA256": "bddf1750dc00725c1384b34740e798b4f5f70218ab71ac62a5a96773b377df5a" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "IoDeleteDevice", - "RtlFreeUnicodeString", "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAnsiStringToUnicodeString", - "RtlInitString", - "IofCompleteRequest", - "MmMapLockedPages", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "MmFreeContiguousMemorySpecifyCache", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemorySpecifyCache", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "MmMapIoSpace", + "DbgPrint", + "RtlCopyUnicodeString", + "ProbeForWrite", + "ProbeForRead", + "ExGetPreviousMode", + "memset", + "MmIsAddressValid", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", + "towupper", + "_wcsnicmp", + "_snprintf", + "PsGetCurrentProcessId", + "IoGetCurrentProcess", + "RtlTimeToTimeFields", + 
"ExSystemTimeToLocalTime", + "ZwCreateKey", + "KeInitializeEvent", + "KeWaitForMultipleObjects", + "ZwNotifyChangeKey", + "PsGetCurrentThreadId", + "_vsnprintf", + "MmMapLockedPagesSpecifyCache", + "MmBuildMdlForNonPagedPool", + "MmCreateMdl", "ExFreePoolWithTag", + "MmUnmapLockedPages", "ExAllocatePoolWithTag", - "KeBugCheckEx" + "RtlImageNtHeader", + "mbstowcs", + "_stricmp", + "ZwQuerySystemInformation", + "IoGetDeviceObjectPointer", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", + "_strnicmp", + "PsLookupProcessByProcessId", + "KeUnstackDetachProcess", + "KeStackAttachProcess", + "ZwQueryObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "KeSetPriorityThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeNumberProcessors", + "ZwQueryDirectoryFile", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "IoFreeIrp", + "IoFreeMdl", + "IofCallDriver", + "IoAllocateMdl", + "IoAllocateIrp", + "IoFileObjectType", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ZwQueryKey", + "ZwSetValueKey", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "strncpy", + "NtOpenProcess", + "ObOpenObjectByPointer", + "PsProcessType", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "RtlAppendUnicodeStringToString", + "ObfReferenceObject", + "NtQueryInformationProcess", + "_snwprintf", + "RtlAnsiStringToUnicodeString", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "RtlEqualUnicodeString", + "IoCreateFile", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlCompareMemory", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "RtlLengthRequiredSid", + 
"RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ZwSetEvent", + "ZwRequestWaitReplyPort", + "memmove", + "ZwConnectPort", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ExAllocatePool", + "KeBugCheckEx", + "RtlUpperChar", + "RtlCompareUnicodeString", + "KeTickCount", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlUnwind", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "RtlFreeUnicodeString" ], "Signatures": [ { 
@@ -118219,123 +123327,714 @@ "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2007-01-30 00:00:00", + "ValidTo": "2008-02-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", "ValidFrom": "2006-05-23 17:01:29", "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=California, L=Milpitas, O=Phoenix Technology Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=CSS Core Features Development, CN=Phoenix Technology Ltd.", - "ValidFrom": "2008-11-14 00:00:00", - "ValidTo": "2009-11-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "55272d7780471b989f3def09bb221c53", + "SerialNumber": "225c8b52640584163ec1835017ded781", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } - ] - } - ], - "Tags": [ - "WinFlash64.sys" - ] - }, - { - "Id": "62e2a967-1f03-4225-a325-122b109208f3", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create DirectIo.sys 
binPath=C:\\windows\\temp\\DirectIo.sys type=kernel && sc.exe start DirectIo.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - "Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "DirectIo.sys", - "MD5": "d77fb9fb256b0c2ec0258c39b80dc513", - "SHA1": "bdfb1a2b08d823009c912808425b357d22480ecc", - "SHA256": "2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d", + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "d79b8b7bed8d30387c22663b24e8c191", + "SHA1": "af5b7556706e09ee9e74ee2e87eab5c0a49d2d35", + "SHA256": "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f", "Authentihash": { - "MD5": "79f811fc9166bce5a871174b384370a7", - "SHA1": "79f909fb1ffe781e45351fc683e7cece43cfe465", - "SHA256": "d166b6ffd164dbea53f0f588a979f4c5f1f2a1793fc10cda84a4530b7b22fd0c" + "MD5": "ab680a8ed6b727bb2a4e27d124191b89", + "SHA1": "62fe5d3ebcd192fcf985f2e3a27c214051ecf854", + "SHA256": "44120b712e4b5ef3b302f03b7aa61f9f6fe6820d966addbcc43d8e09402e5906" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "5.50.0.1033", + "Product": "Trend Micro Eyes", + "ProductVersion": "5.50", + "Copyright": "Copyright (C) 2002 - 2012 Trend Micro Incorporated. 
All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + 
"??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + 
"??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDelayLoadThread@@6B@", + 
"??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + 
"?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + 
"?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + 
"?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + 
"?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + 
"?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_KmCallUmEx@12", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilCleanFileReadOnly@4", + "_UtilDeleteFileForce@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "__UtilDosPathNameToNtPathName@12" ], - "ExportedFunctions": "", "ImportedFunctions": [ + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "KeReleaseSemaphore", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "RtlSubAuthoritySid", + "RtlInitializeSid", + "ExAllocatePoolWithTag", + "RtlLengthRequiredSid", + "ExFreePoolWithTag", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + 
"RtlCreateAcl", + "ObfDereferenceObject", + "ZwSetEvent", "ZwClose", - "ZwUnmapViewOfSection", - "IoWriteErrorLogEntry", + "ZwRequestWaitReplyPort", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", + "ZwConnectPort", + "RtlInitUnicodeString", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ObfReferenceObject", + "IoGetCurrentProcess", + "DbgBreakPoint", + "PsGetProcessExitTime", + "MmSectionObjectType", + "DbgPrint", + "memset", + "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", + "swprintf", + "towupper", + "_wcsnicmp", + "KeInitializeEvent", + "_snprintf", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", + "ZwNotifyChangeKey", + "PsGetCurrentThreadId", + "_vsnprintf", + "KeSetPriorityThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeNumberProcessors", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "KeDelayExecutionThread", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", + "MmHighestUserAddress", + "IoFreeIrp", "memcpy", - "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", + "MmUnlockPages", + "IoBuildAsynchronousFsdRequest", + "_strnicmp", 
"RtlQueryRegistryValues", - "ZwOpenSection", - "memset", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", + "RtlAppendUnicodeToString", + "mbstowcs", + "_purecall", + "ZwOpenSymbolicLinkObject", + "NtClose", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", + "IoCreateFile", "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlCopyUnicodeString", + "RtlCompareMemory", + "_snwprintf", + "RtlImageNtHeader", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "ObQueryNameString", "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", + "IofCompleteRequest", + "ExEventObjectType", + "_allmul", + "IoDeleteDevice", + "IoDeleteSymbolicLink", "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByPointer", "IoGetDeviceObjectPointer", - "IoCreateDevice", + "RtlUpperChar", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "IoDriverObjectType", + "RtlAppendUnicodeStringToString", + "strncmp", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "PsThreadType", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "RtlUpcaseUnicodeString", + "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "MmSystemRangeStart", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "wcsstr", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + 
"ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "KeCancelTimer", + "KeSetTimerEx", + "KeInitializeTimer", + "wcstombs", "KeTickCount", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePool", - "ZwQueryValueKey", - "ZwOpenKey", - "ExFreePoolWithTag", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", + "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "IoFreeMdl", + "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", + "ZwQuerySymbolicLinkObject", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", "KeGetCurrentIrql", - "READ_PORT_ULONG" + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
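Review bot: The `ExportedFunctions` key changes type within this hunk — the removed line is `"ExportedFunctions": ""` (a string) while the added TmComm.sys record gives it an array of names — so the same key has been a string in some records and an array in others. A strict decoder that binds this key to one type rejects records of the other shape, and for a tool whose job is to match known-vulnerable drivers a decode failure means the list silently stops loading rather than degrading. If any record on the new side still uses the empty string, the embedded data should be normalized to `"ExportedFunctions": []` so every record shares one shape, or the loader should explicitly accept both forms; I can only see the array form on the new side here, so the remaining records should be checked. The TmComm.sys record's `Signatures` array opens at the end of this hunk and continues outside it.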
@@ -118343,10 +124042,10 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -118357,17 +124056,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2007-10-16 00:00:00", - "ValidTo": "2009-10-19 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-09-30 00:00:00", + "ValidTo": "2014-01-01 23:59:59", + "Signature": "aedd211d5f8f807ad25209eadb6ed25d8be8c21b6904be51a5010e59fa37d174a3eedced89742b62d5a6bf4fad361754f013e0a345d24c26cbe26da21fd01e7a070fb6b37b6f5068a2e931b3b7997d8070a0a7de0b1ea4fff34d811bdd20c91cc4afcff18ffad9da95f0ecdc5cbfe88c5a3e7ab0a3eb59437411e09b1a6af36f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -118376,428 +124068,766 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2011-12-27 00:00:00", + "ValidTo": "2013-02-15 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6204d256fa7f1bbb6b94137201342edb", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "6326c00ead256b6837eeb29b5ee84720", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "DirectIo.sys", - "MD5": "590875a0b2eeb171403fc7d0f5110cb2", - "SHA1": "4f94789cffb23c301f93d6913b594748684abf6a", - "SHA256": "31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192", + "FileName": "TmComm.sys", + "MD5": "e28ce623e3e5fa1d2fe16c721efad4c2", + "SHA1": "4cd5bf02edf6883a08dfed7702267612e21ed56e", + "SHA256": "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed", "Authentihash": { - "MD5": "92d24cb91b1cdc8139614ac03a00af5c", - "SHA1": "562695a1b80864b303b234fa801f064d7546b4f8", - "SHA256": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630" + "MD5": "ae1b6ea856ae1be7cf1929618e5d78ad", + "SHA1": "93d07ce0258ae8595833b8c5c6aee14b1a210405", + "SHA256": "6d6fe20c9f7ccfe723bf7feecb5acf773a85cb61286452dc4001589f82b1a424" }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", + "Description": "TrendMicro Common 
Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.50.0.1041", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.50", + "Copyright": "Copyright (C) 2014 Trend Micro Incorporated. All rights reserved.", "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", 
+ "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + 
"??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + 
"??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + 
"?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + 
"?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + 
"?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", 
+ "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + 
"?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + 
"?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__UtilDosPathNameToNtPathName@12" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "ZwOpenSection", - "ZwClose", - "ZwUnmapViewOfSection", - 
"IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", - "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoCreateSymbolicLink", + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", "ObfDereferenceObject", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", - "IoCreateDevice", - "ZwMapViewOfSection", - "DbgPrint", - "RtlAssert", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "RtlQueryRegistryValues", - "ExFreePool", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA", - "ValidFrom": "2003-08-06 00:00:00", - "ValidTo": "2013-08-05 23:59:59", - "Signature": "76b29cee139f1bf62d349294457334dc8e6b2e5cfc4c7d89ebc368f1d7990f2e1d17c8b5168bbecd8a0506f219493a035b05c9208e6d52e17681a0c3658a2267e41c53533746bfbcd72feb7b9ed014456c402108e25d757666301ef4df828a2fbdf3a20cbf1ddb9f14a29a72374db07748e84a3f09ce55192cefe60724e1afec", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=AU, ST=NSW, L=Sydney, O=PassMark Software Pty Ltd, OU=Secure Application Development, CN=PassMark Software Pty Ltd", - "ValidFrom": "2005-10-20 07:03:10", - "ValidTo": "2007-10-20 07:03:10", - "Signature": "3116ad5ee2031661e893bffa3e28036440e1342ac82cb00ffa19b541cc558bb494ac845d401892bc236a2d26f6826d580da1b6eb998a81ea3867ddb07fdf2a267452f6abc71242c3dc904e528953ec2eebdb5ca5dd9c1e607527822dff5fb577a2be4fbdb33332abd62448751055ec5a857ff146bf07ccb4856e84f32debaa67", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.4" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "401630", - "Issuer": "C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA" - } - ] - } - ] - }, - { - "FileName": "DirectIo.sys", - "MD5": "392d7180653b0ca77a78bdf15953d865", - "SHA1": "3e917f0986802d47c0ffe4d6f5944998987c4160", - "SHA256": "673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92", - "Authentihash": { - "MD5": "a905e5bba9e716972e78843a7de4d30e", - "SHA1": "08de981cec441bf0bc18a90a44e13941ba4e781d", - "SHA256": "15cf3ce2a0ee32488de26222492842a378d6b8af6924578b35dac89fb0c7cb5c" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwOpenSection", + "ZwSetEvent", "ZwClose", - "ZwUnmapViewOfSection", - "ObfDereferenceObject", - "ZwWriteFile", - "PsGetProcessId", - "NtBuildNumber", - "RtlFillMemoryUlong", - "ExAllocatePoolWithTag", - "ZwCreateFile", - "memset", - "memcpy", - 
"MmGetPhysicalMemoryRanges", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", - "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "ObReferenceObjectByHandle", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoCreateSymbolicLink", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", - "IoCreateDevice", - "KeQueryActiveProcessors", - "KeRevertToUserAffinityThread", - "KeSetSystemAffinityThread", - "KeTickCount", - "KeBugCheckEx", - "ZwMapViewOfSection", - "DbgPrint", + "ZwConnectPort", "RtlInitUnicodeString", - "ExAllocatePool", - "ZwQueryValueKey", - "ExFreePoolWithTag", - "RtlIntegerToUnicodeString", - "RtlAssert", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software 
Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2009-09-22 00:00:00", - "ValidTo": "2012-10-18 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "38e7fa0db1a398f805bb85a69171dc9d", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] - }, - { - "FileName": "DirectIo.sys", - "MD5": "e3fda6120dfa016a76d975fdab7954f6", - "SHA1": "e2e7a2b2550b889235aafd9ffd1966ccd20badfe", - "SHA256": "83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a", - "Authentihash": { - "MD5": "4235df36aa97725d3a17e653dd5e1524", - "SHA1": "9fa6e7d69545a0f7b82c01e9bec2c8f19d1ab65b", - "SHA256": "2b03a8bad9ecfcacc8e8a21ee310ce359e1382d7a5d5ce5284b32ecc2bcc4b8a" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "AMD64", - "Imports": [ 
- "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", + "ZwRequestWaitReplyPort", "ExFreePoolWithTag", - "ZwQueryValueKey", - "ExAllocatePoolWithTag", - "RtlInitUnicodeString", - "RtlAssert", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", + "PsGetProcessExitTime", + "MmSectionObjectType", + "PsThreadType", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", "DbgPrint", - "ZwMapViewOfSection", + "memset", + "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", + "swprintf", + "towupper", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "_snprintf", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwClose", - "ZwUnmapViewOfSection", - "IoWriteErrorLogEntry", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", - "IoDeleteDevice", + "ZwNotifyChangeKey", + "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlEqualUnicodeString", "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenKey", - "RtlWriteRegistryValue", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", "KeWaitForSingleObject", + "KeSetPriorityThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeDelayExecutionThread", + 
"KeNumberProcessors", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", + "IoFileObjectType", + "_allrem", + "ZwQuerySecurityObject", + "memcpy", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "MmUnlockPages", + "_purecall", + "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "mbstowcs", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "NtClose", + "ObQueryNameString", + "MmGetSystemRoutineAddress", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "IoCreateFile", "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoCreateSymbolicLink", - "ObfDereferenceObject", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "_snwprintf", + "MmSystemRangeStart", + "wcsncmp", + "strrchr", + "ZwQueryVolumeInformationFile", "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", - "IoCreateDevice", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "877870da4e5201205be079c98230c4fdb91996bd9100c3bdcdcdc6f40ed8fff94dc033623011c5f5741bd492de5f9c2013b17c45be50cd83e7801783a72793671346fbcab8984103cc9b515b058b7fa86ff31b501b242ef2698d6c22f7bbca1695ed0c74c06877d9eb996287c17390f889747a23aba3987b97b1f78f29714d2e751b4841daf0b50d2054d677a097826369fd09cf8af075bb099bd9f91155269a6132be7a02b07b86bea2c38b222c78d13576bc92735cf9b9e64c150a23cce4d2d4342e4940153c0f607a24c6a566ef96cf70eb3ee7f40d7edcd17ca3767169c19c4f47303521b1a2af1a623c2bd98eaa2a077bd818b35c7be29da56ffe3c89ad", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2006-10-19 00:00:00", - "ValidTo": "2007-10-19 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": 
"C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "6365cef4a64e1054779b87cb364f5ba7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "DirectIo.sys", - "MD5": "a17c403c4b74d4fa920c3887066daeb2", - "SHA1": "30c6e1da8745c3d53df696af407ef095a8398273", - "SHA256": "94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e", - "Authentihash": { - "MD5": "9377db4b59048af79f44c26fc34298a5", - "SHA1": "d0559503988daa407fcc11e59079560cb456bb84", - "SHA256": "eb6f186c9bf73b0efd227d99e09659c321f0414bda568e99ee9a3863dc1a380d" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwUnmapViewOfSection", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", "IofCompleteRequest", - "memcpy", + "ExEventObjectType", "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", "IoDeleteSymbolicLink", - "RtlQueryRegistryValues", - "ZwOpenSection", - "memset", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - 
"IoBuildDeviceIoControlRequest", - "KeInitializeEvent", "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByPointer", "IoGetDeviceObjectPointer", - "IoCreateDevice", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "wcsstr", + "RtlUpcaseUnicodeString", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", "KeTickCount", "KeBugCheckEx", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "DbgPrint", - "RtlInitUnicodeString", - "ExAllocatePool", - "ZwQueryValueKey", - "ZwOpenKey", - "ExFreePoolWithTag", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", + "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ZwSetSecurityObject", + "ExAcquireFastMutexUnsafe", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", 
+ "IoBuildAsynchronousFsdRequest", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", "KeGetCurrentIrql", - "READ_PORT_ULONG" + "KfRaiseIrql", + "ClassInitialize" ], "Signatures": [ { 
@@ -118805,31 +124835,17 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2010-05-10 00:00:00", + "ValidTo": "2015-05-10 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2007-10-16 00:00:00", - "ValidTo": "2009-10-19 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -118838,522 +124854,788 @@ "ValidTo": "2016-05-23 17:11:29", "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "6204d256fa7f1bbb6b94137201342edb", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "FileName": "DirectIo.sys", - "MD5": "7056549baa6da18910151b08121e2c94", - "SHA1": "84d44e166072bccf1f8e1e9eb51880ffa065a274", - "SHA256": "bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3", - "Authentihash": { - "MD5": "92d24cb91b1cdc8139614ac03a00af5c", - "SHA1": "562695a1b80864b303b234fa801f064d7546b4f8", - "SHA256": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": "", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwOpenSection", - "ZwClose", - "ZwUnmapViewOfSection", - "IoWriteErrorLogEntry", - "memmove", - "IoAllocateErrorLogEntry", - "IofCompleteRequest", - "IoDeleteDevice", - "RtlAppendUnicodeStringToString", - "RtlIntegerToUnicodeString", - "RtlAppendUnicodeToString", - "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "ZwOpenKey", - "RtlWriteRegistryValue", - "KeWaitForSingleObject", - "IofCallDriver", - "IoBuildDeviceIoControlRequest", - "KeInitializeEvent", - "IoCreateSymbolicLink", - "ObfDereferenceObject", - "ObReferenceObjectByPointer", - "IoGetDeviceObjectPointer", - "IoCreateDevice", - "ZwMapViewOfSection", - "DbgPrint", - "RtlAssert", - "RtlInitUnicodeString", - "ExAllocatePoolWithTag", - "ZwQueryValueKey", - "RtlQueryRegistryValues", - "ExFreePool", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "WRITE_PORT_ULONG", - 
"WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "KeGetCurrentIrql", - "READ_PORT_ULONG" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=AU, ST=NSW, O=PassMark Software Pty Ltd, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=PassMark Software Pty Ltd", - "ValidFrom": "2006-10-19 00:00:00", - "ValidTo": "2007-10-19 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Trend Micro, Inc.", + "ValidFrom": "2014-02-07 00:00:00", + 
"ValidTo": "2015-04-08 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "6365cef4a64e1054779b87cb364f5ba7", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "5bb307b9e6fbf0c0fd40f5772d1ad8e3", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] - } - ] - } - ], - "Tags": [ - "DirectIo.sys" - ] - }, - { - "Id": "aaa92ef1-5728-4e15-9fca-b054b02f0fb0", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create piddrv64.sys binPath=C:\\windows\\temp\\piddrv64.sys type=kernel && sc.exe start piddrv64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "piddrv64.sys", - "MD5": "fd7de498a72b2daf89f321d23948c3c4", - "SHA1": "c4ed28fdfba7b8a8dfe39e591006f25d39990f07", - "SHA256": 
"b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29", - "Signature": [ - "Microsoft Windows Hardware Compatibility Publisher", - "Microsoft Windows Third Party Component CA 2012", - "Microsoft Root Certificate Authority 2010" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "62eed4173c566a248531fb6f20a5900d", + "SHA1": "0e60414750c48676d7aa9c9ec81c0a3b3a4d53d0", + "SHA256": "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918", "Authentihash": { - "MD5": "a6200c0995103391120e3561971560a6", - "SHA1": "0c2599d738d01a82ec91725f499acebbcfb47cc9", - "SHA256": "b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28" + "MD5": "8b3b8e708437670247e2e8af98e9c269", + "SHA1": "c9fd7be77bad0db66831c5fdaef66d96574ae2e4", + "SHA256": "d33fe3bbcdf1ef7e42faf4ac81d7da3a6451eb67b477e78b75506b0df21cf598" }, - "InternalName": "", - "Copyright": "", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "7.0.0.1101", + "Product": "Trend Micro Eyes", + "ProductVersion": "7.0", + "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll", - "WDFLDR.SYS" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + 
"??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + 
"??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + "??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3@YAXPEAX_K@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + 
"??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + 
"??_V@YAXPEAX_K@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + "?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + 
"?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + 
"?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + 
"?IsTerminated@CWorkerThreadPool@@QEAAEXZ",
+ "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ",
+ "?IsValid@CMemoryAllocator@@UEAAEXZ",
+ "?IsValid@CMemoryPoolAllocator@@UEAAEXZ",
+ "?IsValid@IMemoryAllocator@@UEAAEXZ",
+ "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z",
+ "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z",
+ "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ",
+ "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ",
+ "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ",
+ "?Limit@CLockList@@QEAAKXZ",
+ "?Limit@CNoLockList@@QEAAKXZ",
+ "?MatchAllExtensions@CFileExtension@@QEAAEXZ",
+ "?MatchNoExtensions@CFileExtension@@QEAAEXZ",
+ "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z",
+ "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z",
+ "?NeedDelete@CWorkerThreadJob@@QEAAEXZ",
+ "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z",
+ "?NewNode@CList@@UEAAPEAXXZ",
+ "?NewNode@CStrList@@EEAAPEAXXZ",
+ "?NewNodeVariant@CList@@IEAAPEAXK@Z",
+ "?Next@CList@@UEBAPEAXQEAX@Z",
+ "?Next@CLockList@@UEBAPEAXQEAX@Z",
+ "?Next@CNoLockList@@UEBAPEAXQEAX@Z",
+ "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ",
+ "?NotityTerminate@CWorkerThread@@QEAAXXZ",
+ "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z",
+ "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z",
+ "?Pulse@CKEvent@@QEAAJJE@Z",
+ "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z",
+ "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z",
+ "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z",
+ "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ",
+ "?Read@CFile@@QEAAJPEADKPEAK@Z",
+ "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z",
+ "?ReferenceCount@CContext@@QEAAAEAKXZ",
+ "?Release@CLockEvent@@QEAAXXZ",
+ "?Remove@CContextList@@UEAAEQEAX@Z",
+ "?Remove@CList@@UEAAEQEAX@Z",
+ "?Remove@CLockList@@UEAAEQEAX@Z",
+ "?Remove@CNoLockList@@UEAAEQEAX@Z",
+ "?RemoveHead@CList@@UEAAPEAXXZ",
+ "?RemoveHead@CLockList@@UEAAPEAXXZ",
+ 
"?RemoveHead@CNoLockList@@UEAAPEAXXZ",
+ "?RemoveTail@CList@@UEAAPEAXXZ",
+ "?RemoveTail@CLockList@@UEAAPEAXXZ",
+ "?RemoveTail@CNoLockList@@UEAAPEAXXZ",
+ "?Reset@CKEvent@@QEAAXXZ",
+ "?ResetData@CInclusionExtConfig@@QEAAXXZ",
+ "?ResetData@CInclusionFileNameConfig@@QEAAXXZ",
+ "?ResetData@CInclusionFilePathConfig@@QEAAXXZ",
+ "?ResetData@CInclusionFolderConfig@@QEAAXXZ",
+ "?RestoreCR0@@YAXPEAX@Z",
+ "?Run@CAutoUpdateConfigThread@@UEAAXXZ",
+ "?Run@CDelayLoadThread@@UEAAXXZ",
+ "?Run@CWorkerThread@@UEAAXXZ",
+ "?SeekToEnd@CFile@@QEAAJXZ",
+ "?Set@CKEvent@@QEAAJJE@Z",
+ "?SetAttributes@CFile@@QEAAJK@Z",
+ "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z",
+ "?SetData@CBlobConfig@@QEAAHPEAXK@Z",
+ "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z",
+ "?SetData@CModuleFlagConfig@@QEAAHK@Z",
+ "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z",
+ "?SetData@CModuleStringConfig@@QEAAHPEBG@Z",
+ "?SetEngineContext@CContext@@QEAAXPEAX@Z",
+ "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z",
+ "?SetFlagConfig@CContext@@UEAAJKK@Z",
+ "?SetLinkContext@CContext@@QEAAXPEAX@Z",
+ "?SetLogFlag@CDebugLog@@QEAAEK@Z",
+ "?SetLogFlag@CDebugLogEx@@QEAAEK@Z",
+ "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z",
+ "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z",
+ "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z",
+ "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ",
+ "?SetPriority@CSystemThread@@QEAAXK@Z",
+ "?SetStopUse@CContext@@QEAAXXZ",
+ "?SetStringConfig@CContext@@UEAAJKPEBG@Z",
+ "?Setup@CSystemThread@@MEAAXXZ",
+ "?StopUse@CContext@@QEAAHXZ",
+ "?TearDown@CSystemThread@@MEAAXXZ",
+ "?Terminate@CSystemThread@@QEAAXE@Z",
+ "?Terminate@CWorkerThreadPool@@QEAAEXZ",
+ "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ",
+ "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z",
+ "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z",
+ "?WaitFinish@CWorkerThreadJob@@QEAAXXZ",
+ "?WaitForInit@CDelayLoadThread@@QEAAEXZ",
+ "?WaitForLoad@CDelayLoadThread@@QEAAEXZ",
+ "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ",
+ "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ",
+ "?Write@CDebugLog@@QEAAXPEBDZZ",
+ "?Write@CDebugLogEx@@QEAAXPEBDZZ",
+ "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z",
+ "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z",
+ "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z",
+ "?WriteSystemInformation@CDebugLog@@QEAAXXZ",
+ "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ",
+ "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z",
+ "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z",
+ "?WriteToFile@CDebugLog@@IEAAXPEADK@Z",
+ "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z",
+ "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA",
+ "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA",
+ "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA",
+ "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA",
+ "AllocFullFileName",
+ "DeInitKm2UmCommunication",
+ "DeInitKmLPC",
+ "DuplicateFullFileName",
+ "FreeFullFileName",
+ "GetKm2UmMode",
+ "GetModuleInfoByAddress",
+ "GetModuleInfoByModuleName",
+ "InitKm2UmCommunication",
+ "InitKmLPC",
+ "IsVerifierCodeCheckFlagOn",
+ "IsWindows8_1_update",
+ "KmCallUm",
+ "KmCallUmByLPC",
+ "KmCallUmEx",
+ "KmCleanupCommPortAPIs",
+ "KmGetUmInitProcess",
+ "KmSetBackupCommPortAPIs",
+ "KmSetCommPortAPIs",
+ "ModGetExportProcAddress",
+ "ModLoadDLLToBuffer",
+ "ModLoadDLLToBufferWithImageSize",
+ "ModLoadModule",
+ "ModUnLoadModule",
+ "NormalizeFileName",
+ "NormalizeFullNtPathToDosName",
+ "TmCommConfigRoutine",
+ "UtilAddDeviceInDriveTable",
+ "UtilAddReparsePointMapping",
+ "UtilCleanFileReadOnly",
+ "UtilCloseExclusiveHandle",
+ "UtilCreateDosFileName",
+ "UtilDeleteFileForce",
+ "UtilGetDeviceObjectName",
+ "UtilGetFileNameFromFileObject",
+ "UtilGetFileObjectForProcessByEPROC",
+ "UtilGetFileObjectFromFileName",
+ "UtilGetProcessName",
+ "UtilGetSystemDirectory",
+ "UtilGetSystemDirectoryEx",
+ "UtilGetSystemDirectoryLength",
+ "UtilGetSystemTime",
+ "UtilIoSetFileInfo",
+ "UtilIopCreateFileIRP",
+ "UtilKeGetLowFileDevice",
+ 
"UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "MmGetSystemRoutineAddress", - "IoBuildSynchronousFsdRequest", - "IofCallDriver", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "IoFreeIrp", - "IoGetDeviceProperty", + "RtlInitUnicodeString", + "KeInitializeEvent", + "KeClearEvent", + "KeSetEvent", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", "ExFreePoolWithTag", + "ExAcquireFastMutexUnsafe", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", + "IoAllocateMdl", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObfReferenceObject", "ObfDereferenceObject", - "ObReferenceObjectByName", - "IoEnumerateDeviceObjectList", - "IoGetDeviceAttachmentBaseRef", - "IoDriverObjectType", - "KeBugCheckEx", + "ZwClose", + "ZwCreateSection", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenEvent", + "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "ZwSetEvent", "__C_specific_handler", + "PsProcessType", + "wcslen", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", + 
"ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "PsThreadType", + "MmSectionObjectType", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", "ExAllocatePoolWithTag", - "KeWaitForSingleObject", - "KeInitializeEvent", - "RtlCopyUnicodeString", - "DbgPrint", - "RtlCompareUnicodeString", - "RtlInitUnicodeString", - "ObfReferenceObject", - "memcpy_s", - "HalGetBusData", - "HalGetBusDataByOffset", - "WdfVersionUnbind", - "WdfVersionBind", - "WdfVersionBindClass", - "WdfVersionUnbindClass" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2018-09-20 19:45:06", - "ValidTo": "2019-09-20 19:45:06", - "Signature": "180e211f245e9f356516359d002cb33904c7c9b883a39af9d000d7feee231f0c68bc272d4e9818533c6dd00a732df28966757d7c84db825265e3b453ccd9e620af2d714ea7aaf1019b7666098ed84df68cbdc52180b76bcef050c13e57a3125e05a576e11221316e763219b50353920b15f0bfd58474381f0d3fc4439dea7b3de5aa7287948b34909c689aa98df140c25ed2f0b7059e84a99c68c2cd69f42af3a2c9776df0eb5f08f3bf62ecd920144b0a6511a9201f00d2bee8774cc00863ba36827c01d8849a69cb06ae35ec50976412beaada0ff49a0bb11acb1465e80a206b0b846b3049548c400cd37cd1d1f1cb3dc1e040f6f26c53adf284153000c33b", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012", - "ValidFrom": "2012-04-18 23:48:38", - "ValidTo": "2027-04-18 23:58:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000006d9da53e87009d334900000000006d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2012" - } - ] - } - ] - } 
- ], - "Tags": [ - "piddrv64.sys" - ] - }, - { - "Id": "0a2f2700-97b5-42b6-b121-38e5f03e9957", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create BS_RCIO.sys binPath=C:\\windows\\temp\\BS_RCIO.sys type=kernel && sc.exe start BS_RCIO.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "BS_RCIO.sys", - "MD5": "ab53d07f18a9697139ddc825b466f696", - "SHA1": "213ba055863d4226da26a759e8a254062ea77814", - "SHA256": "362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc", - "Signature": [ - "Biostar Microtech Int'l Corp", - "DigiCert EV Code Signing CA", - "DigiCert" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", - "Authentihash": { - "MD5": "8284660345377a69dd99b25fdf397314", - "SHA1": "3311e4e94e8a6dd81859719fbe0fcbf187f0bd8a", - "SHA256": "f67e60228084151fdcb84e94a48693db864cf606b65faef5a1d829175380dbfa" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeWaitForSingleObject", - "memcpy", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", "KeDelayExecutionThread", - 
"PsTerminateSystemThread", - "KeSetEvent", - "IoStartNextPacket", - "IoReleaseCancelSpinLock", - "IoAcquireCancelSpinLock", - "ZwClose", - "MmMapIoSpace", - "ObfDereferenceObject", - "ObReferenceObjectByHandle", - "ExEventObjectType", + "ExGetPreviousMode", + "DbgPrint", + "swprintf", + "RtlCopyUnicodeString", + "PsGetVersion", "IofCompleteRequest", - "KeRemoveEntryDeviceQueue", - "IoStartPacket", - "KeTickCount", - "KeBugCheckEx", - "READ_REGISTER_BUFFER_UCHAR", - "MmUnmapIoSpace", - "KeReleaseSemaphore", - "KeInitializeSemaphore", - "IoDeleteSymbolicLink", - "RtlInitUnicodeString", - "IoCreateDevice", "IoCreateSymbolicLink", - "PsCreateSystemThread", "IoDeleteDevice", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset", - "WRITE_PORT_UCHAR", - "WRITE_PORT_USHORT", - "WRITE_PORT_ULONG", - "READ_PORT_UCHAR", - "READ_PORT_USHORT", - "READ_PORT_ULONG", - "KfLowerIrql" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", - "ValidFrom": "2011-04-15 19:45:33", - "ValidTo": "2021-04-15 19:55:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, ??=TW, serialNumber=23826200, ??=2F, NO.108,2, MIN CHUAN RD, postalCode=231, C=TW, ST=XINDIAN DIST, L=NEW TAIPEI CITY, O=Biostar Microtech Int'l Corp, CN=Biostar Microtech Int'l Corp", - "ValidFrom": "2017-01-18 00:00:00", - "ValidTo": "2018-11-21 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", - "ValidFrom": "2014-10-22 00:00:00", - "ValidTo": "2024-10-22 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, 
O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", - "ValidFrom": "2012-04-18 12:00:00", - "ValidTo": "2027-04-18 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID CA,1", - "ValidFrom": "2006-11-10 00:00:00", - "ValidTo": "2021-11-10 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0240c40d347ee38f707adae8a101450b", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" - } - ] - } - ] - } - ], - "Tags": [ - "BS_RCIO.sys" - ] - }, - { - "Id": "d4664202-d1b9-44d4-97cc-fee2150082db", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create nvflsh64.sys binPath=C:\\windows\\temp \\n \\n \\n vflsh64.sys type=kernel && sc.exe start nvflsh64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "nvflsh64.sys", - "MD5": "d3e40644a91327da2b1a7241606fe559", - "SHA1": "7667b72471689151e176baeba4e1cd9cd006a09a", - "SHA256": "a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3", - "Signature": [ - "NVIDIA Corporation", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - 
"OriginalFilename": "", - "Authentihash": { - "MD5": "c3a003ae7b48dcd1dac8bced7cf93f28", - "SHA1": "118cbd8cae88dc0dfb0d6a24df9161c90b916b90", - "SHA256": "372c6118541efaa800bcba6e0c1780f9beb8cab6f2176bcc5fe3664ea19379e4" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "RtlInitUnicodeString", - "ZwUnmapViewOfSection", - "IofCompleteRequest", - "ObfDereferenceObject", "IoDeleteSymbolicLink", - "ExFreePoolWithTag", - "IoCreateSymbolicLink", + "ObReferenceObjectByHandle", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "towupper", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "MmIsAddressValid", + "PsGetCurrentThreadId", + "ObQueryNameString", + "_snprintf", + "_vsnprintf", + "RtlInitAnsiString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", + "ExSystemTimeToLocalTime", + "wcscat", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ZwOpenFile", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "_stricmp", + "IoGetDeviceObjectPointer", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + "IoCreateFile", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlUpcaseUnicodeChar", + "_snwprintf", + "strlen", + "_strnicmp", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "ObOpenObjectByName", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeNumberProcessors", + 
"RtlLengthSecurityDescriptor", + "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwDuplicateObject", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "NtCreateFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "IoFileObjectType", + "ObInsertObject", + "wcschr", + "wcsncmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IoFreeIrp", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", + "NtClose", + "ZwSetInformationObject", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "strcpy", + "wcsstr", + "RtlCompareUnicodeString", + "DbgPrintEx", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ExAllocatePool", + "ExpInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", + "IoDeviceObjectType", "IoCreateDevice", - "ExAllocatePoolWithTag", - "KeBugCheckEx", - "IoDeleteDevice", - "ZwClose", - "HalTranslateBusAddress" + "RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "ZwCreateKey", + "_purecall", + "KeBugCheckEx" ], "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - 
"Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, 
L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2016-03-29 00:00:00", + "ValidTo": "2017-06-28 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=California, L=Santa Clara, O=NVIDIA Corporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Software, CN=NVIDIA Corporation", - "ValidFrom": "2011-09-02 00:00:00", - "ValidTo": "2014-09-01 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -119366,576 +125648,1547 @@ ], "Signer": [ { - "SerialNumber": "43bb437d609866286dd839e1d00309f5", + "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - } - ], - "Tags": [ - "nvflsh64.sys" - ] - }, - { - "Id": "54d67d79-0268-4c5f-be7e-0f74cd20828a", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create NTIOLib_X64.sys binPath=C:\\windows\\temp\\NTIOLib_X64.sys type=kernel && sc.exe start NTIOLib_X64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + }, { - "Filename": "NTIOLib_X64.sys", - "MD5": "c02f70960fa934b8defa16a03d7f6556", - "SHA1": "3805e4e08ad342d224973ecdade8b00c40ed31be", - "SHA256": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", - "Signature": [ - "Micro-Star Int'l Co. 
Ltd.", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "", - "Company": "MSI", - "Description": "NTIOLib", - "Product": "NTIOLib", - "ProductVersion": "1.0.0.0", - "FileVersion": "1.0.0.0", - "MachineType": "AMD64", - "OriginalFilename": "NTIOLib.sys", + "FileName": "TmComm.sys", + "MD5": "8cb2ffb8bb0bbf8cd0dd685611854637", + "SHA1": "3ca51b23f8562485820883e894b448413891183a", + "SHA256": "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036", "Authentihash": { - "MD5": "c6830e904e56ea951005ea7639eedd35", - "SHA1": "c57c0dd18135bca5fdb094858a70033c006cd281", - "SHA256": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957" + "MD5": "cc40deb90f473e8cc92ba1440f546068", + "SHA1": "0a8f087ac86cb29b206c436f8b2ce58c7f43ec7d", + "SHA256": "ab3e5217c5ec836a882d68a23b017de5b4f88328510e4bcb9564759926aec89f" }, - "InternalName": "NTIOLib.sys", - "Copyright": "Copyright (C) 2008-2009 MSI. All rights reserved.", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.50.0.1058", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.50", + "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + 
"??0CMemoryAllocator@@QAE@ABV0@@Z",
+ "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z",
+ "??0CMemoryPoolAllocator@@QAE@ABV0@@Z",
+ "??0CModuleConfig@@QAE@ABV0@@Z",
+ "??0CModuleConfig@@QAE@XZ",
+ "??0CModuleConfigList@@QAE@ABV0@@Z",
+ "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z",
+ "??0CModuleFileExtConfig@@QAE@ABV0@@Z",
+ "??0CModuleFileExtConfig@@QAE@KKE@Z",
+ "??0CModuleFlagConfig@@QAE@ABV0@@Z",
+ "??0CModuleFlagConfig@@QAE@K@Z",
+ "??0CModuleMultiStringConfig@@QAE@ABV0@@Z",
+ "??0CModuleMultiStringConfig@@QAE@KK@Z",
+ "??0CModuleStringConfig@@QAE@ABV0@@Z",
+ "??0CModuleStringConfig@@QAE@K@Z",
+ "??0CNoLockList@@QAE@ABV0@@Z",
+ "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z",
+ "??0CSmartLock@@QAE@AAVCLockEvent@@@Z",
+ "??0CSmartLock@@QAE@XZ",
+ "??0CSmartReference@@QAE@AAJ@Z",
+ "??0CSmartReference@@QAE@AAK@Z",
+ "??0CSmartResource@@QAE@AAVCResource@@E@Z",
+ "??0CStrList@@QAE@ABV0@@Z",
+ "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z",
+ "??0CSystemThread@@QAE@ABV0@@Z",
+ "??0CSystemThread@@QAE@K@Z",
+ "??0CUserFuncAdapterJob@@QAE@ABV0@@Z",
+ "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z",
+ "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z",
+ "??0CWorkerThread@@QAE@ABV0@@Z",
+ "??0CWorkerThreadJob@@QAE@ABV0@@Z",
+ "??0CWorkerThreadJob@@QAE@E@Z",
+ "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z",
+ "??0CWorkerThreadJobQueue@@QAE@K@Z",
+ "??0CWorkerThreadPool@@QAE@ABV0@@Z",
+ "??0CWorkerThreadPool@@QAE@K@Z",
+ "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z",
+ "??0CWorkerThreadPoolEx@@QAE@KK@Z",
+ "??0IMemoryAllocator@@QAE@ABV0@@Z",
+ "??0IMemoryAllocator@@QAE@XZ",
+ "??1CAutoUpdateConfigThread@@UAE@XZ",
+ "??1CBlobConfig@@UAE@XZ",
+ "??1CContext@@UAE@XZ",
+ "??1CContextList@@UAE@XZ",
+ "??1CDebugLog@@UAE@XZ",
+ "??1CDebugLogEx@@UAE@XZ",
+ "??1CDelayLoadThread@@UAE@XZ",
+ "??1CExclusionExtConfig@@UAE@XZ",
+ "??1CExclusionFileNameConfig@@UAE@XZ",
+ "??1CExclusionFilePathConfig@@UAE@XZ",
+ "??1CExclusionFolderConfig@@UAE@XZ",
+ "??1CExclusionRegistryConfig@@UAE@XZ",
+ 
"??1CFile@@UAE@XZ",
+ "??1CFileExtension@@UAE@XZ",
+ "??1CInclusionExtConfig@@UAE@XZ",
+ "??1CInclusionFileNameConfig@@UAE@XZ",
+ "??1CInclusionFilePathConfig@@UAE@XZ",
+ "??1CInclusionFolderConfig@@UAE@XZ",
+ "??1CKEvent@@UAE@XZ",
+ "??1CList@@UAE@XZ",
+ "??1CLockEvent@@UAE@XZ",
+ "??1CLockList@@UAE@XZ",
+ "??1CMemoryAllocator@@UAE@XZ",
+ "??1CMemoryPoolAllocator@@UAE@XZ",
+ "??1CModuleConfig@@UAE@XZ",
+ "??1CModuleConfigList@@UAE@XZ",
+ "??1CModuleFileExtConfig@@UAE@XZ",
+ "??1CModuleFlagConfig@@UAE@XZ",
+ "??1CModuleMultiStringConfig@@UAE@XZ",
+ "??1CModuleStringConfig@@UAE@XZ",
+ "??1CNoLockList@@UAE@XZ",
+ "??1CSmartLock@@QAE@XZ",
+ "??1CSmartReference@@QAE@XZ",
+ "??1CSmartResource@@QAE@XZ",
+ "??1CStrList@@UAE@XZ",
+ "??1CSystemThread@@UAE@XZ",
+ "??1CUserFuncAdapterJob@@UAE@XZ",
+ "??1CWorkerThread@@UAE@XZ",
+ "??1CWorkerThreadJob@@UAE@XZ",
+ "??1CWorkerThreadJobQueue@@UAE@XZ",
+ "??1CWorkerThreadPool@@UAE@XZ",
+ "??1CWorkerThreadPoolEx@@UAE@XZ",
+ "??1IMemoryAllocator@@UAE@XZ",
+ "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z",
+ "??2CMemoryAllocator@@SGPAXI@Z",
+ "??2CMemoryPoolAllocator@@SGPAXI@Z",
+ "??3@YAXPAX@Z",
+ "??3IMemoryAllocator@@SGXPAX@Z",
+ "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z",
+ "??4CBlobConfig@@QAEAAV0@ABV0@@Z",
+ "??4CContext@@QAEAAV0@ABV0@@Z",
+ "??4CDebugLog@@QAEAAV0@ABV0@@Z",
+ "??4CDebugLogEx@@QAEAAV0@ABV0@@Z",
+ "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z",
+ "??4CFile@@QAEAAV0@ABV0@@Z",
+ "??4CKEvent@@QAEAAV0@ABV0@@Z",
+ "??4CLockEvent@@QAEAAV0@ABV0@@Z",
+ "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z",
+ "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z",
+ "??4CModuleConfig@@QAEAAV0@ABV0@@Z",
+ "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z",
+ "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z",
+ "??4CSmartLock@@QAEAAV0@ABV0@@Z",
+ "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z",
+ "??4CSmartResource@@QAEAAV0@ABV0@@Z",
+ "??4CSystemThread@@QAEAAV0@ABV0@@Z",
+ "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z",
+ "??4CWorkerThread@@QAEAAV0@ABV0@@Z",
+ 
"??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z",
+ "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z",
+ "??_7CAutoUpdateConfigThread@@6B@",
+ "??_7CBlobConfig@@6B@",
+ "??_7CContext@@6B@",
+ "??_7CContextList@@6B@",
+ "??_7CDebugLog@@6B@",
+ "??_7CDebugLogEx@@6B@",
+ "??_7CDelayLoadThread@@6B@",
+ "??_7CExclusionExtConfig@@6B@",
+ "??_7CExclusionFileNameConfig@@6B@",
+ "??_7CExclusionFilePathConfig@@6B@",
+ "??_7CExclusionFolderConfig@@6B@",
+ "??_7CExclusionRegistryConfig@@6B@",
+ "??_7CFile@@6B@",
+ "??_7CFileExtension@@6B@",
+ "??_7CInclusionExtConfig@@6B@",
+ "??_7CInclusionFileNameConfig@@6B@",
+ "??_7CInclusionFilePathConfig@@6B@",
+ "??_7CInclusionFolderConfig@@6B@",
+ "??_7CKEvent@@6B@",
+ "??_7CList@@6B@",
+ "??_7CLockEvent@@6B@",
+ "??_7CLockList@@6B@",
+ "??_7CMemoryAllocator@@6B@",
+ "??_7CMemoryPoolAllocator@@6B@",
+ "??_7CModuleConfig@@6B@",
+ "??_7CModuleConfigList@@6B@",
+ "??_7CModuleFileExtConfig@@6B@",
+ "??_7CModuleFlagConfig@@6B@",
+ "??_7CModuleMultiStringConfig@@6B@",
+ "??_7CModuleStringConfig@@6B@",
+ "??_7CNoLockList@@6B@",
+ "??_7CStrList@@6B@",
+ "??_7CSystemThread@@6B@",
+ "??_7CUserFuncAdapterJob@@6B@",
+ "??_7CWorkerThread@@6B@",
+ "??_7CWorkerThreadJob@@6B@",
+ "??_7CWorkerThreadJobQueue@@6B@",
+ "??_7CWorkerThreadPool@@6B@",
+ "??_7CWorkerThreadPoolEx@@6B@",
+ "??_7IMemoryAllocator@@6B@",
+ "??_FCContextList@@QAEXXZ",
+ "??_FCFile@@QAEXXZ",
+ "??_FCFileExtension@@QAEXXZ",
+ "??_FCModuleConfigList@@QAEXXZ",
+ "??_FCStrList@@QAEXXZ",
+ "??_FCSystemThread@@QAEXXZ",
+ "??_FCWorkerThread@@QAEXXZ",
+ "??_FCWorkerThreadJob@@QAEXXZ",
+ "??_FCWorkerThreadJobQueue@@QAEXXZ",
+ "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z",
+ "??_V@YAXPAX@Z",
+ "?Acquire@CLockEvent@@QAEXXZ",
+ "?Add@CContextList@@QAEEPAVCContext@@@Z",
+ "?Add@CFileExtension@@QAEEPBGK@Z",
+ "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z",
+ "?Add@CStrList@@QAEEPBG@Z",
+ "?AddNode@CLockList@@UAEEQAXE@Z",
+ "?AddNode@CNoLockList@@UAEEQAXE@Z",
+ "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z",
+ 
"?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + 
"?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + 
"?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", 
+ "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + 
"?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + 
"_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__UtilDosPathNameToNtPathName@12" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "IoDeleteDevice", - "IoCreateDevice", - "KeBugCheckEx", + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObfDereferenceObject", + "ZwSetEvent", + "ZwClose", + "ZwConnectPort", "RtlInitUnicodeString", 
- "IoCreateSymbolicLink", - "IoDeleteSymbolicLink", - "__C_specific_handler", - "HalSetBusDataByOffset", - "HalGetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 12:00:00", - "ValidTo": "2014-01-27 11:00:00", - "Signature": "a0422eb876a7427186404d464d5b26b0b074f93f89a87b7cb7f1c697e08239999d43fe60823642b55b878df55df4bbffa91044a871d3c7f12241f29aa4a5ec63fae5eb654a19309d8bc7b6fddc3fe16cfdd5521407fc6d24ccb3cc81a2c052f327b96d9e063dd8a849023269c7054294d0bbe3bba908c393501bdb846dc0ba1e5298659c1376bdb3d567292f1f7baa2c51a0fd854f263c48a38127a6feee7f7899c245cf9d1f527ed7958bfde1d020c3af7e51a22f663bab2dcf2d8e8c4d7d18392128fbdcae6d6581d0e0d7184be7b5f774d784e6522aac3b68fd3b4ab80154849132bb95d28e6330a69ece2396feab2eb86a8b74dcde21a114c2fbbf53af10", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, O=Micro,Star Int'l Co. Ltd., CN=Micro,Star Int'l Co. 
Ltd.", - "ValidFrom": "2008-08-28 09:49:45", - "ValidTo": "2011-08-28 09:49:45", - "Signature": "572df373e9b036711b3cf5ee882e5d75d8d50f012407cf0c1b554ff8f41c7b6477fa0b2ad579f2c1fe7b8b9d7374b690527c219eb979686fb67d0b4cf2885d8d7d1261f05cb72fe4c9f294c52aa05f3e5d1ceb0d77085dbd6af07978032505da666f353283a8982af26985e69c1599479945b591124183574b8a4cc34caa62e31b523dac3fedbd04951b3661399ed34f5c5868d9bbe3295fc09890d9521e1cdcae2ff129f547d4c8ce8aa08616107c555fac60e5b63c14ddfeb6962af3608b75d9c77c69260d8af9775b83afaa15b8ecef6840cb4ee87d451f9042b49735ea40931c0664c8c2bf6a139db6ac5b90edcea63a6bf5b54978f027b1046170d476d0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 09:00:00", - "ValidTo": "2014-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0100000000011c08b7f67e", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - } - ], - "Tags": [ - "NTIOLib_X64.sys" - ] - }, - { - "Id": "29cb263b-b0b0-40d5-a97d-5ddf4ba79c1e", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create goad.sys binPath=C:\\windows\\temp\\goad.sys type=kernel && sc.exe start goad.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " 
https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "goad.sys", - "MD5": "312e31851e0fc2072dbf9a128557d6ef", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "goad.sys" - ] - }, - { - "Id": "65660363-0080-4432-abd9-64368dac0283", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create t.sys binPath=C:\\windows\\temp\\t.sys type=kernel && sc.exe start t.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "t.sys", - "SHA256": "146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "t.sys" - ] - }, - { - "Id": "204eccdf-99ca-4f2a-a325-8ebe34fd29a1", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": 
"vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create bwrs.sys binPath=C:\\windows\\temp\\bwrs.sys type=kernel && sc.exe start bwrs.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "bwrs.sys", - "SHA256": "221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "bwrs.sys" - ] - }, - { - "Id": "ddbd60c3-0611-4a59-894d-aec84203906f", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create full.sys binPath=C:\\windows\\temp\\full.sys type=kernel && sc.exe start full.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "full.sys", - "SHA1": 
"4b8c0445075f09aeef542ab1c86e5de6b06e91a3", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "full.sys" - ] - }, - { - "Id": "457f8b21-202a-4a3d-a18d-b4aaded9ef02", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create WinIo64B.sys binPath=C:\\windows\\temp\\WinIo64B.sys type=kernel && sc.exe start WinIo64B.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "WinIo64B.sys", - "SHA1": "f18e669127c041431cde8f2d03b15cfc20696056", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "WinIo64B.sys" - ] - }, - { - "Id": "4a80da66-f8f1-4af9-ba56-696cfe6c1e10", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create BS_Def64.sys binPath=C:\\windows\\temp\\BS_Def64.sys type=kernel && sc.exe start BS_Def64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " 
https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "BS_Def64.sys", - "MD5": "8abbb12e61045984eda19e2dc77b235e", - "SHA1": "609fa1efcf61e26d64a5ceb13b044175ab2b3a13", - "SHA256": "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "IoGetCurrentProcess", + "ObfReferenceObject", + "DbgBreakPoint", + "ZwRequestWaitReplyPort", + "ExFreePoolWithTag", + "ProbeForWrite", + "ZwFreeVirtualMemory", + "ZwAllocateVirtualMemory", + "ObOpenObjectByPointer", + "PsProcessType", + "memmove", + "PsGetProcessExitTime", + "MmSectionObjectType", + "PsThreadType", + "MmGetSystemRoutineAddress", + "ObReleaseObjectSecurity", + "SeReleaseSubjectContext", + "SeAccessCheck", + "SeCaptureSubjectContext", + "ObGetObjectSecurity", + "DbgPrint", + "memset", + "MmIsAddressValid", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwWriteFile", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", + "swprintf", + "towupper", + "_wcsnicmp", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "_snprintf", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "PsGetCurrentThreadId", + "RtlInitAnsiString", + "ZwDeviceIoControlFile", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", + "ZwNotifyChangeKey", + "_vsnprintf", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "ExGetPreviousMode", + "KeWaitForSingleObject", + 
"KeSetPriorityThread", + "PsTerminateSystemThread", + "PsCreateSystemThread", + "KeDelayExecutionThread", + "KeNumberProcessors", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "PsSetCreateProcessNotifyRoutine", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", + "IoFileObjectType", + "_allrem", + "memcpy", + "ZwSetSecurityObject", + "RtlLengthSecurityDescriptor", + "MmHighestUserAddress", + "IoFreeIrp", + "IoFreeMdl", + "_purecall", + "IoBuildAsynchronousFsdRequest", + "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "mbstowcs", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "NtClose", + "ObQueryNameString", + "ZwSetInformationObject", + "_stricmp", + "ZwUnmapViewOfSection", + "ZwMapViewOfSection", + "ZwOpenFile", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", + "MmBuildMdlForNonPagedPool", + "IoAllocateMdl", + "ProbeForRead", + "PsGetVersion", + "RtlImageNtHeader", + "RtlCompareMemory", + "RtlUpcaseUnicodeString", + "_snwprintf", + "MmSystemRangeStart", + "wcsncmp", + "strrchr", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "_allmul", + "KeReleaseSemaphore", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "KeInitializeSemaphore", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoDriverObjectType", + "RtlCompareUnicodeString", + "strncpy", + 
"KeServiceDescriptorTable", + "NtOpenProcess", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "PsIsThreadTerminating", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwFsControlFile", + "ObInsertObject", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "_allshr", + "ExInterlockedPopEntrySList", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "wcsstr", + "IoUnregisterPlugPlayNotification", + "FsRtlIsNameInExpression", + "IoGetConfigurationInformation", + "MmProbeAndLockPages", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "ExAllocatePool", + "RtlFreeAnsiString", + "RtlUnicodeStringToAnsiString", + "strncat", + "wcschr", + "wcsncat", + "wcstombs", + "KeTickCount", + "KeBugCheckEx", + "RtlUnwind", + "wcsncpy", + "ExReleaseResourceLite", + "ExAcquireResourceExclusiveLite", + "ExAcquireResourceSharedLite", + "ExReleaseFastMutexUnsafe", + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "ZwQuerySecurityObject", + "ExAcquireFastMutexUnsafe", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "RtlAbsoluteToSelfRelativeSD", + "MmUnlockPages", + "KeGetCurrentThread", + "KfAcquireSpinLock", + "KfReleaseSpinLock", + "KeRaiseIrqlToDpcLevel", + "KfLowerIrql", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "KeGetCurrentIrql", + "KfRaiseIrql", + "ClassInitialize" ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "AsusTek Computer Inc.", - "Description": "Default BIOS Flash Driver", - "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", - "ProductVersion": "1.24", - "FileVersion": "1.24 built by: WinDDK", - "MachineType": "AMD64", - 
"OriginalFilename": "Bs_Def64.sys", + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2015-05-05 00:00:00", + "ValidTo": "2015-12-31 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2015-02-20 00:00:00", + "ValidTo": "2016-05-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": 
[ + { + "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": "59f6320772a2e6b0b3587536be4cc022", + "SHA1": "fc8fbd92f6e64682360885c188d1bdfbc14ca579", + "SHA256": "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5", "Authentihash": { - "MD5": "5c40712c0a854396aa9e8776763f3340", - "SHA1": "45cae96b31928bc5f93381edf6b978534fa24f59", - "SHA256": "57e9de67e908186b3cb8180caa2e5c5d7b6bb31969557b8bd5710d79089e8868" + "MD5": "d47678b2b6a24ffb8778d44bb2245abf", + "SHA1": "27ac9d934e3a700c1d391cfbaecff8049a6ed97c", + "SHA256": "cb21a13819bf295f34f5b34e3e566d25d880b045831e90ff610daf9e8b1f15cd" }, - "InternalName": "Bs_Def64.sys", - "Copyright": "Copyright (C) AsusTek Computer. 1992-2004", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.70.0.1078", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2015 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + 
"??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + 
"??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + 
"??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + 
"?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + 
"?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + 
"?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + 
"?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + 
"?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + 
"?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsVerifierCodeCheckFlagOn", + "IsWindows8_1_update", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + 
"UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "IoFreeMdl", - "MmUnmapLockedPages", - "KeDelayExecutionThread", - "MmUnmapIoSpace", - "MmMapIoSpace", - "RtlZeroMemory", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmMapLockedPages", - "IofCompleteRequest", - "IoDeleteSymbolicLink", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", - "strncpy", "KeLeaveCriticalRegion", + "wcsncpy", "KeEnterCriticalRegion", - "IoIs32bitProcess", - "strstr", - "strncmp", + "ExAcquireFastMutexUnsafe", + "wcsrchr", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "_purecall", + "ZwOpenEvent", + "ZwConnectPort", + "KeClearEvent", + "PsProcessType", + "ExFreePoolWithTag", "RtlInitUnicodeString", - "MmFreeContiguousMemory", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2006-06-27 00:00:00", - "ValidTo": "2007-07-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "284649f592786c4851c1138e364185ae", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - }, - { - "Filename": "BS_Def64.sys", - "MD5": "c9a293762319d73c8ee84bcaaf81b7b3", - "SHA1": "7d7c03e22049a725ace2a9812c72b53a66c2548b", - "SHA256": "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - 
"Publisher": "ASUSTeK Computer Inc.", - "Company": "AsusTek Computer Inc.", - "Description": "Default BIOS Flash Driver", - "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", - "ProductVersion": "1.24", - "FileVersion": "1.24 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "Bs_Def64.sys", - "Authentihash": { - "MD5": "7aa4c54af2ef8f71eb5c7976ab741fa3", - "SHA1": "c95b6a13289b6538c7f4b68f791758bda1036cbe", - "SHA256": "3171d7af852e8b6be4651c415ea9490568475c45ecaa02a33dda9babb1643b07" - }, - "InternalName": "Bs_Def64.sys", - "Copyright": "Copyright (C) AsusTek Computer. 1992-2004", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "KeSetEvent", + "ProbeForWrite", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "ZwWaitForSingleObject", + "DbgBreakPoint", + "ZwSetEvent", + "IoGetCurrentProcess", + "ZwFreeVirtualMemory", + "ZwClose", + "ObfReferenceObject", + "ObfDereferenceObject", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "KePulseEvent", + "ZwAllocateVirtualMemory", + "ObGetObjectSecurity", + "SeAccessCheck", + "SeReleaseSubjectContext", + "SeCaptureSubjectContext", + "PsThreadType", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "MmSectionObjectType", + "DbgPrint", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "ZwReadFile", + "swprintf", + "ZwSetInformationFile", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwWriteFile", + "_wcsnicmp", + "towupper", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "ZwCreateEvent", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwNotifyChangeKey", + "RtlInitAnsiString", + "_snprintf", + "RtlFreeUnicodeString", + "ExSystemTimeToLocalTime", + "_vsnprintf", + "ObReferenceObjectByHandle", + "RtlTimeToTimeFields", + "ZwDeviceIoControlFile", + "PsGetCurrentThreadId", + 
"PsGetCurrentProcessId", + "KeWaitForMultipleObjects", + "ExGetPreviousMode", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "KeWaitForSingleObject", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "MmIsAddressValid", + "KeDelayExecutionThread", + "KeNumberProcessors", + "PsLookupProcessByProcessId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenDirectoryObject", + "ZwQueryInformationProcess", + "ZwQuerySecurityObject", + "NtSetInformationFile", + "ZwDeleteValueKey", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "NtQueryInformationFile", + "IoFileObjectType", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "NtCreateFile", + "ZwEnumerateValueKey", + "RtlLengthSecurityDescriptor", + "ZwQueryDirectoryObject", + "ZwSetSecurityObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwTerminateProcess", + "ZwDeleteKey", + "ExReleaseFastMutexUnsafe", + "ZwQueryKey", + "ZwOpenKey", + "MmSystemRangeStart", + "_stricmp", + "_strnicmp", + "mbstowcs", + "ProbeForRead", + "RtlUpcaseUnicodeString", + "_snwprintf", + "ZwQuerySymbolicLinkObject", + "ZwMapViewOfSection", + "MmGetSystemRoutineAddress", + "RtlAppendUnicodeToString", + "IoCreateFile", + "RtlQueryRegistryValues", "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", + "ZwOpenSymbolicLinkObject", "IoFreeMdl", - "MmUnmapLockedPages", - "KeDelayExecutionThread", - "MmUnmapIoSpace", - "MmMapIoSpace", - "RtlZeroMemory", + "ObQueryNameString", + "ZwUnmapViewOfSection", + "NtClose", + "IoFreeIrp", + "PsGetVersion", + "IoAllocateIrp", + "RtlCompareMemory", + "MmUnlockPages", + "ZwSetInformationObject", + "ZwOpenFile", + "wcsncmp", + "RtlImageNtHeader", + "IoAllocateMdl", + "IofCallDriver", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + 
"ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlInitializeSid", + "RtlCreateSecurityDescriptor", + "IoDeleteSymbolicLink", "IoDeleteDevice", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmMapLockedPages", + "ExEventObjectType", "IofCompleteRequest", - "IoDeleteSymbolicLink", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ZwUnmapViewOfSection", + "IoCreateSymbolicLink", + "IoGetDeviceObjectPointer", + "ObOpenObjectByName", + "NtQueryInformationProcess", "strncpy", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "IoIs32bitProcess", - "strstr", - "strncmp", - "RtlInitUnicodeString", - "MmFreeContiguousMemory", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, + "NtOpenProcess", + "ObInsertObject", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "IoReleaseVpbSpinLock", + "wcschr", + "strncat", + "RtlUnicodeStringToAnsiString", + "wcsncat", + "RtlFreeAnsiString", + "wcstombs", + "IoGetConfigurationInformation", + "IoRegisterPlugPlayNotification", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "FsRtlIsNameInExpression", + "wcsstr", + "ExAllocatePool", + "IoUnregisterPlugPlayNotification", + "MmProbeAndLockPages", + 
"RtlCompareUnicodeString", + "IoGetDeviceInterfaces", + "DbgPrintEx", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", + "IoCreateDevice", + "IoDeviceObjectType", + "SeCaptureSecurityDescriptor", + "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "RtlLengthSid", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwEnumerateKey", + "ExAcquireResourceExclusiveLite", + "__C_specific_handler" + ], + "Signatures": [ + { + "CertificatesInfo": [], + "SignerInfo": "", + "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Time Stamping Signer", + "ValidFrom": "2015-05-05 00:00:00", + "ValidTo": "2015-12-31 23:59:59", + "Signature": "0dbbad60111bb5f00dcce6483a7a3e0e33dc1cb9ead620fea34dd0cc764ee818d879dfd34f9a4264238a29728a3a6c66a63c3a17a8704565c673c3d0ce8954fbac690f58b019cb869f7eb97eeb5192bf9bddebd165f0257b887cdebda5c8b51451bcc081308a85387be679fe67559387fe4fe88d0eedf37292b5c289806dd159e31d0deab138ee039d0019a5ab219b79c3ccc23e687ebdc94d694db46451fbb22874e25389ce9dfaade2dbceab7b7e064474fd0aa3c9b7a730cd49d29264f122a6b828457479e9a7ce3b33f98350947d68c01d49c760787a3c6426d5befa0a6de41ee109538fa9c523acc79d614221f02c1671493b10af2c6f1ae631f114fd6c", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2006-11-08 00:00:00", + "ValidTo": "2021-11-07 23:59:59", + "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -119946,1876 +127199,2956 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2006-06-27 00:00:00", - "ValidTo": "2007-07-16 23:59:59", - "Signature": "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", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2015-02-20 00:00:00", + "ValidTo": "2016-05-21 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "284649f592786c4851c1138e364185ae", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" + "SerialNumber": "1519396ee230f02cad1fcfdb077a35f0", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - 
"Filename": "BS_Def64.sys", - "MD5": "120b5bbb9d2eb35ff4f62d79507ea63a", - "SHA1": "f9519d033d75e1ab6b82b2e156eafe9607edbcfb", - "SHA256": "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb", - "Signature": [ - "ASUSTeK Computer Inc.", - "VeriSign Class 3 Code Signing 2004 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "ASUSTeK Computer Inc.", - "Company": "AsusTek Computer Inc.", - "Description": "Default BIOS Flash Driver", - "Product": "Support SST39SF020,SST29EE020,AT49F002T,AT29C020,AM29F002NT,AM29F002NB,V29C51002T,V29C51002B,M29F002T,W29C020.", - "ProductVersion": "1.24", - "FileVersion": "1.24 built by: WinDDK", - "MachineType": "AMD64", - "OriginalFilename": "Bs_Def64.sys", + "FileName": "TmComm.sys", + "MD5": "c006d1844f20b91d0ea52bf32d611f30", + "SHA1": "70258117b5efe65476f85143fd14fa0b7f148adb", + "SHA256": "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566", "Authentihash": { - "MD5": "034aa8df77d5a2815c8f4cf9f1399fd3", - "SHA1": "e62d0712ddfd9fbaf9014cf43e49e2087a3f1ed2", - "SHA256": "eb11a4270a6980a97ea8775422dacbd1e763b7e5898f0a80c71c91449fff7ab4" + "MD5": "893a04662ec3207278510b671992072d", + "SHA1": "61ec0fdef8d1c5248fab9a3cf0764b7be9ddea37", + "SHA256": "2c1b6a278ff90171a7472423a2626edcf75233aacac1bd7d1995716ef26f8dcf" }, - "InternalName": "Bs_Def64.sys", - "Copyright": "Copyright (C) AsusTek Computer. 1992-2004", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "7.0.0.1176", + "Product": "Trend Micro Eyes", + "ProductVersion": "7.0", + "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", + "CLASSPNP.SYS", "HAL.dll" ], - "ExportedFunctions": "", + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CDebugLogEx@@QAE@ABV0@@Z", + "??0CDebugLogEx@@QAE@K@Z", + "??0CDelayLoadThread@@QAE@ABV0@@Z", + "??0CDelayLoadThread@@QAE@XZ", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QAE@ABV0@@Z", + "??0CInclusionExtConfig@@QAE@KKE@Z", + "??0CInclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CInclusionFileNameConfig@@QAE@KK@Z", + "??0CInclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CInclusionFilePathConfig@@QAE@KK@Z", + "??0CInclusionFolderConfig@@QAE@ABV0@@Z", + "??0CInclusionFolderConfig@@QAE@KK@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + 
"??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + "??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CNoLockList@@QAE@ABV0@@Z", + "??0CNoLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CSmartResource@@QAE@AAVCResource@@E@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z01@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0CWorkerThreadPoolEx@@QAE@ABV0@@Z", + "??0CWorkerThreadPoolEx@@QAE@KK@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CDebugLogEx@@UAE@XZ", + "??1CDelayLoadThread@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + 
"??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CInclusionExtConfig@@UAE@XZ", + "??1CInclusionFileNameConfig@@UAE@XZ", + "??1CInclusionFilePathConfig@@UAE@XZ", + "??1CInclusionFolderConfig@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CNoLockList@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CSmartResource@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1CWorkerThreadPoolEx@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + "??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3@YAXPAXI@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CDebugLogEx@@QAEAAV0@ABV0@@Z", + "??4CDelayLoadThread@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSmartResource@@QAEAAV0@ABV0@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + 
"??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + "??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?AddNode@CNoLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + 
"?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CheckNode@CNoLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Count@CNoLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteAll@CNoLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + "?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MAEXXZ", + "?FinishIt@CWorkerThreadJob@@QAEJXZ", + "?First@CList@@UAEPAXXZ", + 
"?First@CLockList@@UAEPAXXZ", + "?First@CNoLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetLogFlag@CDebugLogEx@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QAEPAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + 
"?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + "?InitProcMon@CDebugLogEx@@IAEXXZ", + "?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?Insert@CNoLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsEmpty@CNoLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsFull@CNoLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QAEEPBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?Limit@CNoLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", 
+ "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?Next@CNoLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QAEJP6GXPAX@Z0E1@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReadWIRP@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?Remove@CNoLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveHead@CNoLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?RemoveTail@CNoLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?ResetData@CInclusionExtConfig@@QAEXXZ", + "?ResetData@CInclusionFileNameConfig@@QAEXXZ", + "?ResetData@CInclusionFilePathConfig@@QAEXXZ", + "?ResetData@CInclusionFolderConfig@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CDelayLoadThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + 
"?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBGK@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetLogFlag@CDebugLogEx@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?Terminate@CWorkerThreadPoolEx@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitForInit@CDelayLoadThread@@QAEEXZ", + "?WaitForLoad@CDelayLoadThread@@QAEEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QAEXXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CDebugLogEx@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteDataToFile@CDebugLogEx@@IAEXPADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IAEXPAD@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + "?WriteSystemInformation@CDebugLogEx@@QAEXXZ", + "?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IAEXPAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + 
"_AllocFullFileName@8", + "_DeInitKm2UmCommunication@0", + "_DeInitKmLPC@0", + "_DuplicateFullFileName@4", + "_FreeFullFileName@4", + "_GetKm2UmMode@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKm2UmCommunication@8", + "_InitKmLPC@0", + "_IsVerifierCodeCheckFlagOn@0", + "_IsWindows8_1_update@4", + "_KmCallUm@8", + "_KmCallUmByLPC@8", + "_KmCallUmEx@12", + "_KmCleanupCommPortAPIs@0", + "_KmGetUmInitProcess@0", + "_KmSetBackupCommPortAPIs@4", + "_KmSetCommPortAPIs@4", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadDLLToBufferWithImageSize@8", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilAddDeviceInDriveTable@4", + "_UtilAddReparsePointMapping@8", + "_UtilCleanFileReadOnly@4", + "_UtilCloseExclusiveHandle@12", + "_UtilCreateDosFileName@8", + "_UtilDeleteFileForce@4", + "_UtilGetDeviceObjectName@8", + "_UtilGetFileNameFromFileObject@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemDirectory@4", + "_UtilGetSystemDirectoryEx@0", + "_UtilGetSystemDirectoryLength@0", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilPostJobToWorkerThread@12", + "_UtilQueryExclusiveHandle@12", + "_UtilQueryKeyValue@24", + "_UtilRemoveDeviceFromDriveTable@4", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "_UtlWriteBinValueKeyToRegistry@16", + "_ValidateAddressWithSize@20", + "__ResetProtectFromClose@4", + "__UtilDosPathNameToNtPathName@12" + ], "ImportedFunctions": [ - "MmBuildMdlForNonPagedPool", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + 
"MmProbeAndLockPages", + "MmUnlockPages", + "MmMapLockedPagesSpecifyCache", "IoAllocateMdl", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", "IoFreeMdl", - "MmUnmapLockedPages", - "KeDelayExecutionThread", - "MmUnmapIoSpace", - "MmMapIoSpace", - "RtlZeroMemory", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "IoCreateDevice", - "MmMapLockedPages", - "IofCompleteRequest", - "IoDeleteSymbolicLink", + "IoGetCurrentProcess", + "ObfReferenceObject", + "ObfDereferenceObject", "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", + "ZwCreateSection", "ZwOpenSection", + "ZwMapViewOfSection", "ZwUnmapViewOfSection", - "strncpy", - "KeLeaveCriticalRegion", - "KeEnterCriticalRegion", - "IoIs32bitProcess", - "strstr", - "strncmp", - "RtlInitUnicodeString", - "MmFreeContiguousMemory", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2008-12-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", - "ValidFrom": "2004-07-16 00:00:00", - "ValidTo": "2014-07-15 23:59:59", - "Signature": 
"ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=Taipei / Peitou, O=ASUSTeK Computer Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=Quality Testing Department, CN=ASUSTeK Computer Inc.", - "ValidFrom": "2006-06-27 00:00:00", - "ValidTo": "2007-07-16 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "284649f592786c4851c1138e364185ae", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" - } - ] - } - ] - } - ], - "Tags": [ - "BS_Def64.sys" - ] - }, - { - "Id": "fdf4f85b-47f4-4c98-a0d5-a6583463f565", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create vmdrv.sys binPath=C:\\windows\\temp\\vmdrv.sys type=kernel && sc.exe start vmdrv.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - 
"KnownVulnerableSamples": [ - { - "Filename": "vmdrv.sys", - "MD5": "d5db81974ffda566fa821400419f59be", - "SHA1": "4c18754dca481f107f0923fb8ef5e149d128525d", - "SHA256": "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351", - "Signature": [ - "Voicemod Sociedad Limitada", - "DigiCert Global G3 Code Signing ECC SHA384 2021 CA1", - "DigiCert Global Root G3" - ], - "Date": "", - "Publisher": "", - "Company": "Windows (R) Win 7 DDK provider", - "Description": "Voicemod Virtual Audio Device (WDM)", - "Product": "Windows (R) Win 7 DDK driver", - "ProductVersion": "10.0.10011.16384", - "FileVersion": "10.0.10011.16384", - "MachineType": "AMD64", - "OriginalFilename": "vmdrv.sys", - "Authentihash": { - "MD5": "681bb8e9713477839a1ee8d87b498630", - "SHA1": "68cdcd073e57f650c5d6173cd79af3a3526052f6", - "SHA256": "99ddeba6bcdc79e52e3ff8afc63dbe4b299161cf0f5558a2d7630c2a18daf2c6" - }, - "InternalName": "vmdrv.sys", - "Copyright": "Copyright (C) Voicemod S.L.2010-2020", - "Imports": [ - "ntoskrnl.exe", - "portcls.sys" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "KeClearEvent", - "KeSetEvent", - "ExFreePool", + "ZwOpenEvent", + "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "ZwSetEvent", + "_allmul", + "memcpy", + "memset", + "PsProcessType", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "swprintf", + "RtlCopyUnicodeString", + "DbgPrint", + "KeDelayExecutionThread", + "KeQuerySystemTime", + "ExAllocatePoolWithTag", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "PsGetVersion", "IofCompleteRequest", - "IoCreateDevice", "IoCreateSymbolicLink", "IoDeleteDevice", "IoDeleteSymbolicLink", + "IoGetDeviceObjectPointer", "ObReferenceObjectByHandle", - "ObfDereferenceObject", + "PsGetCurrentProcessId", + "ZwCreateEvent", 
"ExEventObjectType", - "ExAllocatePoolWithTag", - "ExFreePoolWithTag", + "MmSectionObjectType", + "PsThreadType", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "ExGetPreviousMode", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "MmIsAddressValid", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "towupper", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "ObQueryNameString", + "MmHighestUserAddress", + "_snprintf", + "_vsnprintf", + "RtlInitAnsiString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", "ExSystemTimeToLocalTime", - "_purecall", - "KeInitializeDpc", - "KeFlushQueuedDpcs", - "KeInitializeMutex", - "KeReleaseMutex", - "KeInitializeTimerEx", - "KeCancelTimer", - "KeSetTimerEx", + "ZwCreateKey", + "PsGetCurrentThreadId", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ExReleaseFastMutexUnsafe", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "_stricmp", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "_strnicmp", + "RtlCompareUnicodeString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IofCallDriver", + "IoFreeIrp", + "RtlUpperChar", + "ObReferenceObjectByName", + "IoFileObjectType", + "IoDriverObjectType", + "IoBuildDeviceIoControlRequest", + "IoCreateFile", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlUpcaseUnicodeChar", + "RtlPrefixUnicodeString", + "_snwprintf", + "strncpy", + "NtOpenProcess", + 
"NtQueryInformationProcess", + "PsIsThreadTerminating", + "ObOpenObjectByName", + "KeServiceDescriptorTable", + "KeAddSystemServiceTable", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeNumberProcessors", + "RtlLengthSecurityDescriptor", + "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "_allrem", + "RtlAppendUnicodeToString", + "ZwFsControlFile", + "ObInsertObject", + "strrchr", + "wcschr", + "wcsncmp", + "RtlQueryRegistryValues", + "IoBuildAsynchronousFsdRequest", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", + "NtClose", + "ZwSetInformationObject", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "wcsstr", + "ExAllocatePool", + "ExInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", + "RtlUnwind", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "ExAcquireFastMutexUnsafe", + "ExFreePoolWithTag", + "KeBugCheckEx", "KeWaitForSingleObject", - "KeInitializeSpinLock", - "KeAcquireSpinLockRaiseToDpc", - "KeReleaseSpinLock", - "IoAllocateWorkItem", - 
"IoFreeWorkItem", - "IoQueueWorkItem", - "RtlIsNtDdiVersionAvailable", - "PcInitializeAdapterDriver", - "PcDispatchIrp", - "PcAddAdapterDevice", - "PcRegisterAdapterPowerManagement", - "PcNewServiceGroup", - "PcRegisterSubdevice", - "PcRegisterPhysicalConnection", - "PcNewPort" + "KeLeaveCriticalRegion", + "KeEnterCriticalRegion", + "KeSetEvent", + "KeClearEvent", + "KeInitializeEvent", + "RtlInitUnicodeString", + "KeGetCurrentThread", + "memmove", + "ZwOpenFile", + "_purecall", + "ClassInitialize", + "KfRaiseIrql", + "KeReleaseQueuedSpinLock", + "KeAcquireQueuedSpinLock", + "KfAcquireSpinLock", + "KfLowerIrql", + "KeGetCurrentIrql", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "KeRaiseIrqlToDpcLevel", + "KfReleaseSpinLock" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1", - "ValidFrom": "2021-04-29 00:00:00", - "ValidTo": "2036-04-28 23:59:59", - "Signature": "3065023078bd4995657101d0465768650e68a9dc3608c1eefdd48edb40653f0dff93afc2ae6386a37ecbb4915a78ec070367077c023100e79f1ff1075bac34c638bcb5a550cee6ea387e3e7990e4a45bab020de807fc56a65a8addb350b2ddf2fa66749ed01663", - "SignatureAlgorithmOID": "1.2.840.10045.4.3.3" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "??=Private Organization, ??=ES, ??=Valencia, serialNumber=B98657844, C=ES, L=Valencia, O=Voicemod Sociedad Limitada, CN=Voicemod Sociedad Limitada", - "ValidFrom": "2021-10-21 00:00:00", - "ValidTo": 
"2023-01-19 23:59:59", - "Signature": "3066023100fd8a9d376bf4399c7cb947c5fbb2e90bb3fdbcb37cab257ef47db016f1898e2d129241a757f039f8e7112b05a48632a60231009b75d4e2623fb9f54ce9ffc6ba7a661a5d2d54b096ddf6c510b2f6063981c15846e282779e9febffa39e5c9fad429646", - "SignatureAlgorithmOID": "1.2.840.10045.4.3.3" - } - ], - "Signer": [ + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, { - "SerialNumber": "014d8930c6a3fceb0f4021734d5ed508", - "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1" - } - ] - } - ] - } - ], - "Tags": [ - "vmdrv.sys" - ] - }, - { - "Id": "c3cca618-5a7f-4a51-8785-cb328fbfb0df", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create viraglt64.sys binPath=C:\\windows\\temp\\viraglt64.sys type=kernel && sc.exe start viraglt64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/jbaines-r7/dellicious", - " https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious and https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., OU=Taipei, TW, CN=Trend Micro, Inc.", + "ValidFrom": "2019-07-12 00:00:00", + "ValidTo": "2020-07-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert 
Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0ea0fe4dfb74cc64bc32143103c27c8b", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" + } + ] + } + ] + }, { - "Filename": "viraglt64.sys", - "MD5": "43830326cd5fae66f5508e27cbec39a0", - "SHA1": "05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d", - "SHA256": "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", - "Signature": [ - "TG Soft S.a.s. 
Di Tonello Gianfranco e C.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "", - "Company": "TG Soft S.a.s.", - "Description": "VirIT Agent System", - "Product": "VirIT Agent System", - "ProductVersion": "1, 0, 0, 11", - "FileVersion": "1, 0, 0, 11", - "MachineType": "AMD64", - "OriginalFilename": "viragt64.sys", + "FileName": "TmComm.sys", + "MD5": "949ef0df929a71d6cc77494dfcb1ddeb", + "SHA1": "a34adabde63514e1916713a588905c4019f83efb", + "SHA256": "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39", "Authentihash": { - "MD5": "68a2f77cfa5aec4556b4276852be637f", - "SHA1": "0188096c79f0cdde9233e52d4117c0f53e667e3d", - "SHA256": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78" + "MD5": "aa72488d023f12e4252ac8c34499bc3c", + "SHA1": "f3beb6685e5b2a2492d1da242c6e1e15a32b1c4f", + "SHA256": "a4a7794cdb933d71f57cf9f31188c1152bdc9fc429e17a84c4f639942965311d" }, - "InternalName": "viragt.sys", - "Copyright": "Copyright (C) TG Soft S.a.s. 2011, 2016 - www.tgsoft.it", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "2.80.0.1063", + "Product": "Trend Micro AEGIS", + "ProductVersion": "2.80", + "Copyright": "Copyright (C) 2005-2009 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "I386", "Imports": [ "ntoskrnl.exe", - "HAL.dll" + "HAL.dll", + "CLASSPNP.SYS" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QAE@ABV0@@Z", + "??0CAutoUpdateConfigThread@@QAE@PAU_UNICODE_STRING@@P6GX0PAX@Z1@Z", + "??0CBlobConfig@@QAE@ABV0@@Z", + "??0CBlobConfig@@QAE@K@Z", + "??0CContext@@QAE@ABV0@@Z", + "??0CContext@@QAE@KP6GJPAU_EVENT_REPORT@@PAXPAU_TMCE_REPORT@@PAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QAE@ABV0@@Z", + "??0CContextList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QAE@ABV0@@Z", + "??0CDebugLog@@QAE@PBG@Z", + "??0CExclusionExtConfig@@QAE@ABV0@@Z", + "??0CExclusionExtConfig@@QAE@KKE@Z", + "??0CExclusionFileNameConfig@@QAE@ABV0@@Z", + "??0CExclusionFileNameConfig@@QAE@KK@Z", + "??0CExclusionFilePathConfig@@QAE@ABV0@@Z", + "??0CExclusionFilePathConfig@@QAE@KK@Z", + "??0CExclusionFolderConfig@@QAE@ABV0@@Z", + "??0CExclusionFolderConfig@@QAE@KK@Z", + "??0CExclusionRegistryConfig@@QAE@ABV0@@Z", + "??0CExclusionRegistryConfig@@QAE@KK@Z", + "??0CFile@@QAE@ABV0@@Z", + "??0CFile@@QAE@E@Z", + "??0CFileExtension@@QAE@ABV0@@Z", + "??0CFileExtension@@QAE@KEEPAVIMemoryAllocator@@@Z", + "??0CKEvent@@QAE@ABV0@@Z", + "??0CKEvent@@QAE@W4_EVENT_TYPE@@E@Z", + "??0CList@@QAE@ABV0@@Z", + "??0CList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QAE@ABV0@@Z", + "??0CLockEvent@@QAE@XZ", + "??0CLockList@@QAE@ABV0@@Z", + "??0CLockList@@QAE@KKPAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IAE@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QAE@ABV0@@Z", + "??0CMemoryPoolAllocator@@IAE@W4_POOL_TYPE@@KKK@Z", + "??0CMemoryPoolAllocator@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@ABV0@@Z", + "??0CModuleConfig@@QAE@XZ", + "??0CModuleConfigList@@QAE@ABV0@@Z", + "??0CModuleConfigList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QAE@ABV0@@Z", + "??0CModuleFileExtConfig@@QAE@KKE@Z", + "??0CModuleFlagConfig@@QAE@ABV0@@Z", + "??0CModuleFlagConfig@@QAE@K@Z", + "??0CModuleMultiStringConfig@@QAE@ABV0@@Z", + 
"??0CModuleMultiStringConfig@@QAE@KK@Z", + "??0CModuleStringConfig@@QAE@ABV0@@Z", + "??0CModuleStringConfig@@QAE@K@Z", + "??0CSmartLock@@QAE@AAVCLockEvent@@@Z", + "??0CSmartLock@@QAE@XZ", + "??0CSmartReference@@QAE@AAJ@Z", + "??0CSmartReference@@QAE@AAK@Z", + "??0CStrList@@QAE@ABV0@@Z", + "??0CStrList@@QAE@KPAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QAE@ABV0@@Z", + "??0CSystemThread@@QAE@K@Z", + "??0CUserFuncAdapterJob@@QAE@ABV0@@Z", + "??0CUserFuncAdapterJob@@QAE@P6GXPAX@Z0@Z", + "??0CWorkerThread@@IAE@PAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@ABV0@@Z", + "??0CWorkerThreadJob@@QAE@E@Z", + "??0CWorkerThreadJobQueue@@QAE@ABV0@@Z", + "??0CWorkerThreadJobQueue@@QAE@K@Z", + "??0CWorkerThreadPool@@QAE@ABV0@@Z", + "??0CWorkerThreadPool@@QAE@K@Z", + "??0IMemoryAllocator@@QAE@ABV0@@Z", + "??0IMemoryAllocator@@QAE@XZ", + "??1CAutoUpdateConfigThread@@UAE@XZ", + "??1CBlobConfig@@UAE@XZ", + "??1CContext@@UAE@XZ", + "??1CContextList@@UAE@XZ", + "??1CDebugLog@@UAE@XZ", + "??1CExclusionExtConfig@@UAE@XZ", + "??1CExclusionFileNameConfig@@UAE@XZ", + "??1CExclusionFilePathConfig@@UAE@XZ", + "??1CExclusionFolderConfig@@UAE@XZ", + "??1CExclusionRegistryConfig@@UAE@XZ", + "??1CFile@@UAE@XZ", + "??1CFileExtension@@UAE@XZ", + "??1CKEvent@@UAE@XZ", + "??1CList@@UAE@XZ", + "??1CLockEvent@@UAE@XZ", + "??1CLockList@@UAE@XZ", + "??1CMemoryAllocator@@UAE@XZ", + "??1CMemoryPoolAllocator@@UAE@XZ", + "??1CModuleConfig@@UAE@XZ", + "??1CModuleConfigList@@UAE@XZ", + "??1CModuleFileExtConfig@@UAE@XZ", + "??1CModuleFlagConfig@@UAE@XZ", + "??1CModuleMultiStringConfig@@UAE@XZ", + "??1CModuleStringConfig@@UAE@XZ", + "??1CSmartLock@@QAE@XZ", + "??1CSmartReference@@QAE@XZ", + "??1CStrList@@UAE@XZ", + "??1CSystemThread@@UAE@XZ", + "??1CUserFuncAdapterJob@@UAE@XZ", + "??1CWorkerThread@@UAE@XZ", + "??1CWorkerThreadJob@@UAE@XZ", + "??1CWorkerThreadJobQueue@@UAE@XZ", + "??1CWorkerThreadPool@@UAE@XZ", + "??1IMemoryAllocator@@UAE@XZ", + 
"??2@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??2CMemoryAllocator@@SGPAXI@Z", + "??2CMemoryPoolAllocator@@SGPAXI@Z", + "??3@YAXPAX@Z", + "??3IMemoryAllocator@@SGXPAX@Z", + "??4CAutoUpdateConfigThread@@QAEAAV0@ABV0@@Z", + "??4CBlobConfig@@QAEAAV0@ABV0@@Z", + "??4CContext@@QAEAAV0@ABV0@@Z", + "??4CDebugLog@@QAEAAV0@ABV0@@Z", + "??4CFile@@QAEAAV0@ABV0@@Z", + "??4CKEvent@@QAEAAV0@ABV0@@Z", + "??4CLockEvent@@QAEAAV0@ABV0@@Z", + "??4CMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??4CMemoryPoolAllocator@@QAEAAV0@ABV0@@Z", + "??4CModuleConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleFlagConfig@@QAEAAV0@ABV0@@Z", + "??4CModuleStringConfig@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEAAV0@ABV0@@Z", + "??4CSmartLock@@QAEABV0@AAVCLockEvent@@@Z", + "??4CSystemThread@@QAEAAV0@ABV0@@Z", + "??4CUserFuncAdapterJob@@QAEAAV0@ABV0@@Z", + "??4CWorkerThread@@QAEAAV0@ABV0@@Z", + "??4CWorkerThreadJob@@QAEAAV0@ABV0@@Z", + "??4IMemoryAllocator@@QAEAAV0@ABV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QAEXXZ", + "??_FCFile@@QAEXXZ", + "??_FCFileExtension@@QAEXXZ", + 
"??_FCModuleConfigList@@QAEXXZ", + "??_FCStrList@@QAEXXZ", + "??_FCSystemThread@@QAEXXZ", + "??_FCWorkerThread@@QAEXXZ", + "??_FCWorkerThreadJob@@QAEXXZ", + "??_FCWorkerThreadJobQueue@@QAEXXZ", + "??_U@YAPAXIPAVIMemoryAllocator@@PBDK@Z", + "??_V@YAXPAX@Z", + "?Acquire@CLockEvent@@QAEXXZ", + "?Add@CContextList@@QAEEPAVCContext@@@Z", + "?Add@CFileExtension@@QAEEPBGK@Z", + "?Add@CModuleConfigList@@QAEEPAVCModuleConfig@@@Z", + "?Add@CStrList@@QAEEPBG@Z", + "?AddNode@CLockList@@UAEEQAXE@Z", + "?Alloc@CMemoryAllocator@@UAEPAXKPBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UAEPAXKPBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IAEPAXK@Z", + "?AttachJobQueue@CWorkerThread@@QAEXPAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QAEXXZ", + "?CheckNode@CLockList@@UAEHQAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QAEXXZ", + "?Cleanup@CBlobConfig@@AAEXXZ", + "?Cleanup@CModuleFileExtConfig@@IAEXXZ", + "?Cleanup@CModuleMultiStringConfig@@IAEXXZ", + "?Cleanup@CModuleStringConfig@@AAEXXZ", + "?Close@CFile@@QAEJXZ", + "?Count@CLockList@@QAEKXZ", + "?Create@CFile@@QAEJPBGKKKK@Z", + "?Create@CSystemThread@@QAEEXZ", + "?CreateInstance@CMemoryAllocator@@SGPAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SGPAV1@W4_POOL_TYPE@@KKK@Z", + "?CreatePool@CWorkerThreadPool@@QAEEXZ", + "?CreateThreads@CWorkerThreadPool@@QAEEK@Z", + "?CreateWIRP@CFile@@QAEJPBGKKKK@Z", + "?Delete@CFile@@QAEJXZ", + "?Delete@CFileExtension@@QAEEPBGK@Z", + "?Delete@CStrList@@QAEEPBG@Z", + "?DeleteAll@CList@@UAEXXZ", + "?DeleteAll@CLockList@@UAEXXZ", + "?DeleteNode@CContextList@@MAEXPAX@Z", + "?DeleteNode@CList@@UAEXPAX@Z", + "?DeleteNode@CModuleConfigList@@MAEXPAX@Z", + "?DeleteNode@CStrList@@EAEXPAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YGXPAPAX@Z", + "?DoIt@CWorkerThreadJob@@QAEJXZ", + "?EntryPoint@CSystemThread@@KGXPAX@Z", + "?Find@CContextList@@QAEPAVCContext@@K@Z", + "?Find@CContextList@@QAEPAVCContext@@PAX@Z", + "?Find@CFileExtension@@QAEPAU_STR_LIST_NODE@CStrList@@PBGK@Z", + 
"?Find@CModuleConfigList@@QAEPAVCModuleConfig@@K@Z", + "?Find@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?FindNode@CContextList@@IAEPAXPAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QAEPAU_STR_LIST_NODE@1@PBG@Z", + "?First@CList@@UAEPAXXZ", + "?First@CLockList@@UAEPAXXZ", + "?Free@CMemoryAllocator@@UAEXPAX@Z", + "?Free@CMemoryPoolAllocator@@UAEXPAX@Z", + "?GetAttributes@CFile@@QAEKXZ", + "?GetBasicInfomration@CFile@@IAEJXZ", + "?GetBlobCofig@CContext@@UAEJKPAXPAK@Z", + "?GetCategory@CContext@@QAEKXZ", + "?GetData@CBlobConfig@@QAEHPAXPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleFileExtConfig@@QAEPAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QAEKXZ", + "?GetData@CModuleMultiStringConfig@@QAEHPAGPAK@Z", + "?GetData@CModuleMultiStringConfig@@QAEPAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QAEPAGXZ", + "?GetData@CStrList@@QAEEPAGPAK@Z", + "?GetDataType@CModuleConfig@@QAEKXZ", + "?GetEngineContext@CContext@@QAEPAXXZ", + "?GetFBCallBackRoutine@CContext@@QAEKXZ", + "?GetFileExtensionConfig@CContext@@QAEPAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UAEJKPAGPAK@Z", + "?GetFileSize@CFile@@QAEJPAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UAEJKPAK@Z", + "?GetID@CModuleConfig@@QAEKXZ", + "?GetJob@CWorkerThreadJobQueue@@QAEPAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QAEKXZ", + "?GetLinkContext@CContext@@QAEPAXXZ", + "?GetLogFlag@CDebugLog@@QAEKXZ", + "?GetModuleId@CModuleConfig@@QAEKXZ", + "?GetMultiStringConfig@CContext@@QAEPAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QAEPAU_ETHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QAEKXZ", + "?GetSize@CBlobConfig@@QAEKXZ", + "?GetStringConfig@CContext@@QAEPAGK@Z", + "?GetStringConfig@CContext@@UAEJKPAGPAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QAEKXZ", + "?GetThreadID@CSystemThread@@QAEKXZ", + "?GetType@CContext@@QAEKXZ", + "?GetUserParameter@CContext@@QAEKXZ", + 
"?InitializeBlobConfig@CContext@@QAEHKPAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QAEHKPBG@Z", + "?InitializeFlagConfig@CContext@@QAEHKK@Z", + "?InitializeMultiStringConfig@CContext@@QAEHKPBG@Z", + "?InitializeStringConfig@CContext@@QAEHKPBG@Z", + "?Insert@CList@@UAEXQAXE@Z", + "?Insert@CLockList@@UAEXQAXE@Z", + "?InsertAfter@CList@@UAEXPAX0@Z", + "?InsertBefore@CList@@UAEXPAX0@Z", + "?Instance@CWorkerThreadPool@@SGPAV1@XZ", + "?IsEmpty@CList@@UAEEXZ", + "?IsEmpty@CLockList@@UAEEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IAEEK@Z", + "?IsFull@CLockList@@QBEEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QAEEPBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QAEEPBG@Z", + "?IsOpened@CFile@@QAEEXZ", + "?IsTerminated@CWorkerThreadPool@@QAEEXZ", + "?IsValid@CMemoryAllocator@@UAEEXZ", + "?IsValid@CMemoryPoolAllocator@@UAEEXZ", + "?IsValid@IMemoryAllocator@@UAEEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QAEEK@Z", + "?JobFunction@CUserFuncAdapterJob@@MAEXXZ", + "?JobQueue@CWorkerThreadPool@@QAEAAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QAEKXZ", + "?MatchAllExtensions@CFileExtension@@QAEEXZ", + "?MatchNoExtensions@CFileExtension@@QAEEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IAEPAXPAX@Z", + "?NeedDelete@CWorkerThreadJob@@QAEEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QAEXE@Z", + "?NewNode@CList@@UAEPAXXZ", + "?NewNode@CStrList@@EAEPAXXZ", + "?NewNodeVariant@CList@@IAEPAXK@Z", + "?Next@CList@@UBEPAXQAX@Z", + "?Next@CLockList@@UBEPAXQAX@Z", + "?NextPool@CMemoryPoolAllocator@@QAEPAV1@XZ", + "?NotityTerminate@CWorkerThread@@QAEXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QAEJP6GXPAX@Z0E@Z", + "?Pulse@CKEvent@@QAEJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QAEEPAVCWorkerThreadJob@@@Z", + 
"?QueueJobItem@CWorkerThreadPool@@QAEJPAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SGPAV1@XZ", + "?Read@CFile@@QAEJPADKPAK@Z", + "?ReferenceCount@CContext@@QAEAAKXZ", + "?Release@CLockEvent@@QAEXXZ", + "?Remove@CContextList@@UAEEQAX@Z", + "?Remove@CList@@UAEEQAX@Z", + "?Remove@CLockList@@UAEEQAX@Z", + "?RemoveHead@CList@@UAEPAXXZ", + "?RemoveHead@CLockList@@UAEPAXXZ", + "?RemoveTail@CList@@UAEPAXXZ", + "?RemoveTail@CLockList@@UAEPAXXZ", + "?Reset@CKEvent@@QAEXXZ", + "?RestoreCR0@@YGXPAX@Z", + "?Run@CAutoUpdateConfigThread@@UAEXXZ", + "?Run@CWorkerThread@@UAEXXZ", + "?SeekToEnd@CFile@@QAEJXZ", + "?Set@CKEvent@@QAEJJE@Z", + "?SetAttributes@CFile@@QAEJK@Z", + "?SetBlobCofig@CContext@@UAEJKPAXK@Z", + "?SetData@CBlobConfig@@QAEHPAXK@Z", + "?SetData@CModuleFileExtConfig@@QAEHPBG@Z", + "?SetData@CModuleFlagConfig@@QAEHK@Z", + "?SetData@CModuleMultiStringConfig@@QAEHPBG@Z", + "?SetData@CModuleStringConfig@@QAEHPBG@Z", + "?SetEngineContext@CContext@@QAEXPAX@Z", + "?SetFileExtensionConfig@CContext@@UAEJKPBG@Z", + "?SetFlagConfig@CContext@@UAEJKK@Z", + "?SetLinkContext@CContext@@QAEXPAX@Z", + "?SetLogFlag@CDebugLog@@QAEEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QAEXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QAEXE@Z", + "?SetMultiStringConfig@CContext@@UAEJKPBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QAEXXZ", + "?SetPriority@CSystemThread@@QAEXK@Z", + "?SetStopUse@CContext@@QAEXXZ", + "?SetStringConfig@CContext@@UAEJKPBG@Z", + "?Setup@CSystemThread@@MAEXXZ", + "?StopUse@CContext@@QAEHXZ", + "?TearDown@CSystemThread@@MAEXXZ", + "?Terminate@CSystemThread@@QAEXE@Z", + "?Terminate@CWorkerThreadPool@@QAEEXZ", + "?TmExceptionFilter@@YGJPAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QAEJPAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QAEXXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QAEEXZ", + "?Write@CDebugLog@@QAAXPBDZZ", + "?Write@CFile@@QAEJPADKPAT_LARGE_INTEGER@@PAK@Z", + "?WriteSystemInformation@CDebugLog@@QAEXXZ", + 
"?WriteSystemStringInformation@CDebugLog@@IAEXPBG@Z", + "?WriteToFile@CDebugLog@@IAEXPADK@Z", + "?_pNonPagedAllocator@@3PAVCMemoryAllocator@@A", + "?_pPagedAllocator@@3PAVCMemoryAllocator@@A", + "?m_lpInstance@CWorkerThreadPool@@1PAV1@A", + "?m_lpRCMInstance@CWorkerThreadPool@@1PAV1@A", + "_DeInitKmLPC@0", + "_GetModuleInfoByAddress@8", + "_GetModuleInfoByModuleName@8", + "_InitKmLPC@0", + "_KmCallUm@8", + "_ModGetExportProcAddress@8", + "_ModLoadDLLToBuffer@4", + "_ModLoadModule@8", + "_ModUnLoadModule@4", + "_NormalizeFileName@4", + "_NormalizeFullNtPathToDosName@4", + "_TmCommConfigRoutine@4", + "_UtilCleanFileReadOnly@4", + "_UtilDeleteFileForce@4", + "_UtilGetFileObjectForProcessByEPROC@8", + "_UtilGetFileObjectFromFileName@12", + "_UtilGetProcessName@12", + "_UtilGetSystemTime@4", + "_UtilIoSetFileInfo@24", + "_UtilIopCreateFileIRP@40", + "_UtilKeGetLowFileDevice@16", + "_UtilModuleIATHook@24", + "_UtilModuleIATUnHook@8", + "_UtilQueryKeyValue@24", + "_UtilVolumeDeviceToDosName@8", + "_UtilWaitValueChangeToZero@8", + "_UtilWriteVersionToRegistry@8", + "_UtilbuildDynamicDiskMappingTable@0", + "__UtilDosPathNameToNtPathName@12" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "mbstowcs", + "ExReleaseFastMutexUnsafe", + "wcsncpy", + "memcpy", + "wcsrchr", + "KeSetEvent", + "KePulseEvent", + "KeClearEvent", + "KeInitializeSemaphore", + "KeWaitForSingleObject", + "DbgPrint", + "KeReleaseSemaphore", + "RtlSubAuthoritySid", + "RtlInitializeSid", "ExAllocatePoolWithTag", - "KeSetTargetProcessorDpc", - "ZwCreateKey", - "IoDeleteSymbolicLink", + "RtlLengthRequiredSid", "ExFreePoolWithTag", - "KeInitializeMutex", - "RtlAnsiStringToUnicodeString", - "ZwReadFile", - "strstr", - "RtlInitUnicodeString", - "IoDeleteDevice", - "RtlInitAnsiString", - "ZwSetValueKey", - "_strupr", - "KeInitializeDpc", - "ZwQuerySystemInformation", - "MmBuildMdlForNonPagedPool", - "IoFreeMdl", - "ZwSetInformationFile", - "KeReleaseMutex", - "KeDelayExecutionThread", - "ZwCreateFile", - 
"PsCreateSystemThread", - "MmMapLockedPagesSpecifyCache", - "ExSystemTimeToLocalTime", - "ZwQueryValueKey", - "PsTerminateSystemThread", - "KeInsertQueueDpc", - "ZwEnumerateValueKey", - "ZwClose", - "sprintf", - "ObReferenceObjectByHandle", - "KeWaitForSingleObject", - "RtlTimeToTimeFields", - "MmProbeAndLockPages", - "ZwOpenProcess", - "MmUnlockPages", - "IoCreateSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "RtlCreateSecurityDescriptor", + "RtlAddAccessAllowedAce", + "RtlCreateAcl", + "ObfDereferenceObject", + "ZwSetEvent", + "ZwClose", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "memmove", + "KeStackAttachProcess", + "ZwConnectPort", + "RtlInitUnicodeString", + "ZwCreateSection", + "ZwWaitForSingleObject", + "ZwOpenEvent", + "ObfReferenceObject", + "IoGetCurrentProcess", + "memset", "MmIsAddressValid", - "ObfDereferenceObject", - "IoCreateDevice", - "ZwTerminateProcess", - "KeNumberProcessors", - "ZwQueryInformationFile", - "MmIsNonPagedSystemAddressValid", "ZwWriteFile", - "ZwDeleteKey", - "RtlFormatCurrentUserKeyPath", - "ZwEnumerateKey", - "IoAllocateMdl", - "ZwOpenKey", - "ObOpenObjectByName", + "ZwReadFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwCreateFile", "swprintf", - "RtlUnicodeStringToAnsiString", - "ZwOpenDirectoryObject", - "IoFileObjectType", - "IoDriverObjectType", - "ZwQueryDirectoryObject", - "wcstombs", - "KeQueryActiveProcessors", - "KeBugCheckEx", - "IofCompleteRequest", - "ExQueueWorkItem", - "__C_specific_handler", - "__chkstk", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2006-11-08 00:00:00", - "ValidTo": "2021-11-07 23:59:59", - "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", - "ValidFrom": "2006-05-23 17:01:29", - "ValidTo": "2016-05-23 17:11:29", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=IT, ST=Padova, L=Rubano, O=TG Soft S.a.s. Di Tonello Gianfranco e C., CN=TG Soft S.a.s. 
Di Tonello Gianfranco e C.", - "ValidFrom": "2016-01-20 00:00:00", - "ValidTo": "2019-03-11 23:59:59", - "Signature": "629f1e9a0f9ce5d38b9d6a8dd11af5b17d415d1891039677a3bc1ead43fdf569a403413d461fcfd48f76688244a7a7115e5408682f43319e9526d6dce0fd8ec4a0599331dc94ed2bb68aca4d58e63472587d17cea864ff3cf9ce209f122d904dfafb0db7cab4648b5b903922150f153a527764236b0222d9c1d51ff9631b87fba8b7b079b2ec5839af1be2c721dcebfa5dba429157f785d3a4929c785422ea5d2dacdc68dd1b3ca98c81aba0d7e232fefa7065e861fe51480983ed865dad87663c3a8c505c047ac1b6983917657497403bd7d0df0c71860aa2bec36b1954b1d2dc987e20e71c193f1e59a627c8d6a345b8f7e9b21f0841636672190217727209", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "7380a219373c43f82746ddf3ed55eaea", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" - } - ] - } - ] - } - ], - "Tags": [ - "viraglt64.sys" - ] - }, - { - "Id": "3e0bf6dc-791b-4170-8c40-427e7299d93d", - "Author": "Paul Michaud", - "Created": "2023-05-12", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create KfeCo10X64.sys binPath=C:\\windows\\temp\\KfeCo10X64.sys type=kernel && sc.exe start KfeCo10X64.sys", - "Description": "Killer exposes COM interfaces that allow non-privileged users 1) to block network for any process 2) to manage any service in the OS. Killer is preinstalled to laptops equipped with Intel Killer NICs (e.g. Dell). 
Since Intel patched the vulnerability quietly, it's not clear which version is safe. Also, it is unclear which OEMs are affected. Dell is definitely in the list, but it is likely that other vendors with Killer NICs on board, such as Acer and MSI, are affected too. Some users think that Killer suite is required for the NIC to work properly, so they install it even after a fresh Windows install. This version is confirmed vulnerable based on the script usage from zwclose.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://zwclose.github.io/2023/04/18/killer2.html", - "https://twitter.com/zwclose/status/1648441215808049153", - "https://zwclose.github.io/2022/12/18/killer1.html" - ], - "Acknowledgement": { - "Person": "zwclose", - "Handle": "zwclose" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "KfeCo10X64.sys", - "MD5": "697f698b59f32f66cd8166e43a5c49c7", - "SHA1": "f5d58452620b55c2931cba75eb701f4cde90a9e4", - "SHA256": "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704", - "Signature": "", - "Date": "", - "Publisher": "", - "Company": "Rivet Networks, LLC.", - "Description": "Killer Traffic Control Callout Driver", - "Product": "Killer Traffic Control", - "ProductVersion": "9.7.4.11", - "FileVersion": "9.7.4.11", - "MachineType": "AMD64", - "OriginalFilename": "KfeCoDrv.sys", - "Authentihash": { - "MD5": "9085c42a59541dbd2e05fec9c247a189", - "SHA1": "c46323ef4fd5f553003a92fdad0d3059564e481f", - "SHA256": "8bce4a327c9e77631c03057b0e45cdbb2e751194d42995c0310e3ccdd3d33b7c" - }, - "InternalName": "KfeCoDrv.sys", - "Copyright": "Copyright (C) 2015-2018 Rivet Networks, LLC.", - "Imports": [ - "ntoskrnl.exe", - "NDIS.SYS", - "fwpkclnt.sys", - "WDFLDR.SYS" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "EtwRegister", + "towupper", + "_wcsnicmp", "KeInitializeEvent", - "EtwUnregister", - "__C_specific_handler", - "ExFreePoolWithTag", - 
"ExAllocatePoolWithTag", - "RtlCopyUnicodeString", - "EtwSetInformation", - "EtwWriteTransfer", - "strstr", - "RtlCompareMemory", - "RtlIpv4StringToAddressA", - "KeAcquireInStackQueuedSpinLock", - "KeSetTimer", - "KeCancelTimer", - "KeInitializeTimer", + "_snprintf", + "PsGetCurrentProcessId", + "RtlTimeToTimeFields", + "ExSystemTimeToLocalTime", + "KeQuerySystemTime", + "ZwCreateKey", + "ZwCreateEvent", + "KeWaitForMultipleObjects", + "ObReferenceObjectByHandle", + "ZwNotifyChangeKey", + "PsGetCurrentThreadId", + "_vsnprintf", "KeSetPriorityThread", - "KeSetImportanceDpc", - "KeInsertQueueDpc", - "KeInitializeDpc", - "IoQueueWorkItem", - "IoFreeWorkItem", - "IoAllocateWorkItem", "PsTerminateSystemThread", - "KeWaitForMultipleObjects", - "KeDelayExecutionThread", - "KeClearEvent", - "RtlEthernetAddressToStringW", - "RtlRandomEx", - "ZwClose", "PsCreateSystemThread", - "KeWaitForSingleObject", - "KeSetEvent", - "KeQueryInterruptTimePrecise", - "ExEventObjectType", - "ObReferenceObjectByHandle", - "MmMapLockedPagesSpecifyCache", + "KeNumberProcessors", + "ZwQuerySystemInformation", + "ZwQueryDirectoryFile", + "ZwOpenDirectoryObject", + "ZwQueryDirectoryObject", + "ZwDuplicateObject", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryValueKey", + "ZwDeleteValueKey", + "ZwDeleteKey", + "ExGetPreviousMode", + "ZwTerminateProcess", + "KeLeaveCriticalRegion", + "PsProcessType", + "ZwOpenProcess", + "ZwQueryKey", + "ZwSetValueKey", + "IoFreeIrp", + "_purecall", "MmUnlockPages", - "MmProbeAndLockPages", + "IoBuildAsynchronousFsdRequest", "ProbeForWrite", - "ProbeForRead", - "IoFreeMdl", - "IoAllocateMdl", - "MmBuildMdlForNonPagedPool", - "ObfDereferenceObject", - "memchr", - "RtlIpv6StringToAddressA", - "KeReleaseInStackQueuedSpinLockFromDpcLevel", - "KeAcquireInStackQueuedSpinLockAtDpcLevel", - "KeReleaseInStackQueuedSpinLock", - "KeInitializeSpinLock", - "NdisGetDataBuffer", - "NdisRetreatNetBufferDataStart", - "NdisAdvanceNetBufferDataStart", - 
"NdisCopySendNetBufferListInfo", - "NdisFreeNetBufferListPool", - "NdisAllocateNetBufferListPool", - "NdisFreeNetBufferPool", - "NdisAllocateNetBufferPool", - "NdisFreeGenericObject", - "NdisCopyReceiveNetBufferListInfo", - "NdisAllocateGenericObject", - "FwpsInjectTransportReceiveAsync0", - "FwpsQueryConnectionRedirectState0", - "FwpsRedirectHandleDestroy0", - "FwpsRedirectHandleCreate0", - "FwpsApplyModifiedLayerData0", - "FwpsAcquireWritableLayerDataPointer0", - "FwpsCompleteClassify0", - "FwpsPendClassify0", - "FwpsReleaseClassifyHandle0", - "FwpsAcquireClassifyHandle0", - "FwpsCalloutUnregisterByKey0", - "FwpsConstructIpHeaderForTransportPacket0", - "FwpsDereferenceNetBufferList0", - "FwpsReferenceNetBufferList0", - "FwpsInjectMacSendAsync0", - "FwpsInjectMacReceiveAsync0", - "FwpsAllocateCloneNetBufferList0", - "FwpsFreeNetBufferList0", - "FwpsAllocateNetBufferAndNetBufferList0", - "FwpmFilterDeleteById0", - "FwpsCalloutRegister3", - "FwpmFilterAdd0", - "FwpmCalloutDeleteByKey0", - "FwpmSubLayerDeleteByKey0", - "FwpmProviderContextDeleteByKey0", - "FwpsQueryPacketInjectionState0", - "FwpsInjectTransportSendAsync1", - "FwpsFreeCloneNetBufferList0", - "FwpsGetPacketListSecurityInformation0", - "FwpsFlowRemoveContext0", - "FwpsFlowAssociateContext0", - "FwpsCalloutUnregisterById0", - "FwpmCalloutAdd0", - "FwpmSubLayerAdd0", - "FwpmProviderAdd0", - "FwpmTransactionAbort0", - "FwpmTransactionCommit0", - "FwpmTransactionBegin0", - "FwpmEngineClose0", - "FwpmEngineOpen0", - "FwpsInjectionHandleDestroy0", - "FwpsInjectionHandleCreate0", - "WdfVersionUnbind", - "WdfVersionBindClass", - "WdfVersionUnbindClass", - "WdfVersionBind" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Texas, L=Austin, O=Rivet Networks LLC, CN=Rivet Networks LLC", - "ValidFrom": "2020-06-26 00:00:00", - "ValidTo": "2021-07-01 12:00:00", - "Signature": 
"abf01f216d547fddd1906d605cee818c112ccb63b4102fe93cd215dcc3a619e51ac0cb95e094bd3f00091bd4c27de102be07fb3bf81da2ac84cecbd127bfa975a0cdf4f4e4b5ccc97a12613fe9c88c3cc71f9ce5e7142833e7ee728cacc9d28bde4c6533dd97f4083d884f5becfcde942a3934cd58f9590defaed7370382d7a318938b941d54b74a5015c1f6cbd69ce717a61e5171c3895ca5a5e5407e8f6aca5088caf373af711a575dc21995e949e2b8a32e91378a4f677a5ca39b6c3ccb2b95f8fe88e9c6437e37096adb5ccb67ac1270d155728de644876bc7571da01cad1b4df2cc3d7a4d4a14bf3082a48ed6feb7fc9180ad2df14aea246bf0bd8154cb", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA", - "ValidFrom": "2013-10-22 12:00:00", - "ValidTo": "2028-10-22 12:00:00", - "Signature": "3eec0d5a24b3f322d115c82c7c252976a81d5d1c2d3a1ac4ef3061d77e0b60fdc33d0fc4af8bfdef2adf205537b0e1f6d192750f51b46ea58e5ae25e24814e10a4ee3f718e630e134badd75f4479f33614068af79c464e5cff90b11b070e9115fbbaafb551c28d24ae24c6c7272aa129281a3a7128023c2e91a3c02511e29c1447a17a6868af9ba75c205cd971b10c8fbba8f8c512689fcf40cb4044a513f0e6640c25084232b2368a2402fe2f727e1cd7494596e8591de9fa74646bb2eb6643dab3b08cd5e90dddf60120ce9931633d081a18b3819b4fc6931006fc0781fa8bdaf98249f7626ea153fa129418852e9291ea686c4432b266a1e718a49a6451ef", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA", - "ValidFrom": "2011-04-15 19:41:37", - "ValidTo": "2021-04-15 19:51:37", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "0824024fda0b4b1b496eeeddfcff6e16", - "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" - } - ] - } - ] - } - ], - "Tags": [ - "KfeCo10X64.sys" - ] - }, - { - "Id": "5943b267-64f3-40d4-8669-354f23dec122", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": 
"T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create Agent64.sys binPath=C:\\windows\\temp\\Agent64.sys type=kernel && sc.exe start Agent64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "Agent64.sys", - "MD5": "8407ddfab85ae664e507c30314090385", - "SHA1": "8db869c0674221a2d3280143cbb0807fac08e0cc", - "SHA256": "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748", - "Signature": [ - "eSupport.com, Inc.", - "GlobalSign CodeSigning CA - SHA256 - G2", - "GlobalSign", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", - "Company": "Phoenix Technologies", - "Description": "DriverAgent Direct I/O for 64-bit Windows", - "Product": "DriverAgent", - "ProductVersion": "6.0", - "FileVersion": "6.0", - "MachineType": "AMD64", - "OriginalFilename": "Agent64.sys", - "Authentihash": { - "MD5": "d86884546c97e614b73d16c600cfb2df", - "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", - "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" - }, - "InternalName": "Agent64.sys", - "Copyright": "EnTech Taiwan, 1997-2009", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeInitializeDpc", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", - "ExFreePoolWithTag", - "ExAllocatePool", - "ZwClose", - "MmUnmapLockedPages", - "IoDeleteDevice", - "KeSetEvent", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "IoFreeMdl", + "_strnicmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + 
"KeDelayExecutionThread", + "mbstowcs", + "ZwQuerySymbolicLinkObject", + "ZwOpenSymbolicLinkObject", + "NtClose", + "ZwSetInformationObject", + "_stricmp", "ZwUnmapViewOfSection", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "IoStartNextPacket", - "KeInsertQueueDpc", - "MmMapLockedPages", "ZwMapViewOfSection", + "ZwOpenFile", + "RtlEqualUnicodeString", + "IoFileObjectType", + "IoCreateFile", + "IofCallDriver", + "IoAllocateIrp", "MmBuildMdlForNonPagedPool", - "MmGetPhysicalAddress", - "MmMapLockedPagesSpecifyCache", - "ObReferenceObjectByHandle", - "ZwOpenSection", "IoAllocateMdl", - "MmAllocateContiguousMemory", + "PsGetVersion", + "MmGetSystemRoutineAddress", + "RtlCompareMemory", + "RtlCopyUnicodeString", + "RtlImageNtHeader", + "PsLookupProcessByProcessId", + "RtlFreeUnicodeString", + "RtlAnsiStringToUnicodeString", + "RtlInitAnsiString", + "strrchr", "KeBugCheckEx", - "RtlInitUnicodeString", - "_snwprintf", - "IoCreateNotificationEvent", + "RtlAppendUnicodeStringToString", + "IofCompleteRequest", + "ExEventObjectType", + "IoDeleteDevice", "IoDeleteSymbolicLink", - "HalTranslateBusAddress", - "HalGetInterruptVector", - "KeStallExecutionProcessor" + "IoCreateSymbolicLink", + "ProbeForRead", + "IoGetDeviceObjectPointer", + "RtlUpperChar", + "RtlCompareUnicodeString", + "strncpy", + "KeServiceDescriptorTable", + "NtOpenProcess", + "ObReferenceObjectByPointer", + "MmSectionObjectType", + "ObQueryNameString", + "ObOpenObjectByName", + "IoDriverObjectType", + "NtQueryInformationProcess", + "_snwprintf", + "KeAddSystemServiceTable", + "ZwQueryObject", + "ZwQuerySecurityObject", + "ObInsertObject", + "_allrem", + "IoReleaseVpbSpinLock", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "KeTickCount", + "RtlUnwind", + "KeEnterCriticalRegion", + "ObOpenObjectByPointer", + "ExAcquireFastMutexUnsafe", + "ZwSetSecurityObject", + "IoDeviceObjectType", + "IoCreateDevice", + "RtlGetDaclSecurityDescriptor", + 
"RtlGetSaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "RtlLengthSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlLengthSid", + "wcschr", + "RtlAbsoluteToSelfRelativeSD", + "IoFreeMdl", + "KeGetCurrentThread", + "KfLowerIrql", + "KeRaiseIrqlToDpcLevel", + "ClassInitialize" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", + "ValidFrom": "2007-06-15 00:00:00", + "ValidTo": "2012-06-14 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , SHA256 , G2", - "ValidFrom": "2011-08-02 10:00:00", - "ValidTo": "2019-08-02 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2009-11-18 10:00:00", - "ValidTo": "2019-03-18 10:00:00", - "Signature": "4252a97ea2cf5b3bcb4bddbaf85759d324a47772ef62443782ed06ee04d5165f24a314dc6c54056ab09b3dda8139daad28db956f8183f5cd62b14524b1dd29e5085495958cf01d065f1ad6463f1340174811169b474dd13ab50f571c9230d0f8b2253b0acdf687f9c7b257d33f7da58c14ce9ca8c79f4693da59fa795d652035445a4fc1909dc1549256dc34c8f5c103d05dc059489c00fc95a0f1d176f71636c813927f2d2bc0b880f126261f414d52bf1e97bb018208e715f6c1d5342accf5e4c3877a5781e1d6d74286620177e2a9c47a86f404387a076a7d00ec73f7a80b3478c59eb3efb838400e8c3353c875ec5f3eea755eff820e7415dc1905f3ba31", - "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA", + "ValidFrom": "2004-07-16 00:00:00", + "ValidTo": "2014-07-15 23:59:59", + "Signature": "ae3a17b84a7b55fa6455ec40a4ed494190999c89bcaf2e1dca7823f91c190f7feb68bc32d98838dedc3fd389b43fb18296f1a45abaed2e26d3de7c016e000a00a4069211480940f91c1879672324e0bbd5e150ae1bf50edde02e81cd80a36c524f9175558aba22f2d2ea4175882f63557d1e545a9559cad93481c05f5ef67ab5", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=MA, L=North Andover, O=eSupport.com, Inc., CN=eSupport.com, Inc.", - "ValidFrom": "2014-09-24 20:36:26", - "ValidTo": "2015-09-25 20:36:26", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=RD, CN=Trend Micro, Inc.", + "ValidFrom": "2008-01-16 00:00:00", + "ValidTo": "2011-02-16 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, 
CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "11216e054fad930d88cabc078eb0d3bcc8ac", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , SHA256 , G2" + "SerialNumber": "645212f783f4d7aba3555729e99ce065", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA" } ] } ] }, { - "Filename": "Agent64.sys", - "MD5": "1ed08a6264c5c92099d6d1dae5e8f530", - "SHA1": "27d3ebea7655a72e6e8b95053753a25db944ec0f", - "SHA256": "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca", - "Signature": [ - "Phoenix Technologies Ltd", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", - "Company": "Phoenix Technologies", - "Description": "DriverAgent 
Direct I/O for 64-bit Windows", - "Product": "DriverAgent", - "ProductVersion": "6.0", - "FileVersion": "6.0", - "MachineType": "AMD64", - "OriginalFilename": "Agent64.sys", + "FileName": "TmComm.sys", + "MD5": "d6b259b2dfe80bdf4d026063accd752c", + "SHA1": "0adc1320421f02f2324e764aa344018758514436", + "SHA256": "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7", "Authentihash": { - "MD5": "d86884546c97e614b73d16c600cfb2df", - "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", - "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" + "MD5": "451feb7fca0b5d5816babd65d34074c4", + "SHA1": "84913e5e61158fa8ff45dffb4e60cd589a9e69a9", + "SHA256": "03192bacd96989bad4181609295764f61a86d2ec9f7918a90a219e674ae3097f" }, - "InternalName": "Agent64.sys", - "Copyright": "EnTech Taiwan, 1997-2009", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "7.0.0.1099", + "Product": "Trend Micro Eyes", + "ProductVersion": "7.0", + "Copyright": "Copyright (C) 2016 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + 
"??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + 
"??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3@YAXPEAX_K@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + 
"??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "??_V@YAXPEAX_K@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + 
"?Add@CContextList@@QEAAEPEAVCContext@@@Z", + "?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + 
"?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + 
"?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + 
"?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", 
+ "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + "?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + 
"?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "AllocFullFileName", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsVerifierCodeCheckFlagOn", + "IsWindows8_1_update", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetBackupCommPortAPIs", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + 
"UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeDpc", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", - "ExFreePoolWithTag", - "ExAllocatePool", - "ZwClose", - "MmUnmapLockedPages", - "IoDeleteDevice", + "RtlInitUnicodeString", + "KeInitializeEvent", + "KeClearEvent", "KeSetEvent", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "IoFreeMdl", - "ZwUnmapViewOfSection", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "IoStartNextPacket", - "KeInsertQueueDpc", - "MmMapLockedPages", - "ZwMapViewOfSection", - "MmBuildMdlForNonPagedPool", - "MmGetPhysicalAddress", + "KeEnterCriticalRegion", + "KeLeaveCriticalRegion", + "KeWaitForSingleObject", + "ExFreePoolWithTag", + "ExAcquireFastMutexUnsafe", + "ExReleaseFastMutexUnsafe", + "ProbeForRead", + "ProbeForWrite", + "ExAcquireResourceSharedLite", + "ExAcquireResourceExclusiveLite", + "ExReleaseResourceLite", + "MmProbeAndLockPages", + "MmUnlockPages", "MmMapLockedPagesSpecifyCache", - "ObReferenceObjectByHandle", - "ZwOpenSection", "IoAllocateMdl", - "MmAllocateContiguousMemory", - "KeBugCheckEx", - "RtlInitUnicodeString", - "_snwprintf", - "IoCreateNotificationEvent", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress", - "HalGetInterruptVector", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 13:00:00", - "ValidTo": "2017-01-27 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=MA, L=North Andover, O=Phoenix Technologies Ltd, OU=eSupport, CN=Phoenix Technologies Ltd", - "ValidFrom": "2009-12-11 17:20:45", - "ValidTo": "2010-12-12 17:20:42", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 10:00:00", - "ValidTo": "2017-01-27 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "010000000001257ee1f400", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - }, - { - 
"Filename": "Agent64.sys", - "MD5": "ddc2ffe0ab3fcd48db898ab13c38d88d", - "SHA1": "33cdab3bbc8b3adce4067a1b042778607dce2acd", - "SHA256": "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa", - "Signature": [ - "Phoenix Technologies Ltd", - "GlobalSign ObjectSign CA", - "GlobalSign Primary Object Publishing CA", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", - "Company": "Phoenix Technologies", - "Description": "DriverAgent Direct I/O for 64-bit Windows", - "Product": "DriverAgent", - "ProductVersion": "6.0", - "FileVersion": "6.0", - "MachineType": "AMD64", - "OriginalFilename": "Agent64.sys", - "Authentihash": { - "MD5": "d86884546c97e614b73d16c600cfb2df", - "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", - "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" - }, - "InternalName": "Agent64.sys", - "Copyright": "EnTech Taiwan, 1997-2009", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeInitializeDpc", + "IoFreeMdl", + "IoGetCurrentProcess", + "ObfReferenceObject", + "ObfDereferenceObject", + "ZwClose", + "ZwCreateSection", + "ZwOpenSection", + "ZwMapViewOfSection", + "ZwUnmapViewOfSection", + "ZwOpenEvent", + "KePulseEvent", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ObOpenObjectByPointer", + "ZwAllocateVirtualMemory", + "ZwFreeVirtualMemory", + "ZwSetEvent", + "__C_specific_handler", + "PsProcessType", + "wcslen", + "wcsncpy", + "wcsrchr", + "RtlUnicodeStringToInteger", + "ZwWaitForSingleObject", + "ZwRequestWaitReplyPort", + "ZwConnectPort", + "SeCaptureSubjectContext", + "SeReleaseSubjectContext", + "SeAccessCheck", + "ObGetObjectSecurity", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "PsThreadType", + "MmSectionObjectType", + "RtlCreateSecurityDescriptor", + "RtlSetDaclSecurityDescriptor", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + 
"ExAllocatePoolWithTag", + "ExAcquireFastMutex", + "ExReleaseFastMutex", + "RtlCreateAcl", + "RtlAddAccessAllowedAce", + "RtlLengthRequiredSid", + "RtlInitializeSid", + "RtlSubAuthoritySid", + "KeDelayExecutionThread", + "ExGetPreviousMode", + "DbgPrint", + "swprintf", + "RtlCopyUnicodeString", + "PsGetVersion", "IofCompleteRequest", "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", - "ExFreePoolWithTag", - "ExAllocatePool", - "ZwClose", - "MmUnmapLockedPages", "IoDeleteDevice", - "KeSetEvent", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "IoFreeMdl", - "ZwUnmapViewOfSection", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "IoStartNextPacket", - "KeInsertQueueDpc", - "MmMapLockedPages", - "ZwMapViewOfSection", - "MmBuildMdlForNonPagedPool", - "MmGetPhysicalAddress", - "MmMapLockedPagesSpecifyCache", + "IoDeleteSymbolicLink", "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "KeBugCheckEx", - "RtlInitUnicodeString", + "PsGetCurrentProcessId", + "ZwCreateEvent", + "ExEventObjectType", + "_wcsnicmp", + "PsSetCreateProcessNotifyRoutine", + "ZwQueryInformationProcess", + "PsLookupProcessByProcessId", + "ZwOpenDirectoryObject", + "ExInitializeResourceLite", + "ExDeleteResourceLite", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "towupper", + "MmGetSystemRoutineAddress", + "ObReferenceObjectByPointer", + "MmIsAddressValid", + "PsGetCurrentThreadId", + "ObQueryNameString", + "_snprintf", + "_vsnprintf", + "RtlInitAnsiString", + "RtlAnsiStringToUnicodeString", + "RtlFreeUnicodeString", + "RtlTimeToTimeFields", + "KeWaitForMultipleObjects", + "ExSystemTimeToLocalTime", + "wcscat", + "ZwDeviceIoControlFile", + "ZwNotifyChangeKey", + "ZwOpenFile", + "ZwQueryVolumeInformationFile", + "mbstowcs", + "_stricmp", + "IoGetDeviceObjectPointer", + "RtlImageNtHeader", + "ZwQuerySystemInformation", + "IoBuildDeviceIoControlRequest", + "IofCallDriver", + 
"IoCreateFile", + "RtlEqualUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlUpcaseUnicodeChar", "_snwprintf", - "IoCreateNotificationEvent", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress", - "HalGetInterruptVector", - "KeStallExecutionProcessor" + "strlen", + "_strnicmp", + "strncpy", + "NtOpenProcess", + "NtQueryInformationProcess", + "ObOpenObjectByName", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "KeNumberProcessors", + "RtlLengthSecurityDescriptor", + "ZwOpenKey", + "ZwDeleteKey", + "ZwDeleteValueKey", + "ZwEnumerateKey", + "ZwEnumerateValueKey", + "ZwQueryKey", + "ZwQueryValueKey", + "ZwSetValueKey", + "ZwTerminateProcess", + "ZwOpenProcess", + "ZwDuplicateObject", + "ZwQuerySecurityObject", + "ZwSetSecurityObject", + "ZwQueryDirectoryObject", + "ZwQueryDirectoryFile", + "NtCreateFile", + "NtQueryInformationFile", + "NtSetInformationFile", + "IoFileObjectType", + "ObInsertObject", + "wcschr", + "wcsncmp", + "RtlQueryRegistryValues", + "RtlAppendUnicodeToString", + "RtlCompareMemory", + "MmBuildMdlForNonPagedPool", + "IoAllocateIrp", + "IoFreeIrp", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "RtlUpcaseUnicodeString", + "NtClose", + "ZwSetInformationObject", + "SeQueryAuthenticationIdToken", + "MmSystemRangeStart", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "SeCreateAccessState", + "IoAcquireVpbSpinLock", + "IoReleaseVpbSpinLock", + "wcstombs", + "strncat", + "wcsncat", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "strcpy", + "wcsstr", + "RtlCompareUnicodeString", + "DbgPrintEx", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "ExAllocatePool", + "ExpInterlockedPopEntrySList", + "IoBuildSynchronousFsdRequest", + "IoGetStackLimits", + "IoGetDeviceInterfaces", + "IoRegisterPlugPlayNotification", + "IoUnregisterPlugPlayNotification", + "IoGetConfigurationInformation", + "FsRtlIsNameInExpression", + "IoDeviceObjectType", + "IoCreateDevice", + 
"RtlGetOwnerSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetSaclSecurityDescriptor", + "SeCaptureSecurityDescriptor", + "RtlLengthSid", + "SeExports", + "IoIsWdmVersionAvailable", + "RtlAbsoluteToSelfRelativeSD", + "ZwCreateKey", + "_purecall", + "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services Signer , G2", - "ValidFrom": "2007-06-15 00:00:00", - "ValidTo": "2012-06-14 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA", - "ValidFrom": "1999-01-28 13:00:00", - "ValidTo": "2017-01-27 12:00:00", - "Signature": "b578a6a27c04b77fc97f7d6abc71fa293060c2f4621efe7f431e9b6ee2b21f730b85765b7df54e49062fd4fab79140efed6f8d8e138354c52a023d0aa4dc990b7abd772fcc40c18ff3c48c4e72ba107ce6ff642bc7ce6ca7fcd79a7c8e468d01834d423bdb9c3f9f326157d717b0b33666f0b3fd446f8137b1944ea7562589f58ad66d116262795c42900218d39c23fc08e86445b92d7e805b4eafc38a299283781f914134af85c5fd07994e2c5cfec7fd17bb2525314d72b5b5294b489a376f13c7114e4a451e7e2f319cabe852afd6679734885f0e276a6652d15ac7ac302c2038dd2bff3aebce104582a27b1ba12073569b2a93e60451066c1bdc2f899493", + "Subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, 
CN=COMODO SHA,1 Time Stamping Signer", + "ValidFrom": "2015-12-31 00:00:00", + "ValidTo": "2019-07-09 18:40:36", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=MA, L=North Andover, O=Phoenix Technologies Ltd, OU=eSupport, CN=Phoenix Technologies Ltd", - "ValidFrom": "2009-12-11 17:20:45", - "ValidTo": "2010-12-12 17:20:42", - "Signature": "a7d9a2c70e374ebde881422b81fab976d3182885474a1379d078c736dc5e32157c8b5c667ec3e4bfb078a7f1e90e27be2bad1a41c54e9b53fcdf4f53c55a4a6e1328c147ca683314ae76a64e00d0487ae707f63c1c8524b5245329d368f7cbe263c7982dc73fe20c76921d51ad2a4333baba7443b5f493d42e8a2abcc510371a0a8a6b549cc41484d1da2442ce77e29284e7a6c1c64f2597e2cef45d2e97e1bb74826cab053233cfffed1d55c0c65b6bdefe00c5817dcbe798aa13bb7fb5c909348d5968c7f049f99943fbe0cf8be7e68fee1c6b45b911ecb1e11683a719be94109894e0c39d50530bbb9d0d2db812b78893f9ed0a870f9f6196268ed35ef119", + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2016-03-29 00:00:00", + "ValidTo": "2017-06-28 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA", - "ValidFrom": "2004-01-22 10:00:00", - "ValidTo": "2017-01-27 10:00:00", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "010000000001257ee1f400", - "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA" - } - ] - } - ] - }, - { - "Filename": "Agent64.sys", - "MD5": "29ccff428e5eb70ae429c3da8968e1ec", - "SHA1": "21e6c104fe9731c874fab5c9560c929b2857b918", - "SHA256": "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f", - "Signature": [ - "eSupport.com, Inc", - "GlobalSign CodeSigning CA - G2", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", - "Company": "Phoenix Technologies", - "Description": "DriverAgent Direct I/O for 64-bit Windows", - "Product": "DriverAgent", - "ProductVersion": "6.0", - "FileVersion": "6.0", - "MachineType": "AMD64", - "OriginalFilename": "Agent64.sys", + "SerialNumber": "774d49c5649436de6bf3190a67eedcdf", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + } + ] + } + ] + }, + { + "FileName": "TmComm.sys", + "MD5": 
"996ded363410dfd38af50c76bd5b4fbc", + "SHA1": "d7597d27eeb2658a7c7362193f4e5c813c5013e5", + "SHA256": "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c", "Authentihash": { - "MD5": "d86884546c97e614b73d16c600cfb2df", - "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", - "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" + "MD5": "8668e5f58ae2a95ada7f83f280974cba", + "SHA1": "0ad65356dae97eebd80c059e1ee1ec39c8119b95", + "SHA256": "683f0af364f8a19f81d2e095e17de6d403ba3672bdf4a1caf601bca5b57454df" }, - "InternalName": "Agent64.sys", - "Copyright": "EnTech Taiwan, 1997-2009", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.70.0.1129", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2020 Trend Micro Incorporated. All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" + ], + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + 
"??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + 
"??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + "??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + 
"??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + 
"??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + "?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + 
"?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + "?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + 
"?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + 
"?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + "?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + 
"?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + "?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + 
"?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + "?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetFileVersionOfNtoskrnl", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsWindows8_1_update", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + 
"KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFileName1", + "NormalizeFullNtPathToDosName", + "NormalizeFullNtPathToDosName1", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + "UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" ], - "ExportedFunctions": "", "ImportedFunctions": [ - "KeInitializeDpc", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", + "KeLeaveCriticalRegion", + "wcsncpy", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "wcsrchr", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "_purecall", + "ZwOpenEvent", + "ZwConnectPort", + "KeClearEvent", + "PsProcessType", "ExFreePoolWithTag", - "ExAllocatePool", - "ZwClose", - "MmUnmapLockedPages", - "IoDeleteDevice", - "KeSetEvent", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "IoFreeMdl", - "ZwUnmapViewOfSection", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "IoStartNextPacket", - "KeInsertQueueDpc", - "MmMapLockedPages", - 
"ZwMapViewOfSection", - "MmBuildMdlForNonPagedPool", - "MmGetPhysicalAddress", - "MmMapLockedPagesSpecifyCache", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "KeBugCheckEx", "RtlInitUnicodeString", - "_snwprintf", - "IoCreateNotificationEvent", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress", - "HalGetInterruptVector", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=Massachusetts, L=North Andover, O=eSupport.com, Inc, CN=eSupport.com, Inc", - "ValidFrom": "2013-08-20 20:02:56", - "ValidTo": "2014-08-21 20:02:56", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 
19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "5ff8d065746a81c6a6ca5b03b6914ae84bbdef2ba142f0efb4a5adcd3389ec0b9585ac62501108aa58d25aa08310e5a6337af25af2c5fe787cf09c83df190ad97396002dd62ccde914d41d9de83f3c1a76f7904efb01350a6c9313a0c356eb67a0e4d17a96dec267f190f80a7bf5321b94ec5f751f8d1b34da6c58a7cb2d279e2226b7c9aa30cc0777b836e38201b5393ccc8dd9a75f7f23b3877fdb5798918bd7ce2520e39d644fdd87f72b68490318e0a5df7c5f68644d36838d4781f2e9e0a869abfa7b163c05a449ea8830190a6c73055178dfd41ddd3ad47f2de44e54be83431e7a7433b4a4ebd77073bc2a02988966eef6bc8f749378e329025a5a43e258ce7ccf9acad236893be25fda26054ec8d4e72c910e1797c5beee8b13112323294ffa83d050f6bafad53db3173df4ff034aa325dce67561d1fa35086bd62744d068b78d45e0eb852cc8a15d614474160e5958aed2b5eea5bcd6d7076ab62978fd976767dd8d4f17944fd2ed0caf972437c3a29c81da6be143b6577b4cecbf791319e79fe844e94781b75e701e91f83dd17b27f50b7056434805dda92fab86101d0b12e31ad04c6e75ded645b30b748887935c564a41029af7aeb799d8b67f88fa11f2457cf4d71b91c01cf1a0fbd4080a411a142acef4eb34486e66879ed54b7a397fbb0e3d3861cf735706e412066bd96b5308cd7018c22d4f974691bca9f0", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "11213d2f2fb6b9005e295e3c9596b6442513", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "Filename": "Agent64.sys", - "MD5": "a57b47489febc552515778dd0fd1e51c", - "SHA1": "d979353d04bf65cc92ad3412605bc81edbb75ec2", - "SHA256": "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414", - "Signature": [ - "eSupport.com, Inc.", - "GlobalSign Extended Validation CodeSigning CA - SHA256 - G2", - "GlobalSign", - "GlobalSign Root CA - R1" - ], - "Date": "", - "Publisher": "\"eSupport.com, Inc.\", Phoenix Technologies Ltd, \"eSupport.com, Inc\" ", - "Company": "Phoenix Technologies", - "Description": "DriverAgent Direct I/O for 64-bit Windows", - "Product": "DriverAgent", - "ProductVersion": "6.0", - "FileVersion": "6.0", - "MachineType": "AMD64", - 
"OriginalFilename": "Agent64.sys", - "Authentihash": { - "MD5": "d86884546c97e614b73d16c600cfb2df", - "SHA1": "94f7575a6bb378d0cf85b3dc65941c95415e7a80", - "SHA256": "3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8" - }, - "InternalName": "Agent64.sys", - "Copyright": "EnTech Taiwan, 1997-2009", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeInitializeDpc", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "IofCallDriver", - "ExFreePoolWithTag", - "ExAllocatePool", - "ZwClose", - "MmUnmapLockedPages", - "IoDeleteDevice", "KeSetEvent", - "MmFreeContiguousMemory", - "MmUnmapIoSpace", - "IoFreeMdl", - "ZwUnmapViewOfSection", - "IoConnectInterrupt", - "IoDisconnectInterrupt", - "IoStartNextPacket", - "KeInsertQueueDpc", - "MmMapLockedPages", - "ZwMapViewOfSection", - "MmBuildMdlForNonPagedPool", - "MmGetPhysicalAddress", - "MmMapLockedPagesSpecifyCache", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoAllocateMdl", - "MmAllocateContiguousMemory", - "KeBugCheckEx", - "RtlInitUnicodeString", - "_snwprintf", - "IoCreateNotificationEvent", - "IoDeleteSymbolicLink", - "HalTranslateBusAddress", - "HalGetInterruptVector", - "KeStallExecutionProcessor" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "OU=GlobalSign Root CA , R3, O=GlobalSign, CN=GlobalSign", - "ValidFrom": "2009-11-18 10:00:00", - "ValidTo": "2019-03-18 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G2", - "ValidFrom": "2011-08-02 10:00:00", - "ValidTo": "2019-08-02 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root 
CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, serialNumber=001030216, ??=US, ??=Massachusetts, C=US, ST=MA, L=North Andover, ??=120 Water St, O=eSupport.com, Inc., CN=eSupport.com, Inc.", - "ValidFrom": "2015-09-22 15:11:47", - "ValidTo": "2018-09-22 15:11:47", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "1121b5d4d579fe52c475c01e3da626487f05", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G2" - } - ] - } - ] - } - ], - "Tags": [ - "Agent64.sys" - ] - }, - { - "Id": "142453a2-a24d-4b35-8922-6d5939f1c0fc", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create semav6msr.sys binPath=C:\\windows\\temp\\semav6msr.sys type=kernel && sc.exe start semav6msr.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "semav6msr.sys", - "MD5": "07f83829e7429e60298440cd1e601a6a", - "SHA1": "643383938d5e0d4fd30d302af3e9293a4798e392", - "SHA256": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", - "Signature": [ - "Intel(R) Code Signing External", - "Intel External Basic Issuing CA 3B", - "Intel External Basic Policy CA", - "Sectigo (AddTrust)" - ], - "Date": "", - "Publisher": "", - 
"Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "79553d83580570e382d3b9c7e101df2b", - "SHA1": "e3dbe2aa03847df621591a4cad69a5609de5c237", - "SHA256": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "KeQueryActiveProcessors", - "KeQueryActiveProcessorCount", - "IoDeleteSymbolicLink", - "KeSetSystemAffinityThreadEx", - "RtlInitUnicodeString", - "IoDeleteDevice", - "MmUnmapIoSpace", - "MmMapIoSpace", - "IofCompleteRequest", - "KeRevertToUserAffinityThreadEx", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlAssert", + "ProbeForWrite", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "ZwWaitForSingleObject", + "DbgBreakPoint", + "ZwSetEvent", + "IoGetCurrentProcess", + "ZwFreeVirtualMemory", + "ZwClose", + "ObfReferenceObject", + "ObfDereferenceObject", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "KePulseEvent", + "ZwAllocateVirtualMemory", + "ObGetObjectSecurity", + "SeAccessCheck", + "SeReleaseSubjectContext", + "SeCaptureSubjectContext", + "PsThreadType", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "MmSectionObjectType", "DbgPrint", - "KeBugCheckEx", - "__C_specific_handler" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel(R) Code Signing External", - "ValidFrom": "2015-04-16 17:22:30", - "ValidTo": "2016-04-15 17:22:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B", - "ValidFrom": "2013-02-08 
22:21:23", - "ValidTo": "2018-02-08 22:31:23", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Intel Corporation, CN=Intel External Basic Policy CA", - "ValidFrom": "2013-02-01 00:00:00", - "ValidTo": "2020-05-30 10:48:38", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BM, O=QuoVadis Limited, CN=QuoVadis Issuing CA G4", - "ValidFrom": "2014-05-30 16:35:55", - "ValidTo": "2021-03-17 18:33:33", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, OU=Authenticode, OU=Thales TSS ESN:A6A7,71B2,73F1, CN=Timestamp.intel.com", - "ValidFrom": "2014-12-09 21:30:38", - "ValidTo": "2017-12-09 21:30:35", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root", - "ValidFrom": "2013-08-15 20:26:30", - "ValidTo": "2023-08-15 20:36:30", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "330000b6712f575e402cf8708400020000b671", - "Issuer": "C=US, ST=CA, L=Santa Clara, O=Intel Corporation, CN=Intel External Basic Issuing CA 3B" - } - ] - } - ] - } - ], - "Tags": [ - "semav6msr.sys" - ] - }, - { - "Id": "e32bc3da-4db1-4858-a62c-6fbe4db6afbd", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create RTCore64.sys binPath=C:\\windows\\temp\\RTCore64.sys type=kernel && sc.exe start RTCore64.sys", - "Description": "The driver in Micro-Star MSI 
Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/", - "https://github.com/elastic/protections-artifacts/search?q=VulnDriver", - "https://github.com/VoidSec/Exploit-Development/tree/b82b6d3ac1cce66221101d3e0f4634aa64cb4ca7/windows/x64/kernel/RTCore64_MSI_Afterburner_v.4.6.4.16117" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "RTCore64.sys", - "MD5": "2d8e4f38b36c334d0a32a7324832501d", - "SHA1": "f6f11ad2cd2b0cf95ed42324876bee1d83e01775", - "SHA256": "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd", - "Signature": [], - "Date": null, - "Publisher": null, - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "538e5e595c61d2ea8defb7b047784734", - "SHA1": "4a68c2d7a4c471e062a32c83a36eedb45a619683", - "SHA256": "478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "ZwReadFile", + "swprintf", + "ZwSetInformationFile", + "ZwCreateFile", + "ZwQueryInformationFile", + "ZwWriteFile", + "_wcsnicmp", + "towupper", + "ExAllocatePoolWithTag", + 
"KeInitializeEvent", + "ZwCreateEvent", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwNotifyChangeKey", + "RtlInitAnsiString", + "_snprintf", + "RtlFreeUnicodeString", + "ExSystemTimeToLocalTime", + "_vsnprintf", + "ObReferenceObjectByHandle", + "RtlTimeToTimeFields", + "ZwDeviceIoControlFile", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeWaitForMultipleObjects", + "ExGetPreviousMode", + "RtlEqualUnicodeString", + "RtlPrefixUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "KeWaitForSingleObject", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "MmIsAddressValid", + "KeDelayExecutionThread", + "KeNumberProcessors", + "PsLookupProcessByProcessId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenDirectoryObject", + "ZwQueryInformationProcess", + "ZwQuerySecurityObject", + "NtSetInformationFile", + "ZwDeleteValueKey", + "ZwSetValueKey", + "ZwQuerySystemInformation", + "NtQueryInformationFile", + "IoFileObjectType", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "NtCreateFile", + "ZwEnumerateValueKey", + "RtlLengthSecurityDescriptor", + "ZwQueryDirectoryObject", + "ZwSetSecurityObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "ExReleaseFastMutexUnsafe", + "ZwDeleteKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwOpenKey", + "MmSystemRangeStart", + "_stricmp", + "_strnicmp", + "mbstowcs", + "ProbeForRead", + "RtlUpcaseUnicodeString", + "_snwprintf", + "ZwQuerySymbolicLinkObject", "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "MmMapIoSpace", - "__C_specific_handler", - "ZwClose", + "MmGetSystemRoutineAddress", + "RtlAppendUnicodeToString", + "IoCreateFile", + "RtlQueryRegistryValues", + "MmBuildMdlForNonPagedPool", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "ObQueryNameString", "ZwUnmapViewOfSection", - "MmUnmapIoSpace", - "IoCreateSymbolicLink", - "IoCreateDevice", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - 
"IofCompleteRequest", - "IoDeleteDevice", - "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=TW, ST=Taiwan, L=New Taipei City, O=MICRO,STAR INTERNATIONAL CO., LTD., OU=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2014-06-03 09:16:15", - "ValidTo": "2017-09-03 09:16:15", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2006-05-23 17:00:51", - "ValidTo": "2016-05-23 17:10:51", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "112158044863e4dc19cf29a85668b7f45842", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - }, - { - "Filename": "RTCore64.sys", - "MD5": "0ec361f2fba49c73260af351c39ff9cb", - "SHA1": 
"af50109b112995f8c82be8ef3a88be404510cdde", - "SHA256": "cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812", - "Signature": null, - "Date": null, - "Publisher": null, - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "I386", - "OriginalFilename": "", - "Authentihash": { - "MD5": "63fd0d800cac53db02638349cea2f8e7", - "SHA1": "3856e573765f090afbbb9e5be4c886653402f755", - "SHA256": "ff8d17761c1645bdd1f0eccc69024907bbbfbe5c60679402b7d02f95b16310fe" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", + "NtClose", + "IoFreeIrp", + "PsGetVersion", + "IoAllocateIrp", + "RtlCompareMemory", + "MmUnlockPages", + "ZwSetInformationObject", + "ZwOpenFile", + "wcsncmp", + "RtlImageNtHeader", + "IoAllocateMdl", + "IofCallDriver", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", "ZwOpenSection", - "MmMapIoSpace", - "IofCompleteRequest", - "MmUnmapIoSpace", - "ZwClose", - "_except_handler3", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "RtlInitUnicodeString", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlInitializeSid", + "RtlCreateSecurityDescriptor", "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", - "IoDeleteDevice", - "HalTranslateBusAddress", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset" - ], - "Signatures": {} - }, - { - "Filename": "RTCore64.sys", - "MD5": "0a2ec9e3e236698185978a5fc76e74e6", - "SHA1": "4fe873544c34243826489997a5ff14ed39dd090d", - "SHA256": "f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3", - "Signature": null, - "Date": null, - "Publisher": null, - 
"Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "AMD64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "bcd9f192e2f9321ed549c722f30206e5", - "SHA1": "8498265d4ca81b83ec1454d9ec013d7a9c0c87bf", - "SHA256": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "MmUnmapIoSpace", - "ZwUnmapViewOfSection", - "MmMapIoSpace", - "ZwClose", "IoDeleteDevice", - "ObReferenceObjectByHandle", + "IoGetDeviceObjectPointer", + "ExEventObjectType", + "IofCompleteRequest", "IoCreateSymbolicLink", - "ZwOpenSection", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "strncpy", + "NtOpenProcess", + "ObInsertObject", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", + "IoReleaseVpbSpinLock", + "wcschr", + "IoGetConfigurationInformation", + "IoRegisterPlugPlayNotification", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "FsRtlIsNameInExpression", + "wcsstr", + "ExAllocatePool", + "IoUnregisterPlugPlayNotification", + "MmProbeAndLockPages", + "RtlCompareUnicodeString", + "IoGetDeviceInterfaces", + "KeAcquireSpinLockRaiseToDpc", "KeBugCheckEx", - "RtlInitUnicodeString", - "ZwMapViewOfSection", - "IofCompleteRequest", - "IoDeleteSymbolicLink", - "MmGetSystemRoutineAddress", "IoCreateDevice", - "ObOpenObjectByPointer", - "ZwSetSecurityObject", "IoDeviceObjectType", - "_snwprintf", - "RtlLengthSecurityDescriptor", "SeCaptureSecurityDescriptor", - "ExFreePoolWithTag", - "RtlCreateSecurityDescriptor", - "RtlSetDaclSecurityDescriptor", "RtlAbsoluteToSelfRelativeSD", "IoIsWdmVersionAvailable", "SeExports", - "wcschr", - "_wcsnicmp", - "ExAllocatePoolWithTag", "RtlLengthSid", - 
"RtlAddAccessAllowedAce", "RtlGetSaclSecurityDescriptor", "RtlGetDaclSecurityDescriptor", "RtlGetGroupSecurityDescriptor", "RtlGetOwnerSecurityDescriptor", - "ZwOpenKey", - "ZwCreateKey", - "ZwQueryValueKey", - "ZwSetValueKey", - "RtlFreeUnicodeString", - "__C_specific_handler", - "HalGetBusDataByOffset", - "HalSetBusDataByOffset", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2016-05-24 00:00:00", - "ValidTo": "2027-06-24 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3", - "ValidFrom": "2016-06-15 00:00:00", - "ValidTo": "2024-06-15 00:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "O=GlobalSign, OU=GlobalSign Root CA , R3, CN=GlobalSign", - "ValidFrom": "2015-06-04 17:47:53", - "ValidTo": "2025-06-04 17:47:53", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "??=Private Organization, serialNumber=22178368, ??=TW, C=TW, ST=New Taipei, L=New Taipei, ??=NO.69, LI,DE ST., ZHONGHE DIST., O=MICRO,STAR INTERNATIONAL CO., LTD., CN=MICRO,STAR INTERNATIONAL CO., LTD.", - "ValidFrom": "2019-09-16 08:28:21", - "ValidTo": "2022-09-16 08:28:21", - "Signature": "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", - 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "6a7bb9e55c0bbf1def6c739c", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Extended Validation CodeSigning CA , SHA256 , G3" - } - ] - } - ] - } - ], - "Tags": [ - "RTCore64.sys" - ] - }, - { - "Id": "c0645f0f-9b97-4fe9-811e-2e45c250c9ef", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "FALSE", - "Commands": { - "Command": "sc.exe create cpupress.sys binPath=C:\\windows\\temp\\cpupress.sys type=kernel && sc.exe start cpupress.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "Filename": "cpupress.sys", - "SHA256": "fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1", - "Signature": [], - "Date": "", - "Publisher": "", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "", - "OriginalFilename": "" - } - ], - "Tags": [ - "cpupress.sys" - ] - }, - { - "Id": "2d7c96d3-2d6c-44cd-a8a1-5239f571a24a", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": "sc.exe create HW.sys binPath=C:\\windows\\temp\\HW.sys type=kernel && sc.exe start HW.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", - "Resources": [ - "Internal Research" - ], - 
"Acknowledgement": { - "Person": [], - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ - { - "FileName": "HW.sys", - "MD5": "3cf7a55ec897cc938aebb8161cb8e74f", - "SHA1": "22fc833e07dd163315095d32ebcd3b3e377c33a4", - "SHA256": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", - "Authentihash": { - "MD5": "22db74f3f2e50ccdeb471c81e3a62532", - "SHA1": "6e87cd3b027a07a810164d618e3f2fce61eb6ec4", - "SHA256": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90" - }, - "Description": "HW - Windows NT-8 (32/64 bit) kernel mode driver for PC ports/memory/PCI access", - "Company": "Marvin Test Solutions, Inc.", - "InternalName": "Hw.sys", - "OriginalFilename": "HW.sys", - "FileVersion": "4.8.2.0", - "Product": "HW", - "ProductVersion": "4.8.2.0", - "Copyright": "Copyright © 1996-2015 Marvin Test Solutions, Inc. All Rights Reserved.", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "RtlAppendUnicodeStringToString", - "ZwClose", - "ZwOpenProcess", - "KeReleaseMutex", - "KeWaitForSingleObject", - "PsGetCurrentProcessId", - "KeInitializeDpc", - "MmGetSystemRoutineAddress", - "IoDeleteDevice", - "IoCreateSymbolicLink", - "KeInitializeMutex", - "IoCreateDevice", - "IoDeleteSymbolicLink", - "PsGetVersion", - "ZwUnmapViewOfSection", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "ExFreePoolWithTag", - "MmMapLockedPages", - "MmBuildMdlForNonPagedPool", - "IoAllocateMdl", - "MmMapIoSpace", - "MmUnmapLockedPages", - "MmUnmapIoSpace", - "MmFreeContiguousMemory", - "MmGetPhysicalAddress", - "MmAllocateContiguousMemory", - "IofCallDriver", - "IoBuildSynchronousFsdRequest", - "IoGetDeviceProperty", - "KeInitializeEvent", - "ObfDereferenceObject", - "ExAllocatePoolWithTag", - "ObReferenceObjectByName", - "IoDriverObjectType", - "IofCompleteRequest", - "IoDisconnectInterrupt", - 
"KeReleaseInterruptSpinLock", - "KeAcquireInterruptSpinLock", - "ExEventObjectType", - "KeFlushQueuedDpcs", - "KeInsertQueueDpc", - "KeSetEvent", - "IoFreeMdl", - "ExAllocatePool", - "HalGetBusDataByOffset" + "ZwTerminateProcess", + "ExAcquireResourceExclusiveLite", + "__C_specific_handler" ], "Signatures": [ { 
@@ -121823,427 +130156,779 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign Timestamping CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2028-01-28 12:00:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2", - "ValidFrom": "2011-04-13 10:00:00", - "ValidTo": "2019-04-13 10:00:00", - "Signature": "225cc5dd3df40b70d8e3f5e7c58e0901bbb196365c5a07adc7a8444951257aae0da4193b929ccfb94226bb3b6c97e7c7ce116d6891da8d6df1534d54388c61f3c8827669be81320b31c36cc99e200a582ff048fe7e4807aad743589473540431a9780d3b8cb070c13d7ed7bd2f2ac3e2f58f0c90dc6ba5c8be685e5d6df878d2be49951e15780891fb34c8be84adbce0c6dd18dbf3caf07bc2143c18b803ba953e211e3f60697a7f6a039e8d4af9f0282c30845eec267242b16dcb64c3128cd6844b67417cb103177809e3ada8b6962da47e80034f88f7c16b5a4615cd2c198bd8709ce52d49886072a8a4195270435edad64603b0680e24ef4af60b2524ef24", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=SG, O=GMO GlobalSign Pte Ltd, CN=GlobalSign TSA for MS Authenticode , G2", - "ValidFrom": "2015-02-03 00:00:00", - "ValidTo": "2026-03-03 00:00:00", - "Signature": "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", + "Subject": "??=TW, ??=Private Organization, serialNumber=23310837, C=TW, ST=Taipei City, L=Da???an District, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2020-08-07 00:00:00", + "ValidTo": "2021-04-15 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=CA, L=Irvine, O=Marvin Test Solutions, Inc., CN=Marvin 
Test Solutions, Inc., emailAddress=it@marvintest.com", - "ValidFrom": "2015-06-17 17:46:36", - "ValidTo": "2018-05-04 18:44:13", - "Signature": "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", + "Subject": "C=US, O=DigiCert, CN=DigiCert Timestamp Responder", + "ValidFrom": "2014-10-22 00:00:00", + "ValidTo": "2024-10-22 00:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, - { - "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA", - "ValidFrom": "2011-04-15 19:55:08", - "ValidTo": "2021-04-15 20:05:08", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "1121f0942b1e09a2573e8ab9ce0e3955b2de", - "Issuer": "C=BE, O=GlobalSign nv,sa, CN=GlobalSign CodeSigning CA , G2" - } - ] - } - ] - } - ], - "Tags": [ - "HW.sys" - ] - }, - { - "Id": "0f21a584-6ace-4242-82cb-9766cea6973a", - "Author": "Michael Haag", - "Created": "2023-01-09", - "MitreID": "T1068", - "Category": "vulnerable driver", - "Verified": "TRUE", - "Commands": { - "Command": "sc.exe create CITMDRV_IA64.sys binPath=C:\\windows\\temp\\CITMDRV_IA64.sys type=kernel && sc.exe start CITMDRV_IA64.sys", - "Description": "", - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10" - }, - "Resources": [ - " https://github.com/namazso/physmem_drivers", - "https://github.com/namazso/physmem_drivers" - ], - "Acknowledgement": { - "Person": "", - "Handle": "" - }, - "Detection": [], - "KnownVulnerableSamples": [ + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA", + "ValidFrom": "2012-04-18 12:00:00", + "ValidTo": "2027-04-18 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, 
CN=DigiCert Assured ID CA,1", + "ValidFrom": "2006-11-10 00:00:00", + "ValidTo": "2021-11-10 00:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "0f6146af9397c7fa04b13c2d0279a1ba", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA" + } + ] + } + ] + }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "c7a57cd4bea07dadba2e2fb914379910", - "SHA1": "ea877092d57373cb466b44e7dbcad4ce9a547344", - "SHA256": "1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "TmComm.sys", + "MD5": "148bd10da8c8d64928a213c7bf1f2fca", + "SHA1": "dfd801b6c2715f5525f8ffb38e3396a5ad9b831d", + "SHA256": "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "4fdf46c89a0eb3a5482552a69bd4e21e", + "SHA1": "1a45053380feb519b9388c513b8867b0b40d8b8b", + "SHA256": "ef0dbc4c4735f30e96e16375b18c2f5fa58e15ef60d17786e39e616a4438e264" }, - "InternalName": "", - "Copyright": "", + "Description": "TrendMicro Common Module", + "Company": "Trend Micro Inc.", + "InternalName": "TmComm.sys", + "OriginalFilename": "TmComm.sys", + "FileVersion": "6.70.0.1117", + "Product": "Trend Micro Eyes", + "ProductVersion": "6.70", + "Copyright": "Copyright (C) 2019 Trend Micro Incorporated. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], - "ExportedFunctions": "", + "ExportedFunctions": [ + "??0CAutoUpdateConfigThread@@QEAA@AEBV0@@Z", + "??0CAutoUpdateConfigThread@@QEAA@PEAU_UNICODE_STRING@@P6AX0PEAX@Z1@Z", + "??0CBlobConfig@@QEAA@AEBV0@@Z", + "??0CBlobConfig@@QEAA@K@Z", + "??0CContext@@QEAA@AEBV0@@Z", + "??0CContext@@QEAA@KP6AJPEAU_EVENT_REPORT@@PEAXPEAU_TMCE_REPORT@@PEAU_TMCE_FEEDBACK@@@Z1K@Z", + "??0CContextList@@QEAA@AEBV0@@Z", + "??0CContextList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CDebugLog@@QEAA@AEBV0@@Z", + "??0CDebugLog@@QEAA@PEBG@Z", + "??0CDebugLogEx@@QEAA@AEBV0@@Z", + "??0CDebugLogEx@@QEAA@K@Z", + "??0CDelayLoadThread@@QEAA@AEBV0@@Z", + "??0CDelayLoadThread@@QEAA@XZ", + "??0CExclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CExclusionExtConfig@@QEAA@KKE@Z", + "??0CExclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFileNameConfig@@QEAA@KK@Z", + "??0CExclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFilePathConfig@@QEAA@KK@Z", + "??0CExclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CExclusionFolderConfig@@QEAA@KK@Z", + "??0CExclusionRegistryConfig@@QEAA@AEBV0@@Z", + "??0CExclusionRegistryConfig@@QEAA@KK@Z", + "??0CFile@@QEAA@AEBV0@@Z", + "??0CFile@@QEAA@E@Z", + "??0CFileExtension@@QEAA@AEBV0@@Z", + "??0CFileExtension@@QEAA@KEEPEAVIMemoryAllocator@@@Z", + "??0CInclusionExtConfig@@QEAA@AEBV0@@Z", + "??0CInclusionExtConfig@@QEAA@KKE@Z", + "??0CInclusionFileNameConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFileNameConfig@@QEAA@KK@Z", + "??0CInclusionFilePathConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFilePathConfig@@QEAA@KK@Z", + "??0CInclusionFolderConfig@@QEAA@AEBV0@@Z", + "??0CInclusionFolderConfig@@QEAA@KK@Z", + "??0CKEvent@@QEAA@AEBV0@@Z", + "??0CKEvent@@QEAA@W4_EVENT_TYPE@@E@Z", + "??0CList@@QEAA@AEBV0@@Z", + "??0CList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CLockEvent@@QEAA@AEBV0@@Z", + "??0CLockEvent@@QEAA@XZ", + "??0CLockList@@QEAA@AEBV0@@Z", + "??0CLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + 
"??0CMemoryAllocator@@IEAA@W4_POOL_TYPE@@K@Z", + "??0CMemoryAllocator@@QEAA@AEBV0@@Z", + "??0CMemoryPoolAllocator@@IEAA@W4_POOL_TYPE@@_K1K@Z", + "??0CMemoryPoolAllocator@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@AEBV0@@Z", + "??0CModuleConfig@@QEAA@XZ", + "??0CModuleConfigList@@QEAA@AEBV0@@Z", + "??0CModuleConfigList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CModuleFileExtConfig@@QEAA@AEBV0@@Z", + "??0CModuleFileExtConfig@@QEAA@KKE@Z", + "??0CModuleFlagConfig@@QEAA@AEBV0@@Z", + "??0CModuleFlagConfig@@QEAA@K@Z", + "??0CModuleMultiStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleMultiStringConfig@@QEAA@KK@Z", + "??0CModuleStringConfig@@QEAA@AEBV0@@Z", + "??0CModuleStringConfig@@QEAA@K@Z", + "??0CNoLockList@@QEAA@AEBV0@@Z", + "??0CNoLockList@@QEAA@KKPEAVIMemoryAllocator@@@Z", + "??0CSmartLock@@QEAA@AEAVCLockEvent@@@Z", + "??0CSmartLock@@QEAA@XZ", + "??0CSmartReference@@QEAA@AEAJ@Z", + "??0CSmartReference@@QEAA@AEAK@Z", + "??0CSmartResource@@QEAA@AEAVCResource@@E@Z", + "??0CStrList@@QEAA@AEBV0@@Z", + "??0CStrList@@QEAA@KPEAVIMemoryAllocator@@@Z", + "??0CSystemThread@@QEAA@AEBV0@@Z", + "??0CSystemThread@@QEAA@K@Z", + "??0CUserFuncAdapterJob@@QEAA@AEBV0@@Z", + "??0CUserFuncAdapterJob@@QEAA@P6AXPEAX@Z01@Z", + "??0CWorkerThread@@IEAA@PEAVCWorkerThreadJobQueue@@@Z", + "??0CWorkerThread@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJob@@QEAA@E@Z", + "??0CWorkerThreadJobQueue@@QEAA@AEBV0@@Z", + "??0CWorkerThreadJobQueue@@QEAA@K@Z", + "??0CWorkerThreadPool@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPool@@QEAA@K@Z", + "??0CWorkerThreadPoolEx@@QEAA@AEBV0@@Z", + "??0CWorkerThreadPoolEx@@QEAA@KK@Z", + "??0IMemoryAllocator@@QEAA@AEBV0@@Z", + "??0IMemoryAllocator@@QEAA@XZ", + "??1CAutoUpdateConfigThread@@UEAA@XZ", + "??1CBlobConfig@@UEAA@XZ", + "??1CContext@@UEAA@XZ", + "??1CContextList@@UEAA@XZ", + "??1CDebugLog@@UEAA@XZ", + "??1CDebugLogEx@@UEAA@XZ", + "??1CDelayLoadThread@@UEAA@XZ", + "??1CExclusionExtConfig@@UEAA@XZ", + "??1CExclusionFileNameConfig@@UEAA@XZ", + 
"??1CExclusionFilePathConfig@@UEAA@XZ", + "??1CExclusionFolderConfig@@UEAA@XZ", + "??1CExclusionRegistryConfig@@UEAA@XZ", + "??1CFile@@UEAA@XZ", + "??1CFileExtension@@UEAA@XZ", + "??1CInclusionExtConfig@@UEAA@XZ", + "??1CInclusionFileNameConfig@@UEAA@XZ", + "??1CInclusionFilePathConfig@@UEAA@XZ", + "??1CInclusionFolderConfig@@UEAA@XZ", + "??1CKEvent@@UEAA@XZ", + "??1CList@@UEAA@XZ", + "??1CLockEvent@@UEAA@XZ", + "??1CLockList@@UEAA@XZ", + "??1CMemoryAllocator@@UEAA@XZ", + "??1CMemoryPoolAllocator@@UEAA@XZ", + "??1CModuleConfig@@UEAA@XZ", + "??1CModuleConfigList@@UEAA@XZ", + "??1CModuleFileExtConfig@@UEAA@XZ", + "??1CModuleFlagConfig@@UEAA@XZ", + "??1CModuleMultiStringConfig@@UEAA@XZ", + "??1CModuleStringConfig@@UEAA@XZ", + "??1CNoLockList@@UEAA@XZ", + "??1CSmartLock@@QEAA@XZ", + "??1CSmartReference@@QEAA@XZ", + "??1CSmartResource@@QEAA@XZ", + "??1CStrList@@UEAA@XZ", + "??1CSystemThread@@UEAA@XZ", + "??1CUserFuncAdapterJob@@UEAA@XZ", + "??1CWorkerThread@@UEAA@XZ", + "??1CWorkerThreadJob@@UEAA@XZ", + "??1CWorkerThreadJobQueue@@UEAA@XZ", + "??1CWorkerThreadPool@@UEAA@XZ", + "??1CWorkerThreadPoolEx@@UEAA@XZ", + "??1IMemoryAllocator@@UEAA@XZ", + "??2@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??2CMemoryAllocator@@SAPEAX_K@Z", + "??2CMemoryPoolAllocator@@SAPEAX_K@Z", + "??3@YAXPEAX@Z", + "??3IMemoryAllocator@@SAXPEAX@Z", + "??4CAutoUpdateConfigThread@@QEAAAEAV0@AEBV0@@Z", + "??4CBlobConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CContext@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLog@@QEAAAEAV0@AEBV0@@Z", + "??4CDebugLogEx@@QEAAAEAV0@AEBV0@@Z", + "??4CDelayLoadThread@@QEAAAEAV0@AEBV0@@Z", + "??4CFile@@QEAAAEAV0@AEBV0@@Z", + "??4CKEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CLockEvent@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CMemoryPoolAllocator@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleFlagConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CModuleStringConfig@@QEAAAEAV0@AEBV0@@Z", + "??4CSmartLock@@QEAAAEAV0@AEBV0@@Z", + 
"??4CSmartLock@@QEAAAEBV0@AEAVCLockEvent@@@Z", + "??4CSmartResource@@QEAAAEAV0@AEBV0@@Z", + "??4CSystemThread@@QEAAAEAV0@AEBV0@@Z", + "??4CUserFuncAdapterJob@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThread@@QEAAAEAV0@AEBV0@@Z", + "??4CWorkerThreadJob@@QEAAAEAV0@AEBV0@@Z", + "??4IMemoryAllocator@@QEAAAEAV0@AEBV0@@Z", + "??_7CAutoUpdateConfigThread@@6B@", + "??_7CBlobConfig@@6B@", + "??_7CContext@@6B@", + "??_7CContextList@@6B@", + "??_7CDebugLog@@6B@", + "??_7CDebugLogEx@@6B@", + "??_7CDelayLoadThread@@6B@", + "??_7CExclusionExtConfig@@6B@", + "??_7CExclusionFileNameConfig@@6B@", + "??_7CExclusionFilePathConfig@@6B@", + "??_7CExclusionFolderConfig@@6B@", + "??_7CExclusionRegistryConfig@@6B@", + "??_7CFile@@6B@", + "??_7CFileExtension@@6B@", + "??_7CInclusionExtConfig@@6B@", + "??_7CInclusionFileNameConfig@@6B@", + "??_7CInclusionFilePathConfig@@6B@", + "??_7CInclusionFolderConfig@@6B@", + "??_7CKEvent@@6B@", + "??_7CList@@6B@", + "??_7CLockEvent@@6B@", + "??_7CLockList@@6B@", + "??_7CMemoryAllocator@@6B@", + "??_7CMemoryPoolAllocator@@6B@", + "??_7CModuleConfig@@6B@", + "??_7CModuleConfigList@@6B@", + "??_7CModuleFileExtConfig@@6B@", + "??_7CModuleFlagConfig@@6B@", + "??_7CModuleMultiStringConfig@@6B@", + "??_7CModuleStringConfig@@6B@", + "??_7CNoLockList@@6B@", + "??_7CStrList@@6B@", + "??_7CSystemThread@@6B@", + "??_7CUserFuncAdapterJob@@6B@", + "??_7CWorkerThread@@6B@", + "??_7CWorkerThreadJob@@6B@", + "??_7CWorkerThreadJobQueue@@6B@", + "??_7CWorkerThreadPool@@6B@", + "??_7CWorkerThreadPoolEx@@6B@", + "??_7IMemoryAllocator@@6B@", + "??_FCContextList@@QEAAXXZ", + "??_FCFile@@QEAAXXZ", + "??_FCFileExtension@@QEAAXXZ", + "??_FCModuleConfigList@@QEAAXXZ", + "??_FCStrList@@QEAAXXZ", + "??_FCSystemThread@@QEAAXXZ", + "??_FCWorkerThread@@QEAAXXZ", + "??_FCWorkerThreadJob@@QEAAXXZ", + "??_FCWorkerThreadJobQueue@@QEAAXXZ", + "??_U@YAPEAX_KPEAVIMemoryAllocator@@PEBDK@Z", + "??_V@YAXPEAX@Z", + "?Acquire@CLockEvent@@QEAAXXZ", + "?Add@CContextList@@QEAAEPEAVCContext@@@Z", + 
"?Add@CFileExtension@@QEAAEPEBGK@Z", + "?Add@CModuleConfigList@@QEAAEPEAVCModuleConfig@@@Z", + "?Add@CStrList@@QEAAEPEBG@Z", + "?AddNode@CLockList@@UEAAEQEAXE@Z", + "?AddNode@CNoLockList@@UEAAEQEAXE@Z", + "?Alloc@CMemoryAllocator@@UEAAPEAX_KPEBDK@Z", + "?Alloc@CMemoryPoolAllocator@@UEAAPEAX_KPEBDK@Z", + "?AllocBlock@CMemoryPoolAllocator@@IEAAPEAX_K@Z", + "?AttachJobQueue@CWorkerThread@@QEAAXPEAVCWorkerThreadJobQueue@@@Z", + "?Cancel@CWorkerThreadJob@@QEAAXXZ", + "?CheckNode@CLockList@@UEAAHQEAX@Z", + "?CheckNode@CNoLockList@@UEAAHQEAX@Z", + "?CleanQueue@CWorkerThreadJobQueue@@QEAAXXZ", + "?Cleanup@CBlobConfig@@AEAAXXZ", + "?Cleanup@CModuleFileExtConfig@@IEAAXXZ", + "?Cleanup@CModuleMultiStringConfig@@IEAAXXZ", + "?Cleanup@CModuleStringConfig@@AEAAXXZ", + "?Close@CFile@@QEAAJXZ", + "?Count@CLockList@@QEAAKXZ", + "?Count@CNoLockList@@QEAAKXZ", + "?Create@CFile@@QEAAJPEBGKKKK@Z", + "?Create@CSystemThread@@QEAAEXZ", + "?CreateInstance@CMemoryAllocator@@SAPEAV1@W4_POOL_TYPE@@K@Z", + "?CreateInstance@CMemoryPoolAllocator@@SAPEAV1@W4_POOL_TYPE@@_K1K@Z", + "?CreatePool@CWorkerThreadPool@@QEAAEXZ", + "?CreatePool@CWorkerThreadPoolEx@@QEAAEXZ", + "?CreateThreads@CWorkerThreadPool@@QEAAEK@Z", + "?CreateThreads@CWorkerThreadPoolEx@@QEAAEK@Z", + "?CreateWIRP@CFile@@QEAAJPEBGKKKK@Z", + "?Delete@CFile@@QEAAJXZ", + "?Delete@CFileExtension@@QEAAEPEBGK@Z", + "?Delete@CStrList@@QEAAEPEBG@Z", + "?DeleteAll@CList@@UEAAXXZ", + "?DeleteAll@CLockList@@UEAAXXZ", + "?DeleteAll@CNoLockList@@UEAAXXZ", + "?DeleteNode@CContextList@@MEAAXPEAX@Z", + "?DeleteNode@CList@@UEAAXPEAX@Z", + "?DeleteNode@CModuleConfigList@@MEAAXPEAX@Z", + "?DeleteNode@CStrList@@EEAAXPEAU_STR_LIST_NODE@1@@Z", + "?DisableWriteProtectFromCR0@@YAXPEAPEAX@Z", + "?DoIt@CWorkerThreadJob@@QEAAJXZ", + "?EntryPoint@CSystemThread@@KAXPEAX@Z", + "?Find@CContextList@@QEAAPEAVCContext@@K@Z", + "?Find@CContextList@@QEAAPEAVCContext@@PEAX@Z", + "?Find@CFileExtension@@QEAAPEAU_STR_LIST_NODE@CStrList@@PEBGK@Z", + 
"?Find@CModuleConfigList@@QEAAPEAVCModuleConfig@@K@Z", + "?Find@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FindNode@CContextList@@IEAAPEAXPEAX@Z", + "?FindPartiallyAndAllMatch@CStrList@@QEAAPEAU_STR_LIST_NODE@1@PEBG@Z", + "?FinishFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?FinishIt@CWorkerThreadJob@@QEAAJXZ", + "?First@CList@@UEAAPEAXXZ", + "?First@CLockList@@UEAAPEAXXZ", + "?First@CNoLockList@@UEAAPEAXXZ", + "?Free@CMemoryAllocator@@UEAAXPEAX@Z", + "?Free@CMemoryPoolAllocator@@UEAAXPEAX@Z", + "?GetAttributes@CFile@@QEAAKXZ", + "?GetBasicInfomration@CFile@@IEAAJXZ", + "?GetBlobCofig@CContext@@UEAAJKPEAXPEAK@Z", + "?GetCategory@CContext@@QEAAKXZ", + "?GetData@CBlobConfig@@QEAAHPEAXPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleFileExtConfig@@QEAAPEAVCFileExtension@@XZ", + "?GetData@CModuleFlagConfig@@QEAAKXZ", + "?GetData@CModuleMultiStringConfig@@QEAAHPEAGPEAK@Z", + "?GetData@CModuleMultiStringConfig@@QEAAPEAVCStrList@@XZ", + "?GetData@CModuleStringConfig@@QEAAPEAGXZ", + "?GetData@CStrList@@QEAAEPEAGPEAK@Z", + "?GetDataType@CModuleConfig@@QEAAKXZ", + "?GetEngineContext@CContext@@QEAAPEAXXZ", + "?GetFileExtensionConfig@CContext@@QEAAPEAVCFileExtension@@K@Z", + "?GetFileExtensionConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetFileSize@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFileSizeWIRP@CFile@@QEAAJPEAT_LARGE_INTEGER@@@Z", + "?GetFlagConfig@CContext@@UEAAJKPEAK@Z", + "?GetID@CModuleConfig@@QEAAKXZ", + "?GetJob@CWorkerThreadJobQueue@@QEAAPEAVCWorkerThreadJob@@XZ", + "?GetLength@CModuleStringConfig@@QEAAKXZ", + "?GetLinkContext@CContext@@QEAAPEAXXZ", + "?GetLogFlag@CDebugLog@@QEAAKXZ", + "?GetLogFlag@CDebugLogEx@@QEAAKXZ", + "?GetModuleId@CModuleConfig@@QEAAKXZ", + "?GetMultiStringConfig@CContext@@QEAAPEAVCStrList@@K@Z", + "?GetMultiStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPool@@QEAAPEAU_KTHREAD@@XZ", + 
"?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_ETHREAD@@XZ", + "?GetOneThreadTEB@CWorkerThreadPoolEx@@QEAAPEAU_KTHREAD@@XZ", + "?GetReportCallBackRoutine@CContext@@QEAA_KXZ", + "?GetSize@CBlobConfig@@QEAAKXZ", + "?GetStringConfig@CContext@@QEAAPEAGK@Z", + "?GetStringConfig@CContext@@UEAAJKPEAGPEAK@Z", + "?GetThreadCount@CWorkerThreadPool@@QEAAKXZ", + "?GetThreadCount@CWorkerThreadPoolEx@@QEAAKXZ", + "?GetThreadID@CSystemThread@@QEAA_KXZ", + "?GetType@CContext@@QEAAKXZ", + "?GetUserParameter@CContext@@QEAA_KXZ", + "?InitProcMon@CDebugLogEx@@IEAAXXZ", + "?InitializeBlobConfig@CContext@@QEAAHKPEAXK@Z", + "?InitializeFileExtensionConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeFlagConfig@CContext@@QEAAHKK@Z", + "?InitializeMultiStringConfig@CContext@@QEAAHKPEBG@Z", + "?InitializeStringConfig@CContext@@QEAAHKPEBG@Z", + "?Insert@CList@@UEAAXQEAXE@Z", + "?Insert@CLockList@@UEAAXQEAXE@Z", + "?Insert@CNoLockList@@UEAAXQEAXE@Z", + "?InsertAfter@CList@@UEAAXPEAX0@Z", + "?InsertBefore@CList@@UEAAXPEAX0@Z", + "?Instance@CWorkerThreadPool@@SAPEAV1@XZ", + "?IsEmpty@CList@@UEAAEXZ", + "?IsEmpty@CLockList@@UEAAEXZ", + "?IsEmpty@CNoLockList@@UEAAEXZ", + "?IsExceedLimitation@CMemoryPoolAllocator@@IEAAEK@Z", + "?IsFull@CLockList@@QEBAEXZ", + "?IsFull@CNoLockList@@QEBAEXZ", + "?IsInExclusionList@CExclusionExtConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionFolderConfig@@QEAAEPEBG@Z", + "?IsInExclusionList@CExclusionRegistryConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionExtConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFileNameConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFilePathConfig@@QEAAEPEBG@Z", + "?IsInInclusionList@CInclusionFolderConfig@@QEAAEPEBG@Z", + "?IsOpened@CFile@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPool@@QEAAEXZ", + "?IsTerminated@CWorkerThreadPoolEx@@QEAAEXZ", + "?IsValid@CMemoryAllocator@@UEAAEXZ", + 
"?IsValid@CMemoryPoolAllocator@@UEAAEXZ", + "?IsValid@IMemoryAllocator@@UEAAEXZ", + "?IsWorkerThread@CWorkerThreadPool@@QEAAE_K@Z", + "?IsWorkerThread@CWorkerThreadPoolEx@@QEAAE_K@Z", + "?JobFunction@CUserFuncAdapterJob@@MEAAXXZ", + "?JobQueue@CWorkerThreadPool@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?JobQueue@CWorkerThreadPoolEx@@QEAAAEAVCWorkerThreadJobQueue@@XZ", + "?Limit@CLockList@@QEAAKXZ", + "?Limit@CNoLockList@@QEAAKXZ", + "?MatchAllExtensions@CFileExtension@@QEAAEXZ", + "?MatchNoExtensions@CFileExtension@@QEAAEXZ", + "?MergeLeft@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?MergeRight@CMemoryPoolAllocator@@IEAAPEAXPEAX@Z", + "?NeedDelete@CWorkerThreadJob@@QEAAEXZ", + "?NeedDeleteWhenFinish@CWorkerThreadJob@@QEAAXE@Z", + "?NewNode@CList@@UEAAPEAXXZ", + "?NewNode@CStrList@@EEAAPEAXXZ", + "?NewNodeVariant@CList@@IEAAPEAXK@Z", + "?Next@CList@@UEBAPEAXQEAX@Z", + "?Next@CLockList@@UEBAPEAXQEAX@Z", + "?Next@CNoLockList@@UEBAPEAXQEAX@Z", + "?NextPool@CMemoryPoolAllocator@@QEAAPEAV1@XZ", + "?NotityTerminate@CWorkerThread@@QEAAXXZ", + "?PostJobToWorkerThread@CWorkerThreadPool@@QEAAJP6AXPEAX@Z0E@Z", + "?PostJobToWorkerThread@CWorkerThreadPoolEx@@QEAAJP6AXPEAX@Z0E1@Z", + "?Pulse@CKEvent@@QEAAJJE@Z", + "?QueueJob@CWorkerThreadJobQueue@@QEAAEPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPool@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?QueueJobItem@CWorkerThreadPoolEx@@QEAAJPEAVCWorkerThreadJob@@@Z", + "?RCMInstance@CWorkerThreadPool@@SAPEAV1@XZ", + "?Read@CFile@@QEAAJPEADKPEAK@Z", + "?ReadWIRP@CFile@@QEAAJPEADKPEAK@Z", + "?ReferenceCount@CContext@@QEAAAEAKXZ", + "?Release@CLockEvent@@QEAAXXZ", + "?Remove@CContextList@@UEAAEQEAX@Z", + "?Remove@CList@@UEAAEQEAX@Z", + "?Remove@CLockList@@UEAAEQEAX@Z", + "?Remove@CNoLockList@@UEAAEQEAX@Z", + "?RemoveHead@CList@@UEAAPEAXXZ", + "?RemoveHead@CLockList@@UEAAPEAXXZ", + "?RemoveHead@CNoLockList@@UEAAPEAXXZ", + "?RemoveTail@CList@@UEAAPEAXXZ", + "?RemoveTail@CLockList@@UEAAPEAXXZ", + "?RemoveTail@CNoLockList@@UEAAPEAXXZ", + 
"?Reset@CKEvent@@QEAAXXZ", + "?ResetData@CInclusionExtConfig@@QEAAXXZ", + "?ResetData@CInclusionFileNameConfig@@QEAAXXZ", + "?ResetData@CInclusionFilePathConfig@@QEAAXXZ", + "?ResetData@CInclusionFolderConfig@@QEAAXXZ", + "?RestoreCR0@@YAXPEAX@Z", + "?Run@CAutoUpdateConfigThread@@UEAAXXZ", + "?Run@CDelayLoadThread@@UEAAXXZ", + "?Run@CWorkerThread@@UEAAXXZ", + "?SeekToEnd@CFile@@QEAAJXZ", + "?Set@CKEvent@@QEAAJJE@Z", + "?SetAttributes@CFile@@QEAAJK@Z", + "?SetBlobCofig@CContext@@UEAAJKPEAXK@Z", + "?SetData@CBlobConfig@@QEAAHPEAXK@Z", + "?SetData@CModuleFileExtConfig@@QEAAHPEBG@Z", + "?SetData@CModuleFlagConfig@@QEAAHK@Z", + "?SetData@CModuleMultiStringConfig@@QEAAHPEBGK@Z", + "?SetData@CModuleStringConfig@@QEAAHPEBG@Z", + "?SetEngineContext@CContext@@QEAAXPEAX@Z", + "?SetFileExtensionConfig@CContext@@UEAAJKPEBG@Z", + "?SetFlagConfig@CContext@@UEAAJKK@Z", + "?SetLinkContext@CContext@@QEAAXPEAX@Z", + "?SetLogFlag@CDebugLog@@QEAAEK@Z", + "?SetLogFlag@CDebugLogEx@@QEAAEK@Z", + "?SetMatchAllExtensions@CFileExtension@@QEAAXE@Z", + "?SetMatchNoExtensions@CFileExtension@@QEAAXE@Z", + "?SetMultiStringConfig@CContext@@UEAAJKPEBG@Z", + "?SetNewJobItemEvent@CWorkerThreadJobQueue@@QEAAXXZ", + "?SetPriority@CSystemThread@@QEAAXK@Z", + "?SetStopUse@CContext@@QEAAXXZ", + "?SetStringConfig@CContext@@UEAAJKPEBG@Z", + "?Setup@CSystemThread@@MEAAXXZ", + "?StopUse@CContext@@QEAAHXZ", + "?TearDown@CSystemThread@@MEAAXXZ", + "?Terminate@CSystemThread@@QEAAXE@Z", + "?Terminate@CWorkerThreadPool@@QEAAEXZ", + "?Terminate@CWorkerThreadPoolEx@@QEAAEXZ", + "?TmExceptionFilter@@YAJPEAU_EXCEPTION_POINTERS@@@Z", + "?Wait@CKEvent@@QEAAJPEAT_LARGE_INTEGER@@E@Z", + "?WaitFinish@CWorkerThreadJob@@QEAAXXZ", + "?WaitForInit@CDelayLoadThread@@QEAAEXZ", + "?WaitForLoad@CDelayLoadThread@@QEAAEXZ", + "?WaitNewJobAvailable@CWorkerThreadJobQueue@@QEAAEXZ", + "?WaitQueueEmpty@CWorkerThreadJobQueue@@QEAAXXZ", + "?Write@CDebugLog@@QEAAXPEBDZZ", + "?Write@CDebugLogEx@@QEAAXPEBDZZ", + 
"?Write@CFile@@QEAAJPEADKPEAT_LARGE_INTEGER@@PEAK@Z", + "?WriteDataToFile@CDebugLogEx@@IEAAXPEADK@Z", + "?WriteDataToProcMonW@CDebugLogEx@@IEAAXPEAD@Z", + "?WriteSystemInformation@CDebugLog@@QEAAXXZ", + "?WriteSystemInformation@CDebugLogEx@@QEAAXXZ", + "?WriteSystemStringInformation@CDebugLog@@IEAAXPEBG@Z", + "?WriteSystemStringInformation@CDebugLogEx@@IEAAXPEBG@Z", + "?WriteToFile@CDebugLog@@IEAAXPEADK@Z", + "?WriteToProcMonW@CDebugLogEx@@IEAAXPEAU_UNICODE_STRING@@@Z", + "?_pNonPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?_pPagedAllocator@@3PEAVCMemoryAllocator@@EA", + "?m_lpInstance@CWorkerThreadPool@@1PEAV1@EA", + "?m_lpRCMInstance@CWorkerThreadPool@@1PEAV1@EA", + "DeInitKm2UmCommunication", + "DeInitKmLPC", + "DuplicateFullFileName", + "FreeFullFileName", + "GetKm2UmMode", + "GetModuleInfoByAddress", + "GetModuleInfoByModuleName", + "InitKm2UmCommunication", + "InitKmLPC", + "IsVerifierCodeCheckFlagOn", + "IsWindows8_1_update", + "KmCallUm", + "KmCallUmByLPC", + "KmCallUmEx", + "KmCleanupCommPortAPIs", + "KmGetUmInitProcess", + "KmSetCommPortAPIs", + "ModGetExportProcAddress", + "ModLoadDLLToBuffer", + "ModLoadDLLToBufferWithImageSize", + "ModLoadModule", + "ModUnLoadModule", + "NormalizeFileName", + "NormalizeFullNtPathToDosName", + "TmCommConfigRoutine", + "UtilAddDeviceInDriveTable", + "UtilAddReparsePointMapping", + "UtilCleanFileReadOnly", + "UtilCloseExclusiveHandle", + "UtilCreateDosFileName", + "UtilDeleteFileForce", + "UtilGetDeviceObjectName", + "UtilGetFileNameFromFileObject", + "UtilGetFileObjectForProcessByEPROC", + "UtilGetFileObjectFromFileName", + "UtilGetProcessName", + "UtilGetSystemDirectory", + "UtilGetSystemDirectoryEx", + "UtilGetSystemDirectoryLength", + "UtilGetSystemTime", + "UtilIoSetFileInfo", + "UtilIopCreateFileIRP", + "UtilKeGetLowFileDevice", + "UtilModuleIATHook", + "UtilModuleIATUnHook", + "UtilPostJobToWorkerThread", + "UtilQueryExclusiveHandle", + "UtilQueryKeyValue", + "UtilRemoveDeviceFromDriveTable", + 
"UtilVolumeDeviceToDosName", + "UtilWaitValueChangeToZero", + "UtilWriteVersionToRegistry", + "UtilbuildDynamicDiskMappingTable", + "UtlWriteBinValueKeyToRegistry", + "ValidateAddressWithSize", + "_ResetProtectFromClose", + "_UtilDosPathNameToNtPathName" + ], "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "KeLeaveCriticalRegion", + "wcsncpy", + "KeEnterCriticalRegion", + "ExAcquireFastMutexUnsafe", + "wcsrchr", + "ExAcquireResourceSharedLite", + "ExReleaseResourceLite", + "_purecall", + "ZwOpenEvent", + "ZwConnectPort", + "KeClearEvent", + "PsProcessType", + "ExFreePoolWithTag", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "6909b5e86e00b4033fedfca1775b0e33", - "SHA1": "205c69f078a563f54f4c0da2d02a25e284370251", - "SHA256": "22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ + "KeSetEvent", + "ProbeForWrite", + "KeUnstackDetachProcess", + "ZwRequestWaitReplyPort", + "ZwWaitForSingleObject", + "DbgBreakPoint", + "ZwSetEvent", + "IoGetCurrentProcess", + "ZwFreeVirtualMemory", "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "ObfReferenceObject", + "ObfDereferenceObject", + "RtlUnicodeStringToInteger", + "ZwCreateSection", + "ObOpenObjectByPointer", + "KeStackAttachProcess", + "KePulseEvent", + "ZwAllocateVirtualMemory", + "ObGetObjectSecurity", + "SeAccessCheck", + "SeReleaseSubjectContext", + "SeCaptureSubjectContext", + "PsThreadType", + "ObReleaseObjectSecurity", + "PsGetProcessExitTime", + "MmSectionObjectType", "DbgPrint", + "ExDeleteResourceLite", + "ExInitializeResourceLite", + "ZwReadFile", + "swprintf", + "ZwSetInformationFile", "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": 
"03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "fa173832dca1b1faeba095e5c82a1559", - "SHA1": "f9feb60b23ca69072ce42264cd821fe588a186a6", - "SHA256": 
"405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary Certification Authority (PCA3 G1 SHA1)" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "ZwQueryInformationFile", "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", + "_wcsnicmp", + "towupper", + "ExAllocatePoolWithTag", + "KeInitializeEvent", + "ZwCreateEvent", + "ZwCreateKey", + "RtlAnsiStringToUnicodeString", + "ZwNotifyChangeKey", + "RtlInitAnsiString", + "_snprintf", + "RtlFreeUnicodeString", + "ExSystemTimeToLocalTime", + "_vsnprintf", + "ObReferenceObjectByHandle", + "RtlTimeToTimeFields", + "ZwDeviceIoControlFile", + "PsGetCurrentThreadId", + "PsGetCurrentProcessId", + "KeWaitForMultipleObjects", + "ExGetPreviousMode", + "RtlEqualUnicodeString", + "RtlPrefixUnicodeString", + "RtlAppendUnicodeStringToString", + "RtlCopyUnicodeString", + "RtlUpcaseUnicodeChar", + "KeWaitForSingleObject", + "KeSetPriorityThread", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "MmIsAddressValid", + "KeDelayExecutionThread", + "KeNumberProcessors", + "PsLookupProcessByProcessId", + "PsSetCreateProcessNotifyRoutine", + "ZwOpenDirectoryObject", + "ZwQueryInformationProcess", + "ZwQuerySecurityObject", + "NtSetInformationFile", + "ZwDeleteValueKey", + "ZwSetValueKey", + 
"ZwQuerySystemInformation", + "NtQueryInformationFile", + "IoFileObjectType", + "ZwQueryValueKey", + "ZwQueryDirectoryFile", + "NtCreateFile", + "ZwEnumerateValueKey", + "RtlLengthSecurityDescriptor", + "ZwQueryDirectoryObject", + "ZwSetSecurityObject", + "ZwDuplicateObject", + "ZwOpenProcess", + "ZwTerminateProcess", + "ExReleaseFastMutexUnsafe", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwOpenKey", + "MmSystemRangeStart", + "_stricmp", + "_strnicmp", + "mbstowcs", + "ProbeForRead", + "RtlUpcaseUnicodeString", + "_snwprintf", + "ZwQuerySymbolicLinkObject", "ZwMapViewOfSection", + "MmGetSystemRoutineAddress", + "RtlAppendUnicodeToString", + "IoCreateFile", + "RtlQueryRegistryValues", + "MmBuildMdlForNonPagedPool", + "ZwOpenSymbolicLinkObject", + "IoFreeMdl", + "ObQueryNameString", "ZwUnmapViewOfSection", + "NtClose", + "IoFreeIrp", + "PsGetVersion", + "IoAllocateIrp", + "RtlCompareMemory", "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", + "ZwSetInformationObject", + "ZwOpenFile", + "wcsncmp", + "RtlImageNtHeader", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "ZwQueryVolumeInformationFile", + "ObReferenceObjectByPointer", + "IoBuildDeviceIoControlRequest", + "ZwOpenSection", + "RtlSubAuthoritySid", + "RtlLengthRequiredSid", + "ExReleaseFastMutex", + "ExAcquireFastMutex", + "RtlCreateAcl", + "RtlSetDaclSecurityDescriptor", + "RtlAddAccessAllowedAce", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "RtlInitializeSid", + "RtlCreateSecurityDescriptor", + "IoDeleteSymbolicLink", + "IoDeleteDevice", + "IoGetDeviceObjectPointer", + "ExEventObjectType", "IofCompleteRequest", "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": 
"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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "bbe4f5f8b0c0f32f384a83ae31f49a00", - "SHA1": "b25170e09c9fb7c0599bfba3cf617187f6a733ac", - "SHA256": 
"49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "ObOpenObjectByName", + "NtQueryInformationProcess", + "strncpy", + "NtOpenProcess", + "ObInsertObject", + "IoAcquireVpbSpinLock", + "SeCreateAccessState", + "IoGetFileObjectGenericMapping", + "ObCreateObject", + "KeAcquireQueuedSpinLock", + "KeReleaseQueuedSpinLock", + "IoReleaseVpbSpinLock", + "wcschr", + "strncat", + "RtlUnicodeStringToAnsiString", + "wcsncat", + "RtlFreeAnsiString", + "wcstombs", + "IoGetConfigurationInformation", + "IoRegisterPlugPlayNotification", + "IoGetStackLimits", + "IoBuildSynchronousFsdRequest", + "KeReleaseSpinLock", + "ExpInterlockedPopEntrySList", + "FsRtlIsNameInExpression", + "wcsstr", + "ExAllocatePool", + "IoUnregisterPlugPlayNotification", "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", + "RtlCompareUnicodeString", + "IoGetDeviceInterfaces", + "KeAcquireSpinLockRaiseToDpc", + "KeBugCheckEx", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoDeviceObjectType", + "SeCaptureSecurityDescriptor", 
+ "RtlAbsoluteToSelfRelativeSD", + "IoIsWdmVersionAvailable", + "SeExports", + "RtlLengthSid", + "RtlGetSaclSecurityDescriptor", + "RtlGetDaclSecurityDescriptor", + "RtlGetGroupSecurityDescriptor", + "RtlGetOwnerSecurityDescriptor", + "ZwDeleteKey", + "ExAcquireResourceExclusiveLite", + "__C_specific_handler" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { @@ -122261,10 +130946,10 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=TW, L=Taipei, O=Trend Micro, Inc., CN=Trend Micro, Inc.", + "ValidFrom": "2018-05-22 00:00:00", + "ValidTo": "2019-07-16 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -122284,66 +130969,111 @@ ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "SerialNumber": "60d927b542b7d1147fb2f0c4b9c1bbb2", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "TmComm.sys" + ], + "yara": true + }, + { + "Id": "8a162702-b043-4108-bb6c-1488751a4a32", + "Author": "Will BushidoToken", + "Created": "2023-05-22", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create dkrTK.sys binPath=C:\\windows\\temp\\dkrTK.sys type=kernel && sc.exe start dkrTK.sys", + "Description": "The User Agent tjr.exe, which is protected via a virtual machine, drops the kernel driver to the user temporary directory C:\\%User%\\AppData\\Local\\Temp\\Ktgn.sys. It then installs the dropped driver with the name ktgn and the start value = System (to start when the system restarts). 
From our analysis of what occurs when a user interfaces with this driver, we observed that it only uses one of the exposed Device Input and Output Control (IOCTL) code — Kill Process, which is used to kill security agent processes installed on the system.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver/indicators-blackcat-ransomware-deploys-new-signed-kernel-driver.txt", + "https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html" + ], + "Acknowledgement": { + "Person": "BushidoToken", + "Handle": "BushidoToken" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "CITMDRV_IA64.sys", - "MD5": "c5f5d109f11aadebae94c77b27cb026f", - "SHA1": "160c96b5e5db8c96b821895582b501e3c2d5d6e7", - "SHA256": "4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], + "Filename": "dkrTK.sys", + "MD5": "a837302307dace2a00d07202b661bce2", + "SHA1": "91568d7a82cc7677f6b13f11bea5c40cf12d281b", + "SHA256": "52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677", + "Signature": "", "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", + "Publisher": "", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "IA64", + "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "233c2815720d7aa90838780dc482ddb9", + "SHA1": "6271a84b349debb9a1bf7a5a164e91ef6cb9f869", + "SHA256": "24395b622d4fd48864a50978ffd2b82fdded5189741a6deea9293cc075cd0c6b" }, "InternalName": "", "Copyright": "", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "ntoskrnl.exe", + "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "rand", + "srand", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExSystemTimeToLocalTime", + "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", + "IoGetCurrentProcess", + "ObReferenceObjectByHandleWithTag", + "ObfDereferenceObject", + "ObfDereferenceObjectWithTag", + "MmIsAddressValid", + "PsGetProcessExitStatus", + "PsIsThreadTerminating", + "PsLookupProcessByProcessId", + "PsLookupThreadByThreadId", + "PsGetThreadProcess", + "PsIsSystemThread", + "ObOpenObjectByPointerWithTag", + "KeBugCheckEx", + "ExAllocatePool", + "NtQuerySystemInformation", + "ExFreePoolWithTag", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", "MmUnlockPages", "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "KeQueryActiveProcessors", + "KeSetSystemAffinityThread", + 
"KeRevertToUserAffinityThread", + "DbgPrint", + "KeQueryPerformanceCounter" ], "Signatures": [ { 
@@ -122351,24 +131081,130 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CN, ST=Shandong, L=Zaozhuang, O=Bopsoft, CN=Bopsoft", + "ValidFrom": "2018-03-02 00:00:00", + "ValidTo": "2018-11-28 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA", + "ValidFrom": "2011-02-22 19:31:57", + "ValidTo": "2021-02-22 19:41:57", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + } + ], + "Signer": [ + { + "SerialNumber": "38de06b8be15187f107e04f8b1138977", + "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2" + } + ] + } + ] + } + ], + "Tags": [ + "dkrTK.sys" + ], + "yara": false + }, + { + "Id": "6fe10a55-7fb8-4a9d-9ebc-1b27b6e5b833", + "Author": "Guus Verbeek", + "Created": "2023-05-07", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create prokiller64.sys binPath=C:\\windows\\temp\\prokiller64.sys type=kernel && sc.exe start prokiller64.sys", + "Description": "Signed POORTRY Samples", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "prokiller64.sys", + "MD5": "10f3679384a03cb487bda9621ceb5f90", + "SHA1": "31cc8718894d6e6ce8c132f68b8caaba39b5ba7a", + "SHA256": "0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc", + "Signature": "", + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", + "OriginalFilename": "", + "Authentihash": { + "MD5": "4252d83e18ad41f0cea7ac168218d95b", + 
"SHA1": "cf9cb05c9b725efca68c4b7d6f53c8e233217ac4", + "SHA256": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f" + }, + "InternalName": "", + "Copyright": "", + "Imports": [ + "ntoskrnl.exe" + ], + "ExportedFunctions": "", + "ImportedFunctions": [ + "rand", + "srand", + "RtlInitUnicodeString", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ExSystemTimeToLocalTime", + "MmGetSystemRoutineAddress", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoGetCurrentProcess", + "ObReferenceObjectByHandleWithTag", + "ObfDereferenceObject", + "ObfDereferenceObjectWithTag", + "MmIsAddressValid", + "PsGetProcessExitStatus", + "PsIsThreadTerminating", + "PsLookupProcessByProcessId", + "PsLookupThreadByThreadId", + "PsGetThreadProcess", + "PsIsSystemThread", + "ObOpenObjectByPointerWithTag", + "KeBugCheckEx" + ], + "Signatures": [ + { + "CertificatesInfo": "", + "SignerInfo": "", + "Certificates": [ + { + "Subject": "C=CN, ST=guangdong, L=zhuhai, O=Zhuhai liancheng Technology Co., Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Zhuhai liancheng Technology Co., Ltd.", + "ValidFrom": "2013-02-04 00:00:00", + "ValidTo": "2014-02-04 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { 
@@ -122388,66 +131224,129 @@ ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", + "SerialNumber": "627dfdf73a1455de5143a270799e6b7b", "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] - }, + } + ], + "Tags": [ + "prokiller64.sys" + ], + "yara": false + }, + { + "Id": "86b520f6-cc90-4488-b343-168cad88010d", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "FALSE", + "Commands": { + "Command": "sc.exe create gameink.sys binPath=C:\\windows\\temp\\gameink.sys type=kernel && sc.exe start gameink.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ { - "Filename": "CITMDRV_IA64.sys", - "MD5": "40bc58b7615d00eb55ad9ba700c340c1", - "SHA1": "a2e0b3162cfa336cd4ab40a2acc95abe7dc53843", - "SHA256": "4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], + "Filename": "gameink.sys", + "SHA1": "3ae56ab63230d6d9552360845b4a37b5801cc5ea", + "Signature": [], "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", + "Publisher": "", "Company": "", "Description": "", "Product": "", "ProductVersion": "", "FileVersion": "", - "MachineType": "IA64", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "gameink.sys" + ], + "yara": false + }, + { + "Id": "2e1531b2-d370-4543-9e2e-5319a1c13c22", + "Author": "Michael Haag", + "Created": "2023-02-28", + "MitreID": "T1068", + "Category": "malicious", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create daxin_blank2.sys binPath=C:\\windows\\temp\\daxin_blank2.sys type=kernel && sc.exe start daxin_blank2.sys", + "Description": "Driver used in the Daxin malware campaign.", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage", + "" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [], + "KnownVulnerableSamples": [ + { + "Filename": "daxin_blank2.sys", + "MD5": "1cd158a64f3d886357535382a6fdad75", + "SHA1": "a48aa80942fc8e0699f518de4fd6512e341d4196", + "SHA256": "5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a", + "Signature": "A certificate was explicitly revoked by its issuer.", + "Date": "4:05 AM 2/6/2021", + "Publisher": "Fuqing Yuntan Network Tech Co.,Ltd.", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "9853eedacdfe3384f34b8eaa771f4f70", + "SHA1": "d7254e751cd3a49176a547a5bb70f8a0662d8d28", + "SHA256": "4b10f4f03eaa545d2fdb3b88890917a6fa24142689d3c43a7c39fc5bed5725bf" }, "InternalName": "", "Copyright": "", "Imports": 
[ - "ntoskrnl.exe" + "ntoskrnl.exe", + "NDIS.SYS", + "ntoskrnl.exe", + "hal.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", + "NdisMSendNetBufferListsComplete", + "IoAllocateMdl", + "MmProbeAndLockPages", + "MmMapLockedPagesSpecifyCache", "MmUnlockPages", "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "ExAllocatePool", + "ExFreePool", + "NtQuerySystemInformation", + "HalMakeBeep" ], "Signatures": [ { 
@@ -122455,100 +131354,274 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=CN, ST=Fuzhou, L=Fuqing, O=Fuqing Yuntan Network Tech Co.,Ltd., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=Fuqing Yuntan Network Tech Co.,Ltd.", + "ValidFrom": "2013-04-09 00:00:00", + "ValidTo": "2014-04-09 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "516ceb03f17e10c24b45ffb6336e5915", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] + } + ], + "Tags": [ + "daxin_blank2.sys" + ], + "yara": false + }, + { + "Id": "e5f12b82-8d07-474e-9587-8c7b3714d60c", + "Author": "Nasreddine Bencherchali", + "Created": "2023-05-06", + "MitreID": "T1068", + "Category": "vulnerable driver", 
+ "Verified": "TRUE", + "Commands": "sc.exe create zam64.sys binPath=C:\\windows\\temp\\zam64.sys type=kernel && sc.exe start zam64.sys", + "Description": [], + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10", + "Resources": [ + "Internal Research" + ], + "Acknowledgement": { + "Person": [], + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1.yara" }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "839cbbc86453960e9eb6db814b776a40", - "SHA1": "4e826430a1389032f3fe06e2cc292f643fb0c417", - "SHA256": "54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a.yara" + }, + { + "type": "yara_signature", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c.yara" + }, + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "FileName": "zam64.sys", + "MD5": 
"2a3ce41bb2a7894d939fbd1b20dae5a0", + "SHA1": "cd248648eafca6ef77c1b76237a6482f449f13be", + "SHA256": "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1", + "Authentihash": { + "MD5": "689e0587c7821c19c711424fa619dbad", + "SHA1": "b9b230bb66c82e15f563ac0873a3a1db25995064", + "SHA256": "1997b7217dfddd8fbd4924e86b58fe585ef4bd91c3069d3deeb34ea70eb82d60" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.18.371", + "Copyright": "Zemana Ltd. All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + 
"IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "ZwCreateFile", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "PsGetProcessId", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "IoCreateFileSpecifyDeviceObjectHint", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + 
"FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -122566,86 +131639,168 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 
19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "42f7cc4be348c3efd98b0f1233cf2d69", - "SHA1": "7ab4565ba24268f0adadb03a5506d4eb1dc7c181", - "SHA256": "5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "db46c56849bbce9a55a03283efc8c280", + "SHA1": "8f4b79b8026da7f966d38a8ba494c113c5e3894b", + "SHA256": "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "a7d940958aa06308dfb68ed67e6ae18c", + "SHA1": "ddb4d31681eb2e8e95aa33b78d454b29542d2a98", + "SHA256": "ab1290211250af83be645072d346693890f3f29feda5a3a23ea97758247f7ba1" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.16.928", + "Copyright": "Zemana Ltd. All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ObfDereferenceObject", + "ZwCreateFile", "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "ZwQueryInformationProcess", + "__C_specific_handler", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessImageFileName", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", 
+ "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "ObReferenceObjectByHandle", + "FsRtlGetFileSize", + "ZwDeleteFile", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "PsGetProcessId", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", + "KeBugCheckEx", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "IoGetDeviceAttachmentBaseRef", + "strstr" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": 
[], "SignerInfo": "", "Certificates": [ { 
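Review bot: The new side changes the type of `CertificatesInfo` from `""` to `[]` and renames the per-sample key `Filename` to `FileName`, but the commit touches only drivers.json, so whatever struct in pkg/loldrivers decodes this embedded data is not adjusted alongside it. Go's encoding/json matches keys case-insensitively, so the rename is likely harmless, whereas a field declared as a string will return an UnmarshalTypeError for an array; the same `""` → `[]` change repeats in the hunks at `@@ -122663` and `@@ -122767`, and the hunk that starts before this one also turns `Commands` into a bare string and `Description`/`Person` into `[]` while other entries keep strings, so one key now has two types within the same file. Consider pinning the decoder to the new shape in the same change, or adding a decode test over the embedded file so a future upstream refresh cannot silently change the schema. This hunk begins and ends inside the `KnownVulnerableSamples` array, so the enclosing driver entry is not fully visible.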
@@ -122663,93 +131818,200 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "2128e6c044ee86f822d952a261af0b48", - "SHA1": "dc7b022f8bd149efbcb2204a48dce75c72633526", - "SHA256": "76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zamguard64.sys", + "MD5": "99c131567c10c25589e741e69a8f8aa3", + "SHA1": "3b8ddf860861cc4040dea2d2d09f80582547d105", + "SHA256": "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "38757cf8a65976f362f287c3e94f8c1b", + "SHA1": "87cdb7698822d92a070b83b732fffa0ea99e34a2", + "SHA256": "950b672d3300bcacefe568156fbc8b16fa09da13df2f6ecda31254faaaf041f9" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.20.865", + "Copyright": "Zemana Ltd. All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", + 
"IoAllocateMdl", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ObQueryNameString", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "PsLookupProcessByProcessId", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - 
"ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "ZwQuerySystemInformation", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -122767,183 +132029,185 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "fd81af62964f5dd5eb4a828543a33dcf", - "SHA1": "0307d76750dd98d707c699aee3b626643afb6936", - "SHA256": "7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "8a60d49cf93c42e609a5fc51877e8caee77cdc7848d3db41a9556d186c795f8f20e825c3be29056670c4414f35dc24e538606c0b1404c9b751e1fad91e2c136a5970c3c0edbb5a2391c47bb1d2782ff673636c6ec7bc2a69d06011f07dc957039835f50b6d5f342e75e00564be8edc0035aa4ae92d412dd38f347abff1d8ec9059ef25af4f5d1e20d6c5b2a5e69c7cba53c0f88901f7db044f11724be5a04b0d689c4f4fccef40d4a654954b67d5ecacf272c48a3d81ac0056c1d252f42bb403291f674642bd001d99b3846f0270b070d1487ef42e939193c949feb162e29ca5ad41d8d195b8e8f6e4c8dd79c46f27b06f9e15906df8f8fd9a850ba28f169468", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "010c0e5ac584e3ab97a2daf84cf436f5", - "SHA1": "5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a", - "SHA256": "845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a", - "Signature": [ - "IBM Polska Sp. 
z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "e5f8fcdfb52155ed4dffd8a205b3d091", + "SHA1": "90abd7670c84c47e6ffc45c67d676db8c12b1939", + "SHA256": "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "ad2c4382390a8740dcea8b0aef5552c2", + "SHA1": "0740faffcb163f4c8cd204c367b9492f2e361207", + "SHA256": "b529550e8d2ec6133be50d7139179654301ff84ba09da0cd256c5dec924a185c" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.18.229", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwCreateFile", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + 
"NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "PsGetProcessId", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", + "KeBugCheckEx", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "ZwQuerySymbolicLinkObject", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -122961,190 +132225,358 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "13851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "ff7b31fa6e9ab923bce8af31d1be5bb2", - "SHA1": "6714380bc0b8ab09b9a0d2fa66d1b025b646b946", - "SHA256": "84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "707ab1170389eba44ffd4cfad01b5969", + "SHA1": "b99a5396094b6b20cea72fbf0c0083030155f74e", + "SHA256": "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "fb3161dd2e402cfdd3495278974f4181", + "SHA1": "9c7deb9def09bca28c37211992c76880f575b9ef", + "SHA256": "a59ad5be59f73f2a138c70d8aa634bf5f3364a67e072b64ff2a6d4627514a9ad" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "3.0.0.000", + "Product": "ZAM", + "ProductVersion": "3.0.0.000", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", + "MmProbeAndLockPages", + "IoAllocateIrp", + "IoAllocateMdl", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ObQueryNameString", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", + "IofCompleteRequest", + "IoCreateDevice", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + 
"IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "PsLookupProcessByProcessId", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "ZwQuerySystemInformation", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + 
"CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. 
z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "42e8dc916f2dc408ca5166c8b7ced14e560f83871c13c6c64e315e05fe905f6d744191e2e1fa04e15896b09c9853c735ac78efecf1d9d6c4b81d449b71b041b37f66e879cdd3ccaee2fad716d01f842540235d15c8b607c010ae4abe541053cc38f0f16c25c4cc1064aea63f2db60ebb4a7fd0f4c468f658bfe57c541b1b9292c3e6490604e75ceb222dad4bd25c3cf81031d9eeb9599a7f150f3ea8417ae517a59488fc512bbda13ba30018b1692ebfea87957384abb8cb0ce20141a7d58299a15454184e79a36c7e492e5e98c145e6e2b6010fb70825c2557176ad96047e55ca2136536f9d2357f3bbd970eb696a6af7eedb5ffdbe4696b99412a5d09e568e", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", + "ValidFrom": "2022-06-07 18:08:07", + "ValidTo": "2023-06-01 18:08:07", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", + "ValidFrom": "2014-10-15 20:31:27", + "ValidTo": "2029-10-15 20:41:27", + "Signature": 
"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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "3300000058e7c589c068dca727000000000058", + "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "7bd840ff7f15df79a9a71fec7db1243e", - "SHA1": "8626ab1da6bfbdf61bd327eb944b39fd9df33d1d", - "SHA256": "8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "9e0659d443a2b9d1afc75a160f500605", + "SHA1": "09f117d83f2f206ee37f1eb19eea576a0ac9bdcc", + "SHA256": "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "536527a09edbc7e8c174f7f7423a79a1", + "SHA1": "60d4d82640d4550c3e2cfba69f00b5c7472e4926", + "SHA256": "dcf9bc1e511993fd8c87b8cab5c23366cc818cccc40617cabc8f242d4a8751d7" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.17.115", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ + "ObfDereferenceObject", + "ZwCreateFile", "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "ZwQueryInformationProcess", + "__C_specific_handler", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessImageFileName", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "ObReferenceObjectByHandle", + "FsRtlGetFileSize", + "ZwDeleteFile", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + 
"MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "PsGetProcessId", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", + "KeBugCheckEx", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "IoGetDeviceAttachmentBaseRef", + "strstr" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
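Review bot: The new zam64.sys records in this hunk spell the sample-name key `"FileName"`, where the records they replace used `"Filename"`; the same spelling change appears on the zamguard64.sys and zamguard32.sys records in the following hunks. If any record elsewhere in the updated file still carries the old spelling, one field now has two key spellings in a single document — a Go `encoding/json` consumer would match both case-insensitively, but a case-sensitive reader (jq, a JSON Schema, any non-Go tool reading the same embedded file) would see the field as missing on one shape. The new records also drop `Signature`, `Date` and `Publisher` and change `CertificatesInfo` from `""` to `[]`, so a field's presence and type now depend on which record is read. Since this file is a vendored snapshot of upstream data, the fix belongs in the import step rather than in a hand edit: normalise the key to one spelling and `CertificatesInfo` to one type on ingest, or state in the package documentation that both shapes occur.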
@@ -123162,190 +132594,168 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "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", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., 
OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "fa222bed731713904320723b9c085b11", - "SHA1": "30a224b22592d952fbe2e6ad97eda4a8f2c734e0", - "SHA256": "a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zamguard64.sys", + "MD5": "51e7b58f6e9b776568ffbd4dd9972a60", + "SHA1": "2cf75df00c69d907cfe683cb25077015d05be65d", + "SHA256": "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "e03436e22127cd75a132169b627e5a3f", + "SHA1": "b8d8e15e952b3fd2a510699d2124253565ecd611", + "SHA256": "082adcdc2d246d2291bcf135a7519840a84f27cfa3143d1372a9e2aa5e514dbd" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.16.287", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "strstr", + "wcsstr", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", + "RtlCopyUnicodeString", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ProbeForRead", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": 
"783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "f778489c7105a63e9e789a02412aaa5f", - "SHA1": "c95db1e82619fb16f8eec9a8209b7b0e853a4ebe", - "SHA256": "ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "ZwQueryInformationProcess", + "__C_specific_handler", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessImageFileName", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwDeleteFile", + "ZwQuerySystemInformation", + "IoFileObjectType", + 
"KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "PsGetProcessId", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -123363,183 +132773,212 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" - } - ] - } - ] - }, - { - "Filename": "CITMDRV_IA64.sys", - "MD5": "ed07f1a8038596574184e09211dfc30f", - "SHA1": "fe1d909ab38de1389a2a48352fd1c8415fd2eab0", - "SHA256": "b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2009-2 CA", - "VeriSign Class 3 Public Primary CA" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", - "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" - }, - "InternalName": "", - "Copyright": "", - "Imports": [ - "ntoskrnl.exe" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", - "MmProbeAndLockPages", - "IoAllocateMdl", - "__C_specific_handler", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" - ], - "Signatures": [ - { - "CertificatesInfo": "", - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", - "ValidFrom": "2012-05-01 00:00:00", - "ValidTo": "2012-12-31 23:59:59", - "Signature": "1e98aa27b778b508b5c9726db7dfc00e98a635c488c9d2f66df14b1afbd5f92d99009ed1e79b8be13fbd39800c66cd07bc5c9854a694ba10d14e8babf56f65cc6709a2807c52e80e03d66b7ac60518ecc8ac427c072ca73d0866dc00edfd941d73f2729893b111d68fef8eeaacf496510cd08ddf31524f5eaf7da74a75e64ece2b9f292be7cf5d9f037e6e277b23ad622966af92e82ccebd9c7fdccd173c43c2093f7545c79ee4d7607f97c6e4aac769f5fccd74ac2cb048c1504e70561eb535d38ebeb1edacbdfe0cec857dd5bb856644195d9f93eb82ba639ed37c61ffc81bd923587f30a366a139265e92c33ccb3732faf5a38ddcd5b0a3e9253655d781fa", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - }, - { - "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", - "ValidFrom": "2003-12-04 00:00:00", - "ValidTo": "2013-12-03 23:59:59", - "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=malopolska, L=Krakow, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2010-04-08 00:00:00", - "ValidTo": "2013-04-09 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", - "ValidFrom": "2009-05-21 00:00:00", - "ValidTo": "2019-05-20 23:59:59", - "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": 
"45595f53cb4840a48f7415305213fba6", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "14eead4d42728e9340ec8399a225c124", - "SHA1": "b4d1554ec19504215d27de0758e13c35ddd6db3e", - "SHA256": "b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zamguard32.sys", + "MD5": "06897b431c07886454e0681723dd53e6", + "SHA1": "40d29aa7b3fafd27c8b27c7ca7a3089ccb88d69b", + "SHA256": "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "4e0b0bd19c0f3c4a2a75e786474d9d06", + "SHA1": "c5388c61135c7fe5617607206d663ac3eaef649c", + "SHA256": "de99cea1cb680816afa10d2629a8067af1dc289d2d162a21b9dba71eb0e47745" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.21.63", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "I386", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "HAL.dll", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "_allmul", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "KeQuerySystemTime", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "KeGetCurrentThread", + "RtlIntegerToUnicodeString", + "RtlCompareMemory", + "KeInitializeEvent", + "KeSetEvent", + "KefAcquireSpinLockAtDpcLevel", + "KefReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwQuerySystemInformation", + "IoFileObjectType", + "ZwQueryInformationProcess", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", 
"IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExfInterlockedInsertHeadList", + "ExfInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "KeServiceDescriptorTable", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "RtlUnwind", + "PsGetProcessImageFileName", + "FsRtlIsNameInExpression", + "ObQueryNameString", + "PsLookupProcessByProcessId", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "DbgPrint", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "strstr", + "_aullshr", + "memcpy", + "KeReadStateEvent", + "memset", + "KfRaiseIrql", + "KfLowerIrql", + "KfReleaseSpinLock", + "KfAcquireSpinLock", + "KeGetCurrentIrql", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + 
"FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -123557,86 +132996,166 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": 
"208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "825703c494e0d270f797f1ecf070f698", - "SHA1": "5dd2c31c4357a8b76db095364952b3d0e3935e1d", - "SHA256": "b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c", - "Signature": [ - "IBM Polska Sp. 
z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "d4a10447fdaff7a001715191c1f914b6", + "SHA1": "628e63caf72c29042e162f5f7570105d2108e3c2", + "SHA256": "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "8ff959801623fcaf37f6fde89a4aeec1", + "SHA1": "b24f8e34221cb7eaa5bed2f177f6701380a0e71f", + "SHA256": "1a166e70dcaf3ef12836db1927953ee528e532cdae8165e67d776971e4cbc48c" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "2.11.1.510", + "Product": "ZAM", + "ProductVersion": "2.11.1.510", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", + "strstr", + "wcsstr", "RtlInitUnicodeString", - "ZwWriteFile", - "DbgPrint", + "RtlCopyUnicodeString", + "RtlGetVersion", + "KeDelayExecutionThread", + "ExAllocatePoolWithTag", + "ExFreePoolWithTag", + "ProbeForRead", + "ObReferenceObjectByHandle", + "ObfDereferenceObject", "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "ZwClose", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "ZwQueryInformationProcess", + "__C_specific_handler", + "DbgPrint", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessImageFileName", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwDeleteFile", + "ZwQuerySystemInformation", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", 
+ "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "PsGetProcessId", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", "KeBugCheckEx" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
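Review bot: The new side changes the type of `CertificatesInfo` from the string `""` to the array `[]` at the end of this hunk (and again in the two hunks that follow), and nothing in this chunk updates the consumer in pkg/loldrivers that decodes the file, so a decoder that still declares that field as a string will presumably reject the whole document rather than a single record, leaving the tool with no driver list at all. The sample records are also no longer uniform: this hunk introduces `"FileName": "zam64.sys"` while later records in the same file keep `"Filename"`, which only a case-insensitive key match (Go's encoding/json does this; many other decoders do not) will paper over, so it is worth normalising at load time or documenting beside the struct. Some new samples carry only one hash (the WinIo64B.sys record in the final hunk has a SHA1 and no MD5 or SHA256), so any matching logic should treat every hash field as optional instead of assuming all three are present. A schema check on the decoded slice (non-empty, each sample has at least one hash) would turn these silent data drifts into a loud failure at startup.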
@@ -123654,86 +133173,200 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "37c4cb65c2d5579c51543d15af31471b5b497715b8018ab41d79e8c5fd07393f3ae94bc05fe9c7c309f7ac8cc213535a8fa8ea90100c57e455b50ddc95ee310d73c0577dd2e02e8f488ac3402f0a04f6bd5f40892e98c1c7a0f2763666416c56578c5124f057a762ac7e12ec79b0513db914a194e0180e7c60ebcfe6669802fa959e117dbe681d72789baa05343c622da0bb17eb05b8c6f0740d7053dbee3f12d569d4186d2dcc65a802e5ff99f6e9737f3b025eb44df12036e51b3d078fb5c29f36134134aa0ac6d34dc45d973b92fb05740c50975194828977dbe9c7218c092a4a96ec45d08610914926d92eb2fc2f0e7e4965dda5f82b7c9bbd731256acbf", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": "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", + "SignatureAlgorithmOID": 
"1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "9007c94c9d91ccff8d7f5d4cdddcc403", - "SHA1": "ecb4d096a9c58643b02f328d2c7742a38e017cf0", - "SHA256": "db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653", - "Signature": [ - "IBM Polska Sp. z o.o.", - "Symantec Class 3 SHA256 Code Signing CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "75e50ae2e0f783e0caf912f45e15248a", + "SHA1": "a3d612a5ea3439ba72157bd96e390070bdddbbf3", + "SHA256": "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "cf4707d1cc2b1d1344058ac750e4e61e", + "SHA1": "3bd3de766013c31d87545bd7affd8e52c4e24f72", + "SHA256": "e5316670c0bddc0519ef96b2db89285a8620a260429a97f9d2cf5b58b0287d91" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.20.104", + "Copyright": "Zemana Ltd. 
All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", + "FsRtlIsNameInExpression", + "PsGetProcessImageFileName", + "ZwQueryInformationProcess", + "__C_specific_handler", + "strchr", + "RtlAppendUnicodeToString", + "KeInitializeSemaphore", + "KeReleaseSemaphore", + "KeWaitForSingleObject", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsCreateSystemThread", + "PsTerminateSystemThread", + "ZwQueryInformationFile", "ZwWriteFile", - "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "PsGetCurrentThreadId", + "ZwDeleteFile", + "_vsnprintf", + "PsThreadType", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "KeInitializeEvent", + "KeSetEvent", + "KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwSetInformationFile", + "ZwReadFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ObQueryNameString", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + 
"MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "MmMapLockedPagesSpecifyCache", + "PsGetProcessId", + "IoThreadToProcess", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "PsGetProcessSectionBaseAddress", + "MmSystemRangeStart", + "KeBugCheckEx", + "PsLookupProcessByProcessId", + "ZwOpenProcess", + "PsGetCurrentProcessId", + "RtlUpcaseUnicodeString", + "RtlUpperString", + "ZwClose", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + "strstr", + "ZwQuerySystemInformation", + "DbgPrint", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltReleaseContext", + "FltGetStreamHandleContext", + "FltSetStreamHandleContext", + "FltAllocateContext", + "FltCancelFileOpen", + "FltQueryInformationFile", + "FltReadFile", + "FltParseFileNameInformation", + "FltReleaseFileNameInformation", + "FltGetFileNameInformation", + "FltFreePoolAlignedWithTag", + "FltAllocatePoolAlignedWithTag", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -123751,86 +133384,177 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2016-05-30 00:00:00", - "ValidTo": "2019-07-29 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "8a60d49cf93c42e609a5fc51877e8caee77cdc7848d3db41a9556d186c795f8f20e825c3be29056670c4414f35dc24e538606c0b1404c9b751e1fad91e2c136a5970c3c0edbb5a2391c47bb1d2782ff673636c6ec7bc2a69d06011f07dc957039835f50b6d5f342e75e00564be8edc0035aa4ae92d412dd38f347abff1d8ec9059ef25af4f5d1e20d6c5b2a5e69c7cba53c0f88901f7db044f11724be5a04b0d689c4f4fccef40d4a654954b67d5ecacf272c48a3d81ac0056c1d252f42bb403291f674642bd001d99b3846f0270b070d1487ef42e939193c949feb162e29ca5ad41d8d195b8e8f6e4c8dd79c46f27b06f9e15906df8f8fd9a850ba28f169468", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA", - "ValidFrom": "2013-12-10 00:00:00", - "ValidTo": "2023-12-09 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + "Signature": 
"49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "74c58808c139aecc23260eb2ba16f2fd", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } ] }, { - "Filename": "CITMDRV_IA64.sys", - "MD5": "9b359b722ac80c4e0a5235264e1e0156", - "SHA1": "4a705af959af61bad48ef7579f839cb5ebd654d2", - "SHA256": "e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028", - "Signature": [ - "IBM Polska Sp. z o.o.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" - ], - "Date": "", - "Publisher": "IBM Polska Sp. 
z o.o.", - "Company": "", - "Description": "", - "Product": "", - "ProductVersion": "", - "FileVersion": "", - "MachineType": "IA64", - "OriginalFilename": "", + "FileName": "zam64.sys", + "MD5": "5054083cf29649a76c94658ba7ff5bce", + "SHA1": "dd4cd182192b43d4105786ba87f55a036ec45ef2", + "SHA256": "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f", "Authentihash": { - "MD5": "2be85acec4d5e36a137af7ef046e0cc8", - "SHA1": "b90403d206e5f76bbf699c9627461d9fdafa9aa5", - "SHA256": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e" + "MD5": "8d4a371e8da97e8dfd254e7b860bf147", + "SHA1": "d2a888f664ffa91e876dbd797ca1fc95c511c5bc", + "SHA256": "27f5c5eb9a5fc9e02d3ac3cd83fc26b07f3d0143b03db69d6dcf7554d0c50fb6" }, + "Description": "ZAM", + "Company": "Zemana Ltd.", "InternalName": "", - "Copyright": "", + "OriginalFilename": "", + "FileVersion": "", + "Product": "ZAM", + "ProductVersion": "2.17.984", + "Copyright": "Zemana Ltd. All rights reserved.", + "MachineType": "AMD64", "Imports": [ - "ntoskrnl.exe" + "ntoskrnl.exe", + "FLTMGR.SYS" ], "ExportedFunctions": "", "ImportedFunctions": [ - "ZwClose", - "ZwOpenFile", - "RtlInitUnicodeString", - "ZwWriteFile", + "RtlUpperString", + "RtlUpcaseUnicodeString", + "PsGetCurrentProcessId", + "ZwOpenProcess", + "PsLookupProcessByProcessId", + "ObQueryNameString", + "FsRtlIsNameInExpression", + "ZwQueryInformationProcess", + "__C_specific_handler", "DbgPrint", - "ZwCreateFile", - "vsprintf", - "IoDeleteDevice", - "IoDeleteSymbolicLink", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "MmUnlockPages", - "IoFreeMdl", - "ZwOpenSection", + "KeAcquireSpinLockRaiseToDpc", + "KeReleaseSpinLock", + "PsSetCreateProcessNotifyRoutine", + "PsGetProcessImageFileName", + "PsGetProcessSessionId", + "RtlAppendUnicodeStringToString", + "ZwDeleteValueKey", + "ZwSetValueKey", + "towupper", + "RtlIntegerToUnicodeString", + "RtlAppendUnicodeToString", + "KeInitializeEvent", + "KeSetEvent", + "KeWaitForSingleObject", + 
"KeAcquireSpinLockAtDpcLevel", + "KeReleaseSpinLockFromDpcLevel", "MmProbeAndLockPages", + "IoAllocateIrp", "IoAllocateMdl", - "__C_specific_handler", + "IofCallDriver", + "IoFreeIrp", + "IoFreeMdl", + "IoGetDeviceObjectPointer", + "IoGetRelatedDeviceObject", + "ObCloseHandle", + "ObfReferenceObject", + "ZwQueryInformationFile", + "ZwSetInformationFile", + "ZwReadFile", + "ZwWriteFile", + "ZwOpenSymbolicLinkObject", + "ZwQuerySymbolicLinkObject", + "IoCreateFileSpecifyDeviceObjectHint", + "IoGetDeviceAttachmentBaseRef", + "FsRtlGetFileSize", + "ZwDeleteFile", + "ZwClose", + "IoFileObjectType", + "KeReadStateEvent", + "ExQueueWorkItem", + "ExGetPreviousMode", + "MmGetSystemRoutineAddress", + "NtOpenProcess", + "ZwCreateEvent", + "ZwWaitForSingleObject", + "ZwSetEvent", + "NtQuerySystemInformation", + "ExEventObjectType", + "NtBuildNumber", + "ZwDeleteKey", + "ObReferenceObjectByName", + "IoDriverObjectType", + "MmIsDriverVerifying", "IofCompleteRequest", - "IoCreateSymbolicLink", "IoCreateDevice", - "KeTickCount", - "KeBugCheckEx" + "IoCreateSymbolicLink", + "IoDeleteDevice", + "IoDeleteSymbolicLink", + "RtlSetDaclSecurityDescriptor", + "PsGetProcessId", + "PsGetCurrentProcessSessionId", + "ZwTerminateProcess", + "KeStackAttachProcess", + "KeUnstackDetachProcess", + "ZwOpenThread", + "PsProcessType", + "ExInterlockedInsertHeadList", + "ExInterlockedRemoveHeadList", + "CmRegisterCallback", + "CmUnRegisterCallback", + "RtlCreateRegistryKey", + "ZwOpenKey", + "ZwEnumerateKey", + "ZwQueryKey", + "ZwQueryValueKey", + "RtlUnicodeStringToAnsiString", + "RtlFreeAnsiString", + "ProbeForWrite", + "PsSetLoadImageNotifyRoutine", + "PsRemoveLoadImageNotifyRoutine", + "MmSystemRangeStart", + "KeBugCheckEx", + "ZwCreateFile", + "ObfDereferenceObject", + "ObReferenceObjectByHandle", + "ProbeForRead", + "ExFreePoolWithTag", + "ExAllocatePoolWithTag", + "KeDelayExecutionThread", + "RtlGetVersion", + "RtlCopyUnicodeString", + "RtlInitUnicodeString", + "wcsstr", + 
"ZwQuerySystemInformation", + "strstr", + "FltSendMessage", + "FltCloseCommunicationPort", + "FltCreateCommunicationPort", + "FltStartFiltering", + "FltUnregisterFilter", + "FltRegisterFilter", + "FltBuildDefaultSecurityDescriptor" ], "Signatures": [ { - "CertificatesInfo": "", + "CertificatesInfo": [], "SignerInfo": "", "Certificates": [ { 
@@ -123848,31 +133572,31 @@ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=PL, ST=mazowieckie, L=Warsaw, O=IBM Polska Sp. z o.o., OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=IBM Polska Sp. z o.o.", - "ValidFrom": "2013-05-31 00:00:00", - "ValidTo": "2016-06-29 23:59:59", - "Signature": "42e8dc916f2dc408ca5166c8b7ced14e560f83871c13c6c64e315e05fe905f6d744191e2e1fa04e15896b09c9853c735ac78efecf1d9d6c4b81d449b71b041b37f66e879cdd3ccaee2fad716d01f842540235d15c8b607c010ae4abe541053cc38f0f16c25c4cc1064aea63f2db60ebb4a7fd0f4c468f658bfe57c541b1b9292c3e6490604e75ceb222dad4bd25c3cf81031d9eeb9599a7f150f3ea8417ae517a59488fc512bbda13ba30018b1692ebfea87957384abb8cb0ce20141a7d58299a15454184e79a36c7e492e5e98c145e6e2b6010fb70825c2557176ad96047e55ca2136536f9d2357f3bbd970eb696a6af7eedb5ffdbe4696b99412a5d09e568e", + "Subject": "C=TR, L=Edirne, O=Zemana Ltd., CN=Zemana Ltd.", + "ValidFrom": "2014-12-16 00:00:00", + "ValidTo": "2017-12-20 12:00:00", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA", + "ValidFrom": "2011-04-15 19:45:33", + "ValidTo": "2021-04-15 19:55:33", + "Signature": "208cc159ed6f9c6b2dc14a3e751d454c41501cbd80ead9b0928b062a133f53169e56396a8a63b6782479f57db8b947a10a96c2f6cbbda2669f06e1acd279090efd3cdcac020c70af3f1bec787ed4eb4b056026d973619121edb06863e09712ab6fa012edd99fd2da273cb3e456f9d1d4810f71bd427ca689dccdd5bd95a2abf193117de8ac3129a85d6670419dfc75c9d5b31a392ad08505508bac91cac493cb71a59da4946f580cfa6e20c40831b5859d7e81f9d23dca5b18856c0a86ec22091ba574344f7f28bc954aab1db698b05d09a477767eefa78e5d84f61824cbd16da6c3a19cc2107580ff9d32fde6cf433a82f7ce8fe1722a9b62b75fed951a395c2f946d48b7015f332fbbdc2d73348904420a1c8b79f9a3fa17effaa11a10dfe0b2c195eb5c0c05973b353e18884ddb6cbf24898dc8bdd89f7b393a24a0d5dfd1f34a1a97f6a66f7a1fb090a9b3ac013991d361b764f13e573803afce7ad2b590f5aedc3999d5b63c97eda6cb16c77d6b2a4c9094e64c54fd1ecd20ecce689c8758e96160beeb0ec9d5197d9fe978bd0eac2175078fa96ee08c6a2a6b9ce3e765bcbc2d3c6ddc04dc67453632af0481bca8006e614c95c55cd48e8e9f2fc13274bdbd11650307cdefb75e0257da86d41a2834af8849b2cfa5dd82566f68aa14e25954feffeaeeefea9270226081e32523c09fcc0f49b235aa58c33ac3d9169410", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "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", + "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1", + "ValidFrom": "2011-02-11 12:00:00", + "ValidTo": "2026-02-10 12:00:00", + 
"Signature": "49eb7c60beaeefc97cb3c5ba4b64df1669e286fa29d9de98857d406626332f4455aaaa90e935700a34bed3ae542e8e6500d67a32203e6c26b898a939b1bc95c7aae9f5ee4666c6b3e812f8b3979dff74588234997550ac448fe892ce7d8b0f3196c7dcd31130987416c6e56b4576a39401cd33007a48f66f8631c9562b3322d5f801b644ce8cb4ca88d2e416e3e7f6e23ee109c09d7943437f555c05ad9310c62c0d6bc09eea78e5d277d6b8da9a987fba4c922b9dbda488b1ddafc34cd2979b03c6ae5f1b440f333715e3cbff2f56d316a45b55679da2cadb346c0c734ab57ba4b6b3e935027870ec007acbfc4b4f2236bb1484c98f91dd0f3c758cca0b88e7", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "63acb2cbe8cf97d66478469f5ce0d445", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "0210230fd364b469091b8a4440145e18", + "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance Code Signing CA,1" } ] } 
@@ -123880,26 +133604,27 @@ } ], "Tags": [ - "CITMDRV_IA64.sys" - ] + "zam64.sys" + ], + "yara": true }, { - "Id": "e4098d7e-78b3-4da1-96cb-68b27f245e02", + "Id": "457f8b21-202a-4a3d-a18d-b4aaded9ef02", "Author": "Michael Haag", "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", - "Verified": "TRUE", + "Verified": "FALSE", "Commands": { - "Command": "sc.exe create HwOs2Ec7x64.sys binPath=C:\\windows\\temp\\HwOs2Ec7x64.sys type=kernel && sc.exe start HwOs2Ec7x64.sys", + "Command": "sc.exe create WinIo64B.sys binPath=C:\\windows\\temp\\WinIo64B.sys type=kernel && sc.exe start WinIo64B.sys", "Description": "", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md" + " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" ], "Acknowledgement": { "Person": "", 
@@ -123908,100 +133633,112 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "HwOs2Ec7x64.sys", - "MD5": "bae1f127c4ff21d8fe45e2bbfc59c180", - "SHA1": "26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab", - "SHA256": "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de", + "Filename": "WinIo64B.sys", + "SHA1": "f18e669127c041431cde8f2d03b15cfc20696056", + "Signature": [], + "Date": "", + "Publisher": "", + "Company": "", + "Description": "", + "Product": "", + "ProductVersion": "", + "FileVersion": "", + "MachineType": "", + "OriginalFilename": "" + } + ], + "Tags": [ + "WinIo64B.sys" + ], + "yara": false + }, + { + "Id": "bf01915d-045f-442c-a74e-25c56182123f", + "Author": "Michael Haag", + "Created": "2023-01-09", + "MitreID": "T1068", + "Category": "vulnerable driver", + "Verified": "TRUE", + "Commands": { + "Command": "sc.exe create BSMI.sys binPath=C:\\windows\\temp\\BSMI.sys type=kernel && sc.exe start BSMI.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, + "Resources": [ + " https://github.com/elastic/protections-artifacts/search?q=VulnDriver", + "https://github.com/elastic/protections-artifacts/search?q=VulnDriver" + ], + "Acknowledgement": { + "Person": "", + "Handle": "" + }, + "Detection": [ + { + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347.yara" + }, + { + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" + }, + { + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": 
"sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "BSMI.sys", + "MD5": "fac8eb49e2fd541b81fcbdeb98a199cb", + "SHA1": "9a35ae9a1f95ce4be64adc604c80079173e4a676", + "SHA256": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347", "Signature": [ - "Huawei Technologies Co.,Ltd.", - "VeriSign Class 3 Code Signing 2010 CA", - "VeriSign" + "BIOSTAR MICROTECH INT'L CORP", + "VeriSign Class 3 Code Signing 2009-2 CA", + "VeriSign Class 3 Public Primary CA" ], "Date": "", "Publisher": "", - "Company": "Huawei", - "Description": "HwOs2Ec", - "Product": "Huawei MateBook", - "ProductVersion": "1.0.0.1", - "FileVersion": "1.0.0.1", + "Company": "", + "Description": "SMI Driver", + "Product": "", + "ProductVersion": "1.0.0.3", + "FileVersion": "1.0.0.3", "MachineType": "AMD64", - "OriginalFilename": "HwOs2Ec.sys", + "OriginalFilename": "BSMI.sys", "Authentihash": { - "MD5": "9a0c8745f43136476aa78ea77af67a0a", - "SHA1": "dcfc27b5aac3e1911c0617d6c1823e65267c09a3", - "SHA256": "b78cb190a4968d06f2cdab65ea0106bc47eefdaffc871ba5dd2c2dccadb1e403" + "MD5": "0dea670f26bf6bf65701c4aa0dd89079", + "SHA1": "cc071f9cc1cb577b22824d401b63508f61cd76c0", + "SHA256": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7" }, - "InternalName": "HwOs2Ec", - "Copyright": "Copyright (C) 2016", + "InternalName": "BSMI.sys", + "Copyright": "Copyright (C) BIOSTAR Corp. 
2011", "Imports": [ "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "DbgPrint", - "IofCompleteRequest", - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", "IoDeleteSymbolicLink", - "IoGetCurrentProcess", - "InitSafeBootMode", - "memcpy_s", "RtlInitUnicodeString", - "RtlEqualUnicodeString", - "RtlCopyUnicodeString", - "RtlAppendUnicodeToString", - "ExAllocatePool", - "ExFreePoolWithTag", - "MmProbeAndLockPages", - "MmMapLockedPagesSpecifyCache", - "MmUnmapLockedPages", - "IoAllocateMdl", - "IoFreeMdl", - "ObReferenceObjectByHandle", - "ObfDereferenceObject", - "ZwClose", - "PsSetCreateProcessNotifyRoutine", - "ZwOpenProcess", - "ZwQuerySystemInformation", - "ZwAllocateVirtualMemory", - "ZwFreeVirtualMemory", - "KeInitializeApc", - "ZwOpenThread", - "KeInsertQueueApc", - "PsGetProcessPeb", - "RtlImageDirectoryEntryToData", - "KeStackAttachProcess", - "KeUnstackDetachProcess", - "__C_specific_handler", - "PsProcessType", - "PsThreadType", - "PsGetThreadId", - "PsGetThreadProcessId", - "RtlGetVersion", - "ExAllocatePoolWithTag", - "MmGetSystemRoutineAddress", - "ZwTerminateProcess", - "KeInitializeEvent", - "ExAcquireFastMutex", - "ExReleaseFastMutex", - "KeSetEvent", - "KeWaitForMultipleObjects", - "KeWaitForSingleObject", - "PsCreateSystemThread", - "PsTerminateSystemThread", - "RtlCompareUnicodeStrings", - "wcscpy_s", - "_wcsnicmp", - "RtlCompareUnicodeString", - "RtlAppendUnicodeStringToString", - "ZwCreateFile", - "ZwOpenKey", - "ZwQueryValueKey", - "ZwQueryInformationProcess", - "ObOpenObjectByPointer", - "ObQueryNameString", - "IoFileObjectType", + "IoDeleteDevice", + "MmUnmapIoSpace", + "MmGetPhysicalAddress", + "MmMapIoSpace", + "IofCompleteRequest", + "IoCreateSymbolicLink", + "IoCreateDevice", + "RtlAssert", + "DbgPrint", "KeBugCheckEx" ], "Signatures": [ 
@@ -124010,45 +133747,45 @@ "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", - "ValidFrom": "2012-12-21 00:00:00", - "ValidTo": "2020-12-30 23:59:59", - "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3", + "ValidFrom": "2012-05-01 00:00:00", + "ValidTo": "2012-12-31 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4", - "ValidFrom": "2012-10-18 00:00:00", - "ValidTo": "2020-12-29 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA", + "ValidFrom": "2003-12-04 00:00:00", + "ValidTo": "2013-12-03 23:59:59", + "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Huawei Technologies Co.,Ltd., OU=Handset Engineer Testing Department (Dongguan), CN=Huawei Technologies Co.,Ltd.", - "ValidFrom": "2014-08-26 00:00:00", - "ValidTo": "2017-10-24 23:59:59", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA", + 
"ValidFrom": "2009-05-21 00:00:00", + "ValidTo": "2019-05-20 23:59:59", + "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", + "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority", + "ValidFrom": "2006-05-23 17:01:29", + "ValidTo": "2016-05-23 17:11:29", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", - "ValidFrom": "2010-02-08 00:00:00", - "ValidTo": "2020-02-07 23:59:59", - "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP", + "ValidFrom": 
"2010-09-19 00:00:00", + "ValidTo": "2013-10-19 23:59:59", + "Signature": "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", "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "4c1a3d7c5bdaef3e1166416afe8138e9", - "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" + "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA" } ] } @@ -124056,27 +133793,27 @@ } ], "Tags": [ - "HwOs2Ec7x64.sys" - ] + "BSMI.sys" + ], + "yara": true }, { - "Id": "d64167b6-f281-41d8-9535-6cb925e77aec", + "Id": "0c0198a3-5c63-4a9b-abe9-88a810602329", "Author": "Michael Haag", - "Created": "2023-01-09", + "Created": "2023-03-04", "MitreID": "T1068", - "Category": "vulnerable driver", + "Category": "malicious", "Verified": "TRUE", "Commands": { - "Command": "sc.exe create EneTechIo64.sys binPath=C:\\windows\\temp\\EneTechIo64.sys type=kernel && sc.exe start EneTechIo64.sys", - "Description": "", + "Command": "sc.exe create 2.sys binPath=C:\\windows\\temp\\2.sys type=kernel && sc.exe start 2.sys", + "Description": "Driver categorized as POORTRY by Mandiant.", "Usecase": "Elevate privileges", "Privileges": "kernel", "OperatingSystem": "Windows 10" }, "Resources": [ - " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c", - "https://github.com/hfiref0x/KDU/releases/tag/v1.2.0", - "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + "" ], "Acknowledgement": { "Person": "", 
@@ -124085,10 +133822,10 @@ "Detection": [], "KnownVulnerableSamples": [ { - "Filename": "EneTechIo64.sys", - "MD5": "d6e9f6c67d9b3d790d592557a7d57c3c", - "SHA1": "a87d6eac2d70a3fbc04e59412326b28001c179de", - "SHA256": "06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50", + "Filename": "2.sys", + "MD5": "bd25be845c151370ff177509d95d5add", + "SHA1": "10115219e3595b93204c70eec6db3e68a93f3144", + "SHA256": "88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463", "Signature": [ "Microsoft Windows Hardware Compatibility Publisher", "Microsoft Windows Third Party Component CA 2014", @@ -124104,33 +133841,35 @@ "MachineType": "AMD64", "OriginalFilename": "", "Authentihash": { - "MD5": "0765c07a666231285972c3487acfc7b2", - "SHA1": "6b60825564b2dccff3a4f904b71541bfe94136c9", - "SHA256": "865e4bc7290fc3b380e266ccd98c2d4e965beb711d7efd090d052e8326accdd2" + "MD5": "887c566bdc8ed5231f45a37845d5ee89", + "SHA1": "e6ab2bbad89502d8985381b33d7351eb97cb2b78", + "SHA256": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb" }, "InternalName": "", "Copyright": "", "Imports": [ - "ntoskrnl.exe", - "HAL.dll" + "ntoskrnl.exe" ], "ExportedFunctions": "", "ImportedFunctions": [ - "IoCreateDevice", - "IoCreateSymbolicLink", - "IoDeleteDevice", + "ExAllocatePoolWithTag", "IoDeleteSymbolicLink", - "ObReferenceObjectByHandle", - "IofCompleteRequest", + "ExFreePoolWithTag", + "RtlAnsiStringToUnicodeString", + "RtlInitUnicodeString", + "IoDeleteDevice", + "IoCreateFile", + "RtlInitString", + "RtlFreeUnicodeString", + "ZwQueryDirectoryFile", "ZwClose", - "ZwOpenSection", - "ZwMapViewOfSection", - "ZwUnmapViewOfSection", - "RtlTimeToSecondsSince1970", + "IofCompleteRequest", + "IoIsWdmVersionAvailable", + "IoCreateSymbolicLink", + "IoCreateDevice", + "DbgPrint", "KeBugCheckEx", - "ObfDereferenceObject", - "RtlInitUnicodeString", - "HalTranslateBusAddress" + "__chkstk" ], "Signatures": [ { 
@@ -124139,9 +133878,9 @@ "Certificates": [ { "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", + "ValidFrom": "2022-06-07 18:08:06", + "ValidTo": "2023-06-01 18:08:06", + "Signature": "0a835e40cdb627d4f0a0d3dbbf64a46a05c132d0b5df9d11cd9c195d7037737057d57a342732ae68d67de47f460e7211c7c40dc29b0a079caff871c4834a9a2fc85e759de9b78659ad6fd79b7320e538e9ba5d52227ad67cc00b0a770ef662af3d743a558643ad89cfb015591709a69b6271a9b65db71898e7cb9964c6376dc474898301a6133198b486b518fdd9d7b9723dcffc441e026833f7c72e27986026c97b9184a0048b10d1fe6847ae467f02173f7a69120be780e5b6b9e6399402cc58735a31b537cc33578fbea443135a4a612359150bcf9ab316f6a9248bc71ef3f3480b9b3fa2341692bc3a121d80214688f7bd87d5ec56dcbd0ea61abf2c7ed2b739a07590adb596d401735d955f5f94c591d69ab4363a42f9fca549d439495711ff7990448c03724792ed4acf31f2b35b136c1b2f37aa82b1aabf7daf059dcb2e976e95311ec6e9cc53876dd09632cf512d39c801849a7c1088a565691953e07c7ff17b22518e982dd2dcc0feda8c834ca1f5e247aef1c3af5f13cd4b8cc1b6c0179bc876db88d677047c34366533e349796dbdea86389ad640710b7742ae8cc4ec88f10fa80ede4b1c93f81b55480fc8228216d54813df0327e74b3db9f3512a40c0568e4215827f9b7a2613deea72a7ec4df2def05e5559015049fe83edc83300526045cb128119e131b7d3573b268e24b0a25b9ad59f6301c8fc8f409322", "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" }, { @@ -124154,7 +133893,7 @@ ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", + "SerialNumber": "3300000057ee4d659a923e7c10000000000057", "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" } ] 
@@ -124163,392 +133902,250 @@ } ], "Tags": [ - "EneTechIo64.sys" - ] + "2.sys" + ], + "yara": false }, { - "Id": "214654eb-90c4-48c8-a183-0157e50bf07f", - "Author": "Nasreddine Bencherchali", - "Created": "2023-05-06", + "Id": "04d377f9-36e0-42a4-8d47-62232163dc68", + "Author": "Michael Haag", + "Created": "2023-01-09", "MitreID": "T1068", "Category": "vulnerable driver", "Verified": "TRUE", - "Commands": "sc.exe create MsIo64.sys binPath=C:\\windows\\temp\\MsIo64.sys type=kernel && sc.exe start MsIo64.sys", - "Description": [], - "Usecase": "Elevate privileges", - "Privileges": "kernel", - "OperatingSystem": "Windows 10", + "Commands": { + "Command": "sc.exe create iomem64.sys binPath=C:\\windows\\temp\\iomem64.sys type=kernel && sc.exe start iomem64.sys", + "Description": "", + "Usecase": "Elevate privileges", + "Privileges": "kernel", + "OperatingSystem": "Windows 10" + }, "Resources": [ - "Internal Research" + " https://github.com/namazso/physmem_drivers", + "https://github.com/namazso/physmem_drivers" ], "Acknowledgement": { - "Person": [], + "Person": "", "Handle": "" }, - "Detection": [], - "KnownVulnerableSamples": [ + "Detection": [ { - "FileName": "MsIo64.sys", - "MD5": "88a6d84f4f1cc188741271ac1999a4e9", - "SHA1": "483e58ed495e4067a7c42ca48e8a5f600b14e018", - "SHA256": "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff", - "Authentihash": { - "MD5": "404c94935da4ba9eb3d5eea83c68378c", - "SHA1": "086e6e37abad257b753c26e8c9e3e181e46b10c3", - "SHA256": "d55dd56e24df201d1ad2204d565da5e8e6080d895c1ac2873a6afdcbb4c8b8c7" - }, - "Description": "MICSYS IO driver", - "Company": "MICSYS Technology Co., LTd", - "InternalName": "MsIo64.sys", - "OriginalFilename": "MsIo64.sys", - "FileVersion": "1.3 x64 built by: WinDDK", - "Product": "MsIo64 Driver Version 1.3", - "ProductVersion": "1.3 x64", - "Copyright": "Copyright (c) 2021 MICSYS", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - 
"ImportedFunctions": [ - "RtlInitUnicodeString", - "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "ObfDereferenceObject", - "IoDeleteDevice", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2021-09-09 19:15:59", - "ValidTo": "2022-09-01 19:15:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "330000004de597a775e3157f7b00000000004d", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" - } - ] - } - ] + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4.yara" }, { - "FileName": "MsIo32.sys", - "MD5": "564d84a799db39b381a582a0b2f738c4", - "SHA1": "fbc6d2448739ddec35bb5d6c94b46df4148f648d", - "SHA256": "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6", - "Authentihash": { - "MD5": "d7acc8a58b2163f0b070d647e81c49fd", - "SHA1": "0cb0fd5bea730e4eaaec1426b0c15376ccac6d83", - "SHA256": "0d0962db9dc6879067270134801ad425c1f3e85b0dc39877c02aaa9c54aca14e" - }, - "Description": "", - "Company": "", - "InternalName": "", - "OriginalFilename": 
"", - "FileVersion": "", - "Product": "", - "ProductVersion": "", - "Copyright": "", - "MachineType": "I386", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "ObfDereferenceObject", - "ZwUnmapViewOfSection", - "IofCompleteRequest", - "MmAllocateNonCachedMemory", - "MmFreeNonCachedMemory", - "Ke386SetIoAccessMap", - "ZwOpenSection", - "IoGetCurrentProcess", - "IoCreateSymbolicLink", - "IoCreateDevice", - "KeTickCount", - "ObReferenceObjectByHandle", - "ZwMapViewOfSection", - "ZwClose", - "DbgPrint", - "RtlInitUnicodeString", - "IoDeleteSymbolicLink", - "Ke386IoSetAccessProcess", - "IoDeleteDevice", - "WRITE_PORT_USHORT", - "WRITE_PORT_UCHAR", - "READ_PORT_ULONG", - "READ_PORT_USHORT", - "READ_PORT_UCHAR", - "HalTranslateBusAddress", - "WRITE_PORT_ULONG" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=Taiwan, ??=New Taipei, ??=Private Organization, serialNumber=84948057, C=TW, L=New Taipei, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", - "ValidFrom": "2019-05-21 00:00:00", - "ValidTo": "2022-05-20 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", - "ValidFrom": "2011-02-22 19:25:17", - "ValidTo": "2021-02-22 19:35:17", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" - } - ], - "Signer": [ - { - "SerialNumber": "49f161119a491d2a3faf4220f09db107", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" - } - ] - } - ] + "type": "yara_signature", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097.yara" }, { - "FileName": "MsIo64.sys", - "MD5": "55a7c51dc2aa959c41e391db8f6b8b4f", - "SHA1": "bc949bc040333fdc9140b897b0066ef125343ef6", - "SHA256": "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471", - "Authentihash": { - "MD5": "3cdda257c661f3c1eb256b61dba8147d", - "SHA1": "84a45f83a90b1a695ffeb915ea2a197b186857e6", - "SHA256": "9f3e67f9454cb009716b89c0a296dcde73aa29145b7dcf776b81605932785b91" - }, - "Description": "MICSYS IO driver", - "Company": "MICSYS Technology Co., LTd", - "InternalName": "MsIo64.sys", - "OriginalFilename": "MsIo64.sys", - "FileVersion": "1.3 x64 built by: WinDDK", - "Product": "MsIo64 Driver Version 1.3", - "ProductVersion": "1.3 x64", - "Copyright": "Copyright (c) 2021 MICSYS", - "MachineType": "AMD64", - "Imports": [ - "ntoskrnl.exe", - "HAL.dll" - ], - "ExportedFunctions": "", - "ImportedFunctions": [ - "RtlInitUnicodeString", - "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", - "IofCompleteRequest", - "IoCreateSymbolicLink", - "IoCreateDevice", - "ObfDereferenceObject", - "IoDeleteDevice", - "HalTranslateBusAddress" - ], - "Signatures": [ - { - "CertificatesInfo": [], - "SignerInfo": "", - "Certificates": [ - { - "Subject": "C=US, 
O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2", - "ValidFrom": "2014-03-04 00:00:00", - "ValidTo": "2024-03-03 23:59:59", - "Signature": "3f5b19f3fa13d575382a5aee9f5aa04ca91dc5cc94eede15fef5106ea41ba56483541858c40b28a185c34e74e5ff897cfed5ed3cba719f5602268f162a88feb0a32722ce4be2388e00a63a865f9de53ea8de644941744121fd07c88417da1d653082cb264f39d60427a481b14b49c3238b7e02321827b7ab0bf31872b6a4ee67066f38a6588de0f17e5da460c6a8e5505fe0e8bae28f9958b6b5a0a876f1a2f11c8841727e52979b0a36998d50f701eb3ce7f0226ae5358c63368a1ab1d967665f971aefa8209df02fba6cced9948500f158f17dc97c22b5075d02c6e60bbfab9393ff27188e33367e5734f1c3af04c184f156b3e8878336f8d30a31dc6e2c6d", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - }, - { - "Subject": "??=TW, ??=Taiwan, ??=New Taipei, ??=Private Organization, serialNumber=84948057, C=TW, L=New Taipei, O=MICSYS Technology Co., Ltd., CN=MICSYS Technology Co., Ltd.", - "ValidFrom": "2019-05-21 00:00:00", - "ValidTo": "2022-05-20 23:59:59", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" - } - ], - "Signer": [ - { - "SerialNumber": "49f161119a491d2a3faf4220f09db107", - "Issuer": "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Extended Validation Code Signing CA , G2" - } - ] - } - ] + "type": "sigma_hash", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml" }, { - "FileName": "MsIo64.sys", - "MD5": "de711decdd763a73098372f752bf5a1c", - "SHA1": "663803d7ab5aff28be37c2e7e8c7b98b91c5733e", - "SHA256": "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab", + "type": "sigma_names", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml" + }, + { + "type": "sysmon_hash_detect", + "value": 
"https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml" + }, + { + "type": "sysmon_hash_block", + "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml" + } + ], + "KnownVulnerableSamples": [ + { + "Filename": "iomem64.sys", + "MD5": "0898af0888d8f7a9544ef56e5e16354e", + "SHA1": "4b009e91bae8d27b160dc195f10c095f8a2441e1", + "SHA256": "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4", + "Signature": [ + "DT RESEARCH, INC. TAIWAN BRANCH", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "DT Research, Inc.", + "Description": "DTR Kernel mode driver", + "Product": "iomem.sys", + "ProductVersion": "2.3.0.0", + "FileVersion": "2.3.0.0", + "MachineType": "AMD64", + "OriginalFilename": "iomem.sys", "Authentihash": { - "MD5": "a108434c7016659eca85bc755687c9d1", - "SHA1": "5b030639b3e83f945ea610eead115b213bb436f6", - "SHA256": "555ebe7901706dbf801b5dbda6660002d3b36e5c669ec98ccfc6884a7481c56e" + "MD5": "9b6609bd5d9d8de37273fe2d355ae349", + "SHA1": "4bf9ce7ffca224020572af6c13e866d8d41ad5bf", + "SHA256": "46ffe559f5a8f6bd611ac5a9264edf92d8449d8d31b2ddf6b2add5971e309c56" }, - "Description": "MICSYS IO driver", - "Company": "MICSYS Technology Co., LTd", - "InternalName": "MsIo64.sys", - "OriginalFilename": "MsIo64.sys", - "FileVersion": "1.2 x64 built by: WinDDK", - "Product": "MsIo64 Driver Version 1.2", - "ProductVersion": "1.2 x64", - "Copyright": "Copyright (c) 2019 MICSYS", - "MachineType": "AMD64", + "InternalName": "iomem.sys", + "Copyright": "DT Research Inc. 
All Rights Reserved.", "Imports": [ "ntoskrnl.exe", "HAL.dll" ], "ExportedFunctions": "", "ImportedFunctions": [ + "IoDeleteDevice", + "MmUnmapIoSpace", + "KeEnterCriticalRegion", + "MmFreeNonCachedMemory", + "MmMapIoSpace", "RtlInitUnicodeString", - "DbgPrint", - "ZwClose", - "ZwMapViewOfSection", - "ObReferenceObjectByHandle", - "ZwOpenSection", - "IoDeleteSymbolicLink", - "ZwUnmapViewOfSection", - "IofCompleteRequest", "IoCreateSymbolicLink", + "MmAllocateNonCachedMemory", "IoCreateDevice", - "ObfDereferenceObject", - "IoDeleteDevice", - "HalTranslateBusAddress" + "KeBugCheckEx", + "KeLeaveCriticalRegion", + "IofCompleteRequest", + "IoDeleteSymbolicLink", + "HalSetBusDataByOffset", + "HalGetBusDataByOffset" ], "Signatures": [ { - "CertificatesInfo": [], + "CertificatesInfo": "", "SignerInfo": "", "Certificates": [ { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher", - "ValidFrom": "2019-06-05 18:34:00", - "ValidTo": "2020-06-03 18:34:00", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2", + "ValidFrom": "2012-12-21 00:00:00", + "ValidTo": "2020-12-30 23:59:59", + "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" }, { - "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014", - "ValidFrom": "2014-10-15 20:31:27", - "ValidTo": "2029-10-15 20:41:27", - "Signature": "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", - "SignatureAlgorithmOID": "1.2.840.113549.1.1.11" + "Subject": "C=US, O=Symantec 
Corporation, CN=Symantec Time Stamping Services Signer , G4", + "ValidFrom": "2012-10-18 00:00:00", + "ValidTo": "2020-12-29 23:59:59", + "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taipei, L=Zhongzheng, O=DT RESEARCH, INC. TAIWAN BRANCH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=DT RESEARCH, INC. TAIWAN BRANCH", + "ValidFrom": "2012-11-28 00:00:00", + "ValidTo": "2014-02-27 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "33000000319479a318f5522d06000000000031", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "79666acda698ffe7bb2f8c23ade9d57d", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA" } ] } ] }, { - "FileName": "MsIo64.sys", - "MD5": "61b068b10abfa0776f3b96a208d75bf9", - "SHA1": "1de9f25d189faa294468517b15947a523538ce9d", - "SHA256": "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2", + "Filename": "iomem64.sys", + "MD5": "f1e054333cc40f79cfa78e5fbf3b54c2", + "SHA1": "6003184788cd3d2fc624ca801df291ccc4e225ee", + "SHA256": "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097", + "Signature": [ + "DT RESEARCH, INC. 
TAIWAN BRANCH", + "VeriSign Class 3 Code Signing 2010 CA", + "VeriSign" + ], + "Date": "", + "Publisher": "", + "Company": "DT Research, Inc.", + "Description": "DTR Kernel mode driver", + "Product": "iomem.sys", + "ProductVersion": "2.2.0.0", + "FileVersion": "2.2.0.0", + "MachineType": "AMD64", + "OriginalFilename": "iomem.sys", "Authentihash": { - "MD5": "aedaf6ec0809d26c9dc2f41754095790", - "SHA1": "2c7e97bafd3bc518778d78cfc5157d069714bc18", - "SHA256": "5f39b84cb5132d4facff213c630b05ec97ef9d83b93579530152310d63945762" + "MD5": "91896c53af5ab967f7f131285354e4ac", + "SHA1": "7eec42b3027252dea4c777bbdbd47560bc179986", + "SHA256": "57d36936fbf8785380536b03e5d9be172e5dd5c3bf435e19875a80aa96f97e1f" }, - "Description": "MICSYS IO driver", - "Company": "MICSYS Technology Co., LTd", - "InternalName": "MsIo64.sys", - "OriginalFilename": "MsIo64.sys", - "FileVersion": "1.3 x64 built by: WinDDK", - "Product": "MsIo64 Driver Version 1.3", - "ProductVersion": "1.3 x64", - "Copyright": "Copyright (c) 2021 MICSYS", - "MachineType": "AMD64", + "InternalName": "iomem.sys", + "Copyright": "DT Research Inc. 
All Rights Reserved.",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
+ "IoDeleteDevice",
+ "MmUnmapIoSpace",
+ "KeEnterCriticalRegion",
+ "MmFreeNonCachedMemory",
+ "MmMapIoSpace",
 "RtlInitUnicodeString",
- "DbgPrint",
- "ZwClose",
- "ZwMapViewOfSection",
- "ObReferenceObjectByHandle",
- "ZwOpenSection",
- "ObfDereferenceObject",
- "IoDeleteSymbolicLink",
- "__C_specific_handler",
- "IofCompleteRequest",
- "ProbeForWrite",
- "ProbeForRead",
 "IoCreateSymbolicLink",
+ "MmAllocateNonCachedMemory",
 "IoCreateDevice",
- "ZwUnmapViewOfSection",
- "IoDeleteDevice",
- "HalTranslateBusAddress"
+ "KeBugCheckEx",
+ "KeLeaveCriticalRegion",
+ "IofCompleteRequest",
+ "IoDeleteSymbolicLink",
+ "HalSetBusDataByOffset",
+ "HalGetBusDataByOffset"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
- "ValidFrom": "2022-06-07 18:08:05",
- "ValidTo": "2023-06-01 18:08:05",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
+ "ValidFrom": "2012-05-01 00:00:00",
+ "ValidTo": "2012-12-31 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
- "ValidFrom": "2014-10-15 20:31:27",
- "ValidTo": "2029-10-15 20:41:27",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
+ "ValidFrom": "2003-12-04 00:00:00",
+ "ValidTo": "2013-12-03 23:59:59",
+ "Signature": 
"4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=Taiwan, L=Taipei, O=DT RESEARCH, INC. TAIWAN BRANCH, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=DT RESEARCH, INC. TAIWAN BRANCH", + "ValidFrom": "2012-01-18 00:00:00", + "ValidTo": "2013-01-17 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
+ "ValidFrom": "2010-02-08 00:00:00",
+ "ValidTo": "2020-02-07 23:59:59",
+ "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "330000005635887ede1882ef76000000000056",
- "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014"
+ "SerialNumber": "215c8fa3dc44a29e86e5e59bd239b3c8",
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
 }
@@ -124556,150 +134153,151 @@
 }
 ],
 "Tags": [
- "MsIo64.sys"
- ]
+ "iomem64.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "a5ebba11-5a31-48d2-9c6d-78bba397edf1",
+ "Id": "e4098d7e-78b3-4da1-96cb-68b27f245e02",
 "Author": "Michael Haag",
- "Created": "2023-03-04",
+ "Created": "2023-01-09",
 "MitreID": "T1068",
- "Category": "malicious",
+ "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create PcieCubed.sys binPath=C:\\windows\\temp\\PcieCubed.sys type=kernel && sc.exe start PcieCubed.sys",
- "Description": "Driver categorized as POORTRY by Mandiant.",
+ "Command": "sc.exe create HwOs2Ec7x64.sys binPath=C:\\windows\\temp\\HwOs2Ec7x64.sys type=kernel && sc.exe start HwOs2Ec7x64.sys",
+ "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
 "OperatingSystem": "Windows 10"
 },
 "Resources": [
- "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware",
- ""
+ " https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"
 ],
 "Acknowledgement": {
 "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
"KnownVulnerableSamples": [
 {
- "Filename": "PcieCubed.sys",
- "MD5": "22949977ce5cd96ba674b403a9c81285",
- "SHA1": "745335bcdf02fb42df7d890a24858e16094f48fd",
- "SHA256": "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8",
+ "Filename": "HwOs2Ec7x64.sys",
+ "MD5": "bae1f127c4ff21d8fe45e2bbfc59c180",
+ "SHA1": "26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab",
+ "SHA256": "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de",
 "Signature": [
- "Microsoft Windows Hardware Compatibility Publisher",
- "Microsoft Windows Third Party Component CA 2014",
- "Microsoft Root Certificate Authority 2010"
+ "Huawei Technologies Co.,Ltd.",
+ "VeriSign Class 3 Code Signing 2010 CA",
+ "VeriSign"
 ],
 "Date": "",
 "Publisher": "",
- "Company": "Legal Corp.",
- "Description": "PCIe Video Capture",
- "Product": "PCI Express Video Capture",
- "ProductVersion": "1.0.0.15",
- "FileVersion": "1.0.0.15",
+ "Company": "Huawei",
+ "Description": "HwOs2Ec",
+ "Product": "Huawei MateBook",
+ "ProductVersion": "1.0.0.1",
+ "FileVersion": "1.0.0.1",
 "MachineType": "AMD64",
- "OriginalFilename": "PcieCubed.sys",
+ "OriginalFilename": "HwOs2Ec.sys",
 "Authentihash": {
- "MD5": "489c034fa8dcfc9d211fc7e8e80c24e6",
- "SHA1": "0a2da48019251954888ff3963ef21ccb624c1aba",
- "SHA256": "2bbbe2ae5aa51868e7afc2c16c3a0a79fa3302e6830feeccca7f0363a62dddb4"
+ "MD5": "9a0c8745f43136476aa78ea77af67a0a",
+ "SHA1": "dcfc27b5aac3e1911c0617d6c1823e65267c09a3",
+ "SHA256": "b78cb190a4968d06f2cdab65ea0106bc47eefdaffc871ba5dd2c2dccadb1e403"
 },
- "InternalName": "",
- "Copyright": "2016 Legal",
+ "InternalName": "HwOs2Ec",
+ "Copyright": "Copyright (C) 2016",
 "Imports": [
- "ntoskrnl.exe",
- "HAL.DLL",
- "ks.sys"
+ "ntoskrnl.exe"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "KeDelayExecutionThread",
- "KeWaitForMultipleObjects",
- "ZwReadFile",
+ "DbgPrint",
+ "IofCompleteRequest",
+ "IoCreateDevice",
+ "IoCreateSymbolicLink",
+ "IoDeleteDevice",
+ "IoDeleteSymbolicLink",
+ 
"IoGetCurrentProcess",
+ "InitSafeBootMode",
+ "memcpy_s",
 "RtlInitUnicodeString",
- "MmMapLockedPagesSpecifyCache",
- "ZwQueryInformationFile",
- "IoAllocateMdl",
- "RtlAnsiStringToUnicodeString",
- "IoBuildSynchronousFsdRequest",
+ "RtlEqualUnicodeString",
+ "RtlCopyUnicodeString",
 "RtlAppendUnicodeToString",
- "RtlQueryRegistryValues",
- "RtlInitAnsiString",
- "ZwSetValueKey",
- "ObfDereferenceObject",
- "ZwQueryValueKey",
 "ExAllocatePool",
- "RtlAppendUnicodeStringToString",
- "IoFreeIrp",
- "IoGetAttachedDeviceReference",
- "IoAllocateIrp",
- "RtlCopyUnicodeString",
- "IoOpenDeviceRegistryKey",
- "IoGetDeviceProperty",
- "ZwEnumerateKey",
- "IofCallDriver",
- "ZwQueryKey",
- "ZwOpenKey",
- "PoUnregisterSystemState",
- "PoRegisterSystemState",
- "RtlCompareMemory",
- "KeBugCheckEx",
- "KeReleaseSemaphore",
- "KeWaitForSingleObject",
+ "ExFreePoolWithTag",
+ "MmProbeAndLockPages",
+ "MmMapLockedPagesSpecifyCache",
+ "MmUnmapLockedPages",
+ "IoAllocateMdl",
+ "IoFreeMdl",
 "ObReferenceObjectByHandle",
- "KeInitializeSemaphore",
+ "ObfDereferenceObject",
 "ZwClose",
- "PsTerminateSystemThread",
- "PsCreateSystemThread",
- "KeInitializeEvent",
- "KeSetEvent",
- "KeSetPriorityThread",
- "KeClearEvent",
- "ExFreePool",
- "KeAcquireSpinLockRaiseToDpc",
- "KeReleaseSpinLock",
- "DbgPrint",
- "ExFreePoolWithTag",
- "RtlFreeUnicodeString",
+ "PsSetCreateProcessNotifyRoutine",
+ "ZwOpenProcess",
+ "ZwQuerySystemInformation",
+ "ZwAllocateVirtualMemory",
+ "ZwFreeVirtualMemory",
+ "KeInitializeApc",
+ "ZwOpenThread",
+ "KeInsertQueueApc",
+ "PsGetProcessPeb",
+ "RtlImageDirectoryEntryToData",
+ "KeStackAttachProcess",
+ "KeUnstackDetachProcess",
+ "__C_specific_handler",
+ "PsProcessType",
+ "PsThreadType",
+ "PsGetThreadId",
+ "PsGetThreadProcessId",
+ "RtlGetVersion",
 "ExAllocatePoolWithTag",
- "ZwOpenFile",
- "IoConnectInterrupt",
- "IoDisconnectInterrupt",
- "IoGetDmaAdapter",
- "IoFreeMdl",
- "KeInsertQueueDpc",
- "MmProbeAndLockPages",
- "MmUnlockPages",
- 
"MmUnmapIoSpace",
- "KeInitializeDpc",
- "MmMapIoSpace",
- "KeSetTimerEx",
- "KeInitializeTimerEx",
- "KeCancelTimer",
 "MmGetSystemRoutineAddress",
- "PsGetVersion",
- "__C_specific_handler",
- "memcmp",
- "KeQueryPerformanceCounter",
- "KsPinGetLeadingEdgeStreamPointer",
- "KsPinGetParentFilter",
- "KsStreamPointerUnlock",
- "KsGetPinFromIrp",
- "KsGetFilterFromIrp",
- "KsGetDevice",
- "_KsEdit",
- "KsReleaseDevice",
- "KsCreateFilterFactory",
- "KsAddItemToObjectBag",
- "KsInitializeDriver",
- "KsFilterFactoryUpdateCacheData",
- "KsPinReleaseProcessingMutex",
- "KsPinAcquireProcessingMutex",
- "KsAcquireDevice",
- "KsPinGetReferenceClockInterface"
+ "ZwTerminateProcess",
+ "KeInitializeEvent",
+ "ExAcquireFastMutex",
+ "ExReleaseFastMutex",
+ "KeSetEvent",
+ "KeWaitForMultipleObjects",
+ "KeWaitForSingleObject",
+ "PsCreateSystemThread",
+ "PsTerminateSystemThread",
+ "RtlCompareUnicodeStrings",
+ "wcscpy_s",
+ "_wcsnicmp",
+ "RtlCompareUnicodeString",
+ "RtlAppendUnicodeStringToString",
+ "ZwCreateFile",
+ "ZwOpenKey",
+ "ZwQueryValueKey",
+ "ZwQueryInformationProcess",
+ "ObOpenObjectByPointer",
+ "ObQueryNameString",
+ "IoFileObjectType",
+ "KeBugCheckEx"
 ],
 "Signatures": [
 {
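Review bot: The first `Resources` entry of the new HwOs2Ec7x64.sys record, `" https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md"`, carries a leading space and duplicates the entry right after it, so anything that renders or fetches the URL verbatim gets a broken link plus a double listing. The same leading-space duplicate appears in the records added in the hunk headed `@@ -124732,114 +134351,206 @@` (the learn.microsoft.com and namazso/physmem_drivers entries). Since this file mirrors upstream LOLDrivers data, the durable fix is upstream; until then the loader in pkg/loldrivers could trim and de-duplicate `Resources` after unmarshalling, which is safer than hand-editing a vendored file that the next refresh will overwrite.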
@@ -124707,24 +134305,45 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
- "ValidFrom": "2022-06-07 18:08:06",
- "ValidTo": "2023-06-01 18:08:06",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
+ "ValidFrom": "2012-12-21 00:00:00",
+ "ValidTo": "2020-12-30 23:59:59",
+ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
- "ValidFrom": "2014-10-15 20:31:27",
- "ValidTo": "2029-10-15 20:41:27",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
+ "ValidFrom": "2012-10-18 00:00:00",
+ "ValidTo": "2020-12-29 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Huawei Technologies Co.,Ltd., OU=Handset Engineer Testing Department (Dongguan), CN=Huawei Technologies Co.,Ltd.",
+ "ValidFrom": "2014-08-26 00:00:00",
+ "ValidTo": "2017-10-24 23:59:59",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5", + "ValidFrom": "2011-02-22 19:25:17", + "ValidTo": "2021-02-22 19:35:17", + "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" } ], "Signer": [ { - "SerialNumber": "3300000057ee4d659a923e7c10000000000057", - "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014" + "SerialNumber": "4c1a3d7c5bdaef3e1166416afe8138e9", + "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa 
(c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
 }
@@ -124732,114 +134351,206 @@
 }
 ],
 "Tags": [
- "PcieCubed.sys"
- ]
+ "HwOs2Ec7x64.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "39f427b6-aad3-4cb8-b363-9113a6d53b07",
- "Author": "Nasreddine Bencherchali",
- "Created": "2023-05-06",
+ "Id": "a1d35b93-e97f-4ddd-a465-2405e804e754",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
- "Verified": "TRUE",
- "Commands": "sc.exe create BS_RCIOW1064.sys binPath=C:\\windows\\temp\\BS_RCIOW1064.sys type=kernel && sc.exe start BS_RCIOW1064.sys",
- "Description": [],
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10",
+ "Verified": "FALSE",
+ "Commands": {
+ "Command": "sc.exe create windows-xp-64.sys binPath=C:\\windows\\temp\\windows-xp-64.sys type=kernel type=kernel && sc.exe start windows-xp-64.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
 "Resources": [
- "Internal Research"
+ " https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules"
 ],
 "Acknowledgement": {
- "Person": [],
+ "Person": "",
 "Handle": ""
 },
 "Detection": [],
 "KnownVulnerableSamples": [
 {
- "FileName": "BS_RCIOW1064.sys",
- "MD5": "6b6dfb6d952a2e36efd4a387fdb94637",
- "SHA1": "42eb220fdfb76c6e0649a3e36acccbdf36e287f1",
- "SHA256": "6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc",
+ "Filename": "windows-xp-64.sys",
+ "SHA256": "dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22",
+ "Signature": [],
+ "Date": "",
+ "Publisher": "",
+ "Company": "",
+ "Description": "",
+ "Product": "",
+ "ProductVersion": "",
+ "FileVersion": "",
+ "MachineType": "",
+ "OriginalFilename": ""
+ }
+ ],
+ "Tags": [
+ "windows-xp-64.sys"
+ 
],
+ "yara": false
+ },
+ {
+ "Id": "51c342f3-0b91-4674-8f81-bc016855f30f",
+ "Author": "Michael Haag",
+ "Created": "2023-01-09",
+ "MitreID": "T1068",
+ "Category": "vulnerable driver",
+ "Verified": "TRUE",
+ "Commands": {
+ "Command": "sc.exe create AsrDrv101.sys binPath=C:\\windows\\temp\\AsrDrv101.sys type=kernel && sc.exe start AsrDrv101.sys",
+ "Description": "",
+ "Usecase": "Elevate privileges",
+ "Privileges": "kernel",
+ "OperatingSystem": "Windows 10"
+ },
+ "Resources": [
+ " https://github.com/namazso/physmem_drivers",
+ "https://github.com/namazso/physmem_drivers"
+ ],
+ "Acknowledgement": {
+ "Person": "",
+ "Handle": ""
+ },
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
+ "KnownVulnerableSamples": [
+ {
+ "Filename": "AsrDrv101.sys",
+ "MD5": "1a234f4643f5658bab07bfa611282267",
+ "SHA1": "57511ef5ff8162a9d793071b5bf7ebe8371759de",
+ "SHA256": "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b",
+ "Signature": [
+ "ASROCK Incorporation",
+ "VeriSign Class 3 Code Signing 2010 CA",
+ "VeriSign"
+ ],
+ "Date": "",
+ "Publisher": "ASROCK Incorporation",
+ "Company": "ASRock Incorporation",
+ "Description": "ASRock IO Driver",
+ "Product": "ASRock IO 
Driver",
+ "ProductVersion": "1.00.00.0000",
+ "FileVersion": "1.00.00.0000 built by: WinDDK",
+ "MachineType": "AMD64",
+ "OriginalFilename": "AsrDrv.sys",
 "Authentihash": {
- "MD5": "aa8a043ec2d13570a43af8e09d4adf4f",
- "SHA1": "3c8cab4c08a37a105200feb8f07dd818c8f03bff",
- "SHA256": "545190e8b2a910e153b12559a9875154a1b40d6424cb4a6299a84b2dc99df700"
+ "MD5": "236e9dd83b6d3ae6d23a57590b68fb5e",
+ "SHA1": "d0580bfc31faefb7e017798121c5b8a4e68155f9",
+ "SHA256": "fee4560f2160a951d83344857eb4587ab10c1cfd8c5cfc23b6f06bef8ebcd984"
 },
- "Description": "",
- "Company": "",
- "InternalName": "",
- "OriginalFilename": "",
- "FileVersion": "",
- "Product": "",
- "ProductVersion": "",
- "Copyright": "",
- "MachineType": "AMD64",
+ "InternalName": "AsrDrv.sys",
+ "Copyright": "Copyright (C) 2012 ASRock Incorporation",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "KeInitializeSemaphore",
- "IoCreateSymbolicLink",
- "IoCreateDevice",
- "KeSetEvent",
+ "IoDeleteSymbolicLink",
+ "ExFreePoolWithTag",
+ "MmFreeContiguousMemorySpecifyCache",
+ "RtlInitUnicodeString",
+ "IoDeleteDevice",
+ "RtlQueryRegistryValues",
 "MmUnmapIoSpace",
- "KeDelayExecutionThread",
- "PsCreateSystemThread",
- "IoStartNextPacket",
- "PsTerminateSystemThread",
- "ExEventObjectType",
+ "IoFreeMdl",
+ "MmGetPhysicalAddress",
+ "IoBuildAsynchronousFsdRequest",
 "MmMapIoSpace",
- "IoDeleteDevice",
- "ObReferenceObjectByHandle",
- "KeWaitForSingleObject",
- "KeReleaseSemaphore",
- "ObfDereferenceObject",
- "IoReleaseCancelSpinLock",
- "IoAcquireCancelSpinLock",
- "IoStartPacket",
 "IofCompleteRequest",
- "KeRemoveEntryDeviceQueue",
+ "IoFreeIrp",
+ "RtlCompareMemory",
+ "MmUnlockPages",
+ "IoCreateSymbolicLink",
+ "IoCreateDevice",
+ "MmAllocateContiguousMemorySpecifyCache",
+ "IofCallDriver",
 "KeBugCheckEx",
- "RtlInitUnicodeString",
- "ZwClose",
- "IoDeleteSymbolicLink",
- "HalSetBusDataByOffset",
- "HalGetBusDataByOffset"
+ "ExAllocatePoolWithTag",
+ 
"KeStallExecutionProcessor"
 ],
 "Signatures": [
 {
- "CertificatesInfo": [],
+ "CertificatesInfo": "",
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA",
- "ValidFrom": "2011-04-15 19:45:33",
- "ValidTo": "2021-04-15 19:55:33",
- "Signature": "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",
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
+ "ValidFrom": "2012-12-21 00:00:00",
+ "ValidTo": "2020-12-30 23:59:59",
+ "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "??=Private Organization, ??=TW, serialNumber=23826200, ??=2F, NO.108,2, MIN CHUAN RD, postalCode=231, C=TW, ST=XINDIAN DIST, L=NEW TAIPEI CITY, O=Biostar Microtech Int'l Corp, CN=Biostar Microtech Int'l Corp",
- "ValidFrom": "2017-03-03 00:00:00",
- "ValidTo": "2018-11-21 12:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
+ "ValidFrom": "2012-10-18 00:00:00",
+ "ValidTo": "2020-12-29 23:59:59",
+ "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
+ 
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)",
- "ValidFrom": "2012-04-18 12:00:00",
- "ValidTo": "2027-04-18 12:00:00",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
+ "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. , For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
+ "ValidFrom": "2006-11-08 00:00:00",
+ "ValidTo": "2021-11-07 23:59:59",
+ "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ },
+ {
+ "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
+ "ValidFrom": "2006-05-23 17:01:29",
+ "ValidTo": "2016-05-23 17:11:29",
+ "Signature": 
"01e446b33b457f7513877e5f43de468ecb8abdb64741bccccc7491d8ce395195a4a6b547c0efd2da7b8f5711f4328c7ccd3fee42da04214af7c843884a6f5cca14fc4bd19f4cbdd4556ecc02be0da6888f8609baa425bde8b0f0fa8b714e67b0cb82a8d78e55f737ebf03e88efe4e08afd1c6e2e61414875b4b02c1d28d8490fd715f02473253ccc880cde284c6554fe5eae8cea19ad2c51b29b3a47f53c80350117e24987d6544afb4bab07bcbf7d79cfbf35005cbb9ecffc82891b39a05197b6dec0b307ff449644c0342a195cabeef03bec294eb513c537857e75d5b4d60d066eb5d26c237167eaf1718eaf4e74aa0cf9ecbf4c58fa5e909b6d39cb86883f8b1ca81632d5fe6db9f1f8b3ead791f6364778c0272a15c768d6f4c5fc4f4ec8673f102d409ff11ec96148e7a703fc31730cf04688fe56da492995ef09daa3e5beef60ecd954a0599c28bd54ef66157f874c84dba60e95672e517b3439b641c28c846826dc240209e7818e0a972defeea7b998a60f818dc710b5e1ed982f486f53854964789bec5dac970b5526c3efba8dc8d1a52f5a7f936b611a339b18b8a26210de24ea76e12f43ebecdd7c12342489da2855aee5754e312b6763b6a8d7ab730a03cec5ea593fc7eb2a45aea8625b2f009939abb45f73c308ec80118f470e8f2a1343e191066255bbffba3da9a93d260faeca7d628b155589d694344dd665", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=TW, ST=TAIWAN, L=Taipei, O=ASROCK Incorporation, OU=Digital ID Class 3 , Microsoft Software Validation v2, CN=ASROCK Incorporation", + "ValidFrom": "2011-03-07 00:00:00", + "ValidTo": "2014-04-03 23:59:59", + "Signature": "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", + "SignatureAlgorithmOID": "1.2.840.113549.1.1.5" + }, + { + "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA", + "ValidFrom": "2010-02-08 00:00:00", + "ValidTo": "2020-02-07 23:59:59", + "Signature": 
"5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "0293728e6275aee2cea6efb4bac1eed6",
- "Issuer": "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)"
+ "SerialNumber": "45dfec7bb3d378c97feb24efd699bb4e",
+ "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
 }
 ]
 }
@@ -124847,8 +134558,9 @@
 }
 ],
 "Tags": [
- "BS_RCIOW1064.sys"
- ]
+ "AsrDrv101.sys"
+ ],
+ "yara": true
 },
 {
 "Id": "73196456-40ae-4b6d-8562-07cf99458a7d",
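Review bot: The `Command` of the new windows-xp-64.sys record repeats `type=kernel` (`... type=kernel type=kernel && sc.exe start windows-xp-64.sys`); the second occurrence should be dropped so the stored command has the same shape as every other record. That same sample object also carries only `SHA256` and `"Signature": []`, with no `MD5`, `SHA1` or `Authentihash` keys at all, unlike the other samples in this hunk, so a consumer decoding into a fixed struct will see empty hash strings for it; the loader should skip empty hashes when building any hash-keyed lookup rather than indexing on `""`. Both issues originate in the upstream LOLDrivers data, so they are worth reporting there as well as tolerating here.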
@@ -124869,7 +134581,32 @@
 "Person": [],
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184.yara"
+ },
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
 "KnownVulnerableSamples": [
 {
 "FileName": "kEvP64.sys",
@@ -125234,141 +134971,18 @@
 ],
 "Tags": [
 "kEvP64.sys"
- ]
- },
- {
- "Id": "eef1fcf4-8c54-420b-8d38-9c5f95129dcc",
- "Author": "Michael Haag",
- "Created": "2023-02-28",
- "MitreID": "T1068",
- "Category": "malicious",
- "Verified": "TRUE",
- "Commands": {
- "Command": "sc.exe create ntbios.sys binPath=C:\\windows\\temp \\n \\n \\n tbios.sys type=kernel && sc.exe start ntbios.sys",
- "Description": "Driver used in the Daxin malware campaign.",
- "Usecase": "Elevate privileges",
- "Privileges": "kernel",
- "OperatingSystem": "Windows 10"
- },
- "Resources": [
- "https://gist.github.com/MHaggis/9ab3bb795a6018d70fb11fa7c31f8f48",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage",
- ""
- ],
- "Acknowledgement": {
- "Person": "",
- "Handle": ""
- },
- "Detection": [],
- "KnownVulnerableSamples": [
- {
- "Filename": "ntbios.sys",
- "MD5": "14580bd59c55185115fd3abe73b016a2",
- "SHA1": "71469dce9c2f38d0e0243a289f915131bf6dd2a8",
- "SHA256": "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc",
- "Signature": "Unsigned",
- "Date": "10:26 AM 11/19/2009",
- "Publisher": "n/a",
- "Company": "Microsoft Corporation",
- "Description": "ntbios driver",
- "Product": " Microsoft(R) Windows (R) NT Operating System",
- "ProductVersion": "5, 0, 2, 1",
- "FileVersion": "5, 0, 2, 1",
- "MachineType": "I386",
- "OriginalFilename": "ntbios.sys",
- "Authentihash": {
- "MD5": "dd3f6fe14dadb95f5d8c963006dec9d7",
- "SHA1": "2374491565e5798dccd4db2dc2af7e9bbefafd5b",
- "SHA256": "50f9323eaf7c49cfca5890c6c46d729574d0caca89f7acc9f608c8226f54a975"
- },
- "InternalName": "ntbio.sys",
- "Copyright": "版权所有 (C) 2003",
- "Imports": [
- "NTOSKRNL.EXE",
- "HAL.DLL",
- "ntoskrnl.exe",
- "NDIS.SYS"
- ],
- "ExportedFunctions": "",
- "ImportedFunctions": [
- "MmUnlockPages",
- "MmProbeAndLockPages",
- "IoAllocateMdl",
- "IoQueueWorkItem",
- "IoAllocateWorkItem",
- "IoGetCurrentProcess",
- "_stricmp",
- "IoFreeWorkItem",
- 
"RtlFreeUnicodeString",
- "ZwClose",
- "ZwWriteFile",
- "ZwCreateFile",
- "RtlAnsiStringToUnicodeString",
- "_strnicmp",
- "RtlUnwind",
- "RtlCopyUnicodeString",
- "wcsncmp",
- "swprintf",
- "IoCreateDevice",
- "IoCreateSymbolicLink",
- "KeInitializeSpinLock",
- "ExfInterlockedInsertTailList",
- "RtlInitUnicodeString",
- "MmMapLockedPagesSpecifyCache",
- "IoFreeMdl",
- "InterlockedDecrement",
- "InterlockedIncrement",
- "InterlockedExchange",
- "IoDeleteSymbolicLink",
- "IoDeleteDevice",
- "ExfInterlockedRemoveHeadList",
- "IofCompleteRequest",
- "ExAllocatePoolWithTag",
- "strncmp",
- "ExFreePool",
- "KfAcquireSpinLock",
- "KfReleaseSpinLock",
- "KeInitializeApc",
- "KeInsertQueueApc",
- "KeAttachProcess",
- "KeDetachProcess",
- "NtQuerySystemInformation",
- "NdisAllocatePacket",
- "NdisCopyFromPacketToPacket",
- "NdisAllocateMemory",
- "NdisFreePacket",
- "NdisAllocateBuffer",
- "NdisSetEvent",
- "NdisResetEvent",
- "NdisFreeBufferPool",
- "NdisFreePacketPool",
- "NdisFreeMemory",
- "NdisWaitEvent",
- "NdisQueryAdapterInstanceName",
- "NdisOpenAdapter",
- "NdisInitializeEvent",
- "NdisAllocatePacketPool",
- "NdisRegisterProtocol",
- "NdisAllocateBufferPool",
- "NdisCloseAdapter",
- "NdisDeregisterProtocol"
- ],
- "Signatures": {}
- }
 ],
- "Tags": [
- "ntbios.sys"
- ]
+ "yara": true
 },
 {
- "Id": "d2806397-9ceb-47c8-b5f3-3aabec182ff5",
+ "Id": "f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create NCHGBIOS2x64.SYS binPath=C:\\windows\\temp\\NCHGBIOS2x64.SYS type=kernel && sc.exe start NCHGBIOS2x64.SYS",
+ "Command": "sc.exe create WinRing0x64.sys binPath=C:\\windows\\temp\\WinRing0x64.sys type=kernel && sc.exe start WinRing0x64.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
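Review bot: The entire ntbios.sys record (the Daxin-related sample, SHA256 `96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc`) is deleted in this hunk and nothing on the new side replaces it, so this vendored copy loses that hash-based match unless the record was relocated elsewhere in the diff or deliberately retired upstream. A quick check of upstream LOLDrivers for that SHA256 before merging would settle which case applies, and if it was retired the commit message should say so, since consumers of pkg/loldrivers will silently stop flagging that file.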
@@ -125382,56 +134996,74 @@
 "Person": "",
 "Handle": ""
 },
- "Detection": [],
+ "Detection": [
+ {
+ "type": "yara_signature",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5.yara"
+ },
+ {
+ "type": "sigma_hash",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml"
+ },
+ {
+ "type": "sigma_names",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers_names.yml"
+ },
+ {
+ "type": "sysmon_hash_detect",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes.xml"
+ },
+ {
+ "type": "sysmon_hash_block",
+ "value": "https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sysmon/sysmon_config_vulnerable_hashes_block.xml"
+ }
+ ],
 "KnownVulnerableSamples": [
 {
- "Filename": "NCHGBIOS2x64.SYS",
- "MD5": "d9ce18960c23f38706ae9c6584d9ac90",
- "SHA1": "d0d39e1061f30946141b6ecfa0957f8cc3ddeb63",
- "SHA256": "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073",
+ "Filename": "WinRing0x64.sys",
+ "MD5": "0c0195c48b6b8582fa6f6373032118da",
+ "SHA1": "d25340ae8e92a6d29f599fef426a2bc1b5217299",
+ "SHA256": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5",
 "Signature": [
- "TOSHIBA CORPORATION",
- "VeriSign Class 3 Code Signing 2010 CA",
- "VeriSign"
+ "Noriyuki MIYAZAKI",
+ "GlobalSign ObjectSign CA",
+ "GlobalSign Primary Object Publishing CA",
+ "GlobalSign Root CA - R1"
 ],
 "Date": "",
 "Publisher": "",
- "Company": "TOSHIBA Corporation",
- "Description": "BIOS Update Driver For Windows x64 Edition",
- "Product": "TOSHIBA BIOS Package",
- "ProductVersion": "4.2.4.0",
- "FileVersion": "4.2.4.0 built by: WinDDK",
+ "Company": "OpenLibSys.org",
+ "Description": "WinRing0",
+ "Product": "WinRing0",
+ "ProductVersion": "1.2.0.5",
+ "FileVersion": "1.2.0.5",
 "MachineType": "AMD64",
- "OriginalFilename": "NCHGBIOS2x64.SYS",
+ "OriginalFilename": "WinRing0.sys",
 "Authentihash": {
- "MD5": "188d9708ba2de146c555d484668decee",
- "SHA1": "bb209301f3785febdd7bdeb717cbd66340ad5c65",
- "SHA256": "c4031eb0a40137c4ab6d2dbdd2755135c63ab137a0aeb74a7bbea6617b96f0a7"
+ "MD5": "2bab314d894a026ac6073efe43c14a3d",
+ "SHA1": "266821a39174d29f6f8791cf9f44f1a1f3439dda",
+ "SHA256": "1b845e5e43ce9e9b645ac198549e81f45c08197aad69708d96cdb9a719eb0e29"
 },
- "InternalName": "NCHGBIOS2x64.SYS",
- "Copyright": "Copyright (C) 1999-2012 TOSHIBA Corporation. All Rights Reserved.",
+ "InternalName": "WinRing0.sys",
+ "Copyright": "Copyright (C) 2007-2008 OpenLibSys.org. All rights reserved.",
 "Imports": [
 "ntoskrnl.exe",
 "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "MmFreeContiguousMemory",
- "MmUnmapIoSpace",
- "MmGetPhysicalAddress",
- "MmMapLockedPagesSpecifyCache",
- "MmMapIoSpace",
+ "IoDeleteSymbolicLink",
+ "RtlInitUnicodeString",
 "IoDeleteDevice",
- "RtlCompareMemory",
- "IoCreateSymbolicLink",
 "IoCreateDevice",
- "MmAllocateContiguousMemory",
+ "MmMapIoSpace",
 "KeBugCheckEx",
- "RtlInitUnicodeString",
+ "IoCreateSymbolicLink",
+ "MmUnmapIoSpace",
 "IofCompleteRequest",
- "IoDeleteSymbolicLink",
- "HalGetBusDataByOffset",
- "HalSetBusDataByOffset"
+ "__C_specific_handler",
+ "HalSetBusDataByOffset",
+ "HalGetBusDataByOffset"
 ],
 "Signatures": [
 {
@@ -125439,52 +135071,52 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services CA , G2",
- "ValidFrom": "2012-12-21 00:00:00",
- "ValidTo": "2020-12-30 23:59:59",
- "Signature": "03099b8f79ef7f5930aaef68b5fae3091dbb4f82065d375fa6529f168dea1c9209446ef56deb587c30e8f9698d23730b126f47a9ae3911f82ab19bb01ac38eeb599600adce0c4db2d031a6085c2a7afce27a1d574ca86518e979406225966ec7c7376a8321088e41eaddd9573f1d7749872a16065ea6386a2212a35119837eb6",
+ "Subject": "C=JP, CN=Noriyuki MIYAZAKI, emailAddress=hiyohiyo@crystalmark.info",
+ "ValidFrom": "2007-09-24 10:50:55",
+ "ValidTo": "2008-09-24 10:50:55",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G4",
- "ValidFrom": "2012-10-18 00:00:00",
- "ValidTo": "2020-12-29 23:59:59",
- "Signature": "783bb4912a004cf08f62303778a38427076f18b2de25dca0d49403aa864e259f9a40031cddcee379cb216806dab632b46dbff42c266333e449646d0de6c3670ef705a4356c7c8916c6e9b2dfb2e9dd20c6710fcd9574dcb65cdebd371f4378e678b5cd280420a3aaf14bc48829910e80d111fcdd5c766e4f5e0e4546416e0db0ea389ab13ada097110fc1c79b4807bac69f4fd9cb60c162bf17f5b093d9b5be216ca13816d002e380da8298f2ce1b2f45aa901af159c2c2f491bdb22bbc3fe789451c386b182885df03db451a179332b2e7bb9dc20091371eb6a195bcfe8a530572c89493fb9cf7fc9bf3e226863539abd6974acc51d3c7f92e0c3bc1cd80475",
+ "Subject": "CN=GlobalSign RootSign Partners CA, OU=RootSign Partners CA, O=GlobalSign nv,sa, C=BE",
+ "ValidFrom": "2003-12-16 13:00:00",
+ "ValidTo": "2014-01-27 11:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. 
, For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority , G5",
- "ValidFrom": "2006-11-08 00:00:00",
- "ValidTo": "2021-11-07 23:59:59",
- "Signature": "1302ddf8e88600f25af8f8200c59886207cecef74ef9bb59a198e5e138dd4ebc6618d3adeb18f20dc96d3e4a9420c33cbabd6554c6af44b310ad2c6b3eabd707b6b88163c5f95e2ee52a67cecd330c2ad7895603231fb3bee83a0859b4ec4535f78a5bff66cf50afc66d578d1978b7b9a2d157ea1f9a4bafbac98e127ec6bdff",
+ "Subject": "C=BE, O=GlobalSign nv,sa, OU=Primary Object Publishing CA, CN=GlobalSign Primary Object Publishing CA",
+ "ValidFrom": "1999-01-28 12:00:00",
+ "ValidTo": "2014-01-27 11:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
- "ValidFrom": "2006-05-23 17:01:29",
- "ValidTo": "2016-05-23 17:11:29",
- "Signature": "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",
+ "Subject": "O=GlobalSign, CN=GlobalSign Time Stamping Authority, emailAddress=timestampinfo@globalsign.com",
+ "ValidFrom": "2007-02-05 09:00:00",
+ "ValidTo": "2014-01-27 09:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=JP, ST=Tokyo, L=1,1 Shibaura, 1,chome, Minato,ku, O=TOSHIBA CORPORATION, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=TOSHIBA CORPORATION, CN=TOSHIBA CORPORATION",
- "ValidFrom": "2012-04-05 00:00:00",
- "ValidTo": "2013-04-05 23:59:59",
- "Signature": "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",
+ "Subject": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA",
+ "ValidFrom": "2004-01-22 09:00:00",
+ "ValidTo": "2014-01-27 10:00:00",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 },
 {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, 
OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA",
- "ValidFrom": "2010-02-08 00:00:00",
- "ValidTo": "2020-02-07 23:59:59",
- "Signature": "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",
+ "Subject": "C=BE, O=GlobalSign nv,sa, OU=Root CA, CN=GlobalSign Root CA",
+ "ValidFrom": "2006-05-23 17:00:51",
+ "ValidTo": "2016-05-23 17:10:51",
+ "Signature": "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",
 "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "4dfa235fb8e4e89715cc62facb68438d",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA"
+ "SerialNumber": "01000000000115372421a8",
+ "Issuer": "C=BE, O=GlobalSign nv,sa, OU=ObjectSign CA, CN=GlobalSign ObjectSign CA"
 }
 ]
 }
@@ -125492,26 +135124,27 @@
 }
 ],
 "Tags": [
- "NCHGBIOS2x64.SYS"
- ]
+ "WinRing0x64.sys"
+ ],
+ "yara": true
 },
 {
- "Id": "bf01915d-045f-442c-a74e-25c56182123f",
+ "Id": "9b65dba4-81a0-48cc-8ff0-a4f353881062",
 "Author": "Michael Haag",
 "Created": "2023-01-09",
 "MitreID": "T1068",
 "Category": "vulnerable driver",
 "Verified": "TRUE",
 "Commands": {
- "Command": "sc.exe create BSMI.sys binPath=C:\\windows\\temp\\BSMI.sys type=kernel && sc.exe start BSMI.sys",
+ "Command": "sc.exe create EneIo64.sys binPath=C:\\windows\\temp\\EneIo64.sys type=kernel && sc.exe start EneIo64.sys",
 "Description": "",
 "Usecase": "Elevate privileges",
 "Privileges": "kernel",
 "OperatingSystem": "Windows 10"
 },
 "Resources": [
- " https://github.com/elastic/protections-artifacts/search?q=VulnDriver",
- "https://github.com/elastic/protections-artifacts/search?q=VulnDriver"
+ " https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c",
+ "https://gist.github.com/k4nfr3/af970e7facb09195e56f2112e1c9549c"
 ],
 "Acknowledgement": {
 "Person": "",
@@ -125520,48 +135153,53 @@
 "Detection": [],
 "KnownVulnerableSamples": [
 {
- "Filename": "BSMI.sys",
- "MD5": "fac8eb49e2fd541b81fcbdeb98a199cb",
- "SHA1": "9a35ae9a1f95ce4be64adc604c80079173e4a676",
- "SHA256": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347",
+ "Filename": "EneIo64.sys",
+ "MD5": "11fb599312cb1cf43ca5e879ed6fb71e",
+ "SHA1": "b4d014b5edd6e19ce0e8395a64faedf49688ecb5",
+ "SHA256": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374",
 "Signature": [
- "BIOSTAR MICROTECH INT'L CORP",
- "VeriSign Class 3 Code Signing 2009-2 CA",
- "VeriSign Class 3 Public Primary CA"
+ "Microsoft Windows Hardware Compatibility Publisher",
+ "Microsoft Windows Third Party Component CA 2014",
+ "Microsoft Root Certificate Authority 2010"
 ],
 "Date": "",
 "Publisher": "",
 "Company": "",
- "Description": "SMI Driver",
+ "Description": "",
 "Product": "",
- "ProductVersion": "1.0.0.3",
- "FileVersion": "1.0.0.3",
+ "ProductVersion": "",
+ "FileVersion": "",
 "MachineType": "AMD64",
- "OriginalFilename": "BSMI.sys",
+ "OriginalFilename": "",
 "Authentihash": {
- "MD5": "0dea670f26bf6bf65701c4aa0dd89079",
- "SHA1": "cc071f9cc1cb577b22824d401b63508f61cd76c0",
- "SHA256": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7"
+ "MD5": "198111fd73515aa7fe4387612f027f0f",
+ "SHA1": "651b953cb03928e41424ad59f21d4978d6f4952e",
+ "SHA256": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12"
 },
- "InternalName": "BSMI.sys",
- "Copyright": "Copyright (C) BIOSTAR Corp. 
2011",
+ "InternalName": "",
+ "Copyright": "",
 "Imports": [
- "ntoskrnl.exe"
+ "ntoskrnl.exe",
+ "HAL.dll"
 ],
 "ExportedFunctions": "",
 "ImportedFunctions": [
- "IoDeleteSymbolicLink",
 "RtlInitUnicodeString",
 "IoDeleteDevice",
- "MmUnmapIoSpace",
- "MmGetPhysicalAddress",
- "MmMapIoSpace",
+ "ZwUnmapViewOfSection",
+ "ZwClose",
 "IofCompleteRequest",
- "IoCreateSymbolicLink",
+ "ObReferenceObjectByHandle",
+ "ZwMapViewOfSection",
+ "ObfDereferenceObject",
 "IoCreateDevice",
 "RtlAssert",
+ "ZwOpenSection",
 "DbgPrint",
- "KeBugCheckEx"
+ "KeBugCheckEx",
+ "IoCreateSymbolicLink",
+ "IoDeleteSymbolicLink",
+ "HalTranslateBusAddress"
 ],
 "Signatures": [
 {
@@ -125569,45 +135207,24 @@
 "SignerInfo": "",
 "Certificates": [
 {
- "Subject": "C=US, O=Symantec Corporation, CN=Symantec Time Stamping Services Signer , G3",
- "ValidFrom": "2012-05-01 00:00:00",
- "ValidTo": "2012-12-31 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., CN=VeriSign Time Stamping Services CA",
- "ValidFrom": "2003-12-04 00:00:00",
- "ValidTo": "2013-12-03 23:59:59",
- "Signature": "4a6bf9ea58c2441c318979992b96bf82ac01d61c4ccdb08a586edf0829a35ec8ca9313e704520def47272f0038b0e4c9934e9ad4226215f73f37214f703180f18b3887b3e8e89700fecf55964e24d2a9274e7aaeb76141f32acee7c9d95eddbb2b853eb59db5d9e157ffbeb4c57ef5cf0c9ef097fe2bd33b521b1b3827f73f4a",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA",
- "ValidFrom": "2009-05-21 00:00:00",
- "ValidTo": "2019-05-20 23:59:59",
- "Signature": "8b03c0dd94d841a26169b015a878c730c6903c7e42f724b6e4837317047f04109ca1e2fa812febc0ca44e772e050b6551020836e9692e49a516ab43731dca52deb8c00c71d4fe74d32ba85f84ebefa675565f06abe7aca64381a101078457631f3867a030f60c2b35d9df68b6676821b59e183e5bd49a53856e5de41770e580f",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
- },
- {
- "Subject": "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
- "ValidFrom": "2006-05-23 17:01:29",
- "ValidTo": "2016-05-23 17:11:29",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Hardware Compatibility Publisher",
+ "ValidFrom": "2017-10-05 17:44:16",
+ "ValidTo": "2018-10-05 17:44:16",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
 },
 {
- "Subject": "C=TW, ST=TAIPEI HSIEN, L=HSIN TIEN, O=BIOSTAR MICROTECH INT'L CORP, OU=Digital ID Class 3 , Microsoft Software Validation v2, OU=BMA;BMG, CN=BIOSTAR MICROTECH INT'L CORP",
- "ValidFrom": "2010-09-19 00:00:00",
- "ValidTo": "2013-10-19 23:59:59",
- "Signature": "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",
- "SignatureAlgorithmOID": "1.2.840.113549.1.1.5"
+ "Subject": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014",
+ "ValidFrom": "2014-10-15 20:31:27",
+ "ValidTo": "2029-10-15 20:41:27",
+ "Signature": "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",
+ "SignatureAlgorithmOID": "1.2.840.113549.1.1.11"
 }
 ],
 "Signer": [
 {
- "SerialNumber": "124dc5a63cc2bd8265445e912ed07d1f",
- "Issuer": "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Code Signing 2009,2 CA"
+ "SerialNumber": "330000001f9800c911029569be00000000001f",
+ "Issuer": "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Third Party Component CA 2014"
 }
 ]
 }
@@ -125615,7 +135232,8 @@
 }
 ],
 "Tags": [
- "BSMI.sys"
- ]
+ "EneIo64.sys"
+ ],
+ "yara": false
 }
 ]
\ No newline at end of file